WinXP SP2 and Digitallly Signing your .exe

Discussion in 'Game Development (Technical)' started by Fost, Aug 28, 2004.

  1. Nutter2000

    Original Member Indie Author

    Joined:
    Jul 27, 2004
    Messages:
    993
    Likes Received:
    3
    which one is that?
     
  2. princec

    Indie Author

    Joined:
    Jul 27, 2004
    Messages:
    4,873
    Likes Received:
    0
    Hey Fost, who does certs. for that price? I've got to get my Java stuff signed (we've had to put up with scary security cert warnings for years in Javaland).

    To all the moaners in here - just get your code signed, grin and bear it. It shows you're serious and considerably more trustworthy. You wouldn't want some dodgy site to hack your Plimware wrapped game and have it divert all the money to their account now would you? This is no more or less sensible than SSL for http communications. It's about trust. Don't complain.

    Cas :)
     
  3. Nutter2000

    Original Member Indie Author

    Joined:
    Jul 27, 2004
    Messages:
    993
    Likes Received:
    3
    I agree with Cas here, it's simply something that will benefit all of us in the long run anyway.

    However, most people here appear to be using shareware-specific payment processors/online publishers surely this is a service you should be lobbying them for?
     
  4. tentons

    Indie Author

    Joined:
    Mar 1, 2004
    Messages:
    664
    Likes Received:
    0
    It's a little uncanny that this thread just started, also. Is this a hint of bigger things to come in the future in terms of who controls your computer--and, by extension, your business? It's "harmless" and "sensible" now, but it's also conditioning for what's coming.

    Viruses/malware are the Terrorism of computing. Think before you take the leap.
     
  5. Coyote

    Indie Author

    Joined:
    Jul 27, 2004
    Messages:
    697
    Likes Received:
    0
    Do you get a discount for re-signing it each time you release an update?
     
  6. Valen

    Indie Author

    Joined:
    Jul 27, 2004
    Messages:
    133
    Likes Received:
    0
    It would be nice if terrorism could be wiped out with an Anti-Virus program. :) Seems to me like the real solution is to ship auto updating anti-virus software with Windows, rather than try to control what people run. Of course, that's not nearly as profitable as charging developers for useless certificates. :rolleyes:
     
  7. Greg Squire

    Original Member

    Joined:
    Aug 5, 2004
    Messages:
    848
    Likes Received:
    0
    (Someone correct me if I'm wrong here) My understanding is that you can package as many files as you want with your digital ID/certificate, using the tools they provide. I don't believe you have to buy a certificate for each file. Thus the $400 dollars can be spread across multiple products and updates.
     
  8. Fost

    Indie Author

    Joined:
    Jul 31, 2004
    Messages:
    524
    Likes Received:
    0
    Apologies to everyone, I should have posted the place I saw Authenticode certificates for £66 (for one year) or $99 (which is actually cheaper than £66 with the current awful exchange rate :( ). This was InstantSSL.com

    They don't seem to offer any java signing though for those who need it. (Might be wrong, but couldn't see it).

    Wonder if they would do a bulk discount for a few of us....
     
  9. Mike Wiering

    Original Member

    Joined:
    Jul 28, 2004
    Messages:
    246
    Likes Received:
    0
    But after a year your certificate expires and you have to buy a new one, right?
     
  10. Greg Squire

    Original Member

    Joined:
    Aug 5, 2004
    Messages:
    848
    Likes Received:
    0
    Yes, there usually is an expiration date on them, usually one or two years. I'm not sure what the time period is on Verisign certificates.
     
  11. Nutter2000

    Original Member Indie Author

    Joined:
    Jul 27, 2004
    Messages:
    993
    Likes Received:
    3
    cheers Fost

    That's not a bad idea actually, if need be we could probably organise an IndieGamer (or IndieGamerUK, IndieGamerUS, etc) certificate that can be sold cheaply to people on this board who match a certain criteria
    I'm not trying to make it an elitist thing but such a scheme would certainly require some safeguards to stop virus writers, spammers, or possibly simply games we don't feel are quality enough to use the certificate.

    on the other hand that goes back to what I was saying earlier, perhaps this is something that the online publishers should be lobbied to provide
     
  12. Redclaw

    Original Member

    Joined:
    Jul 27, 2004
    Messages:
    41
    Likes Received:
    0
    Great... So if there's an old version of your game on the net somewhere and someone tries to install it, they'll get a WARNING - THE LICENSE HAS EXPIRED!! DO NOT TRUST THIS SOFTWARE!!! IT WILL KILL YOUR WHOLE FAMILY WHILE YOU SLEEP!!! type message.

    Nice.

    These licenses are themselves a fucking license to print money.
     
  13. Nutter2000

    Original Member Indie Author

    Joined:
    Jul 27, 2004
    Messages:
    993
    Likes Received:
    3
    good point

    Agreed, a license to print money (damn, now where can I get one of those!;) )

    On the other hand, I would guess that the crypto key stays the same so long as you keep updating the license, which you probably would if you want to remain selling your software.

    However, like DavidRM said, how quickly will the consumer become used to the warning and totally blase about it?
    I suspect that, given human nature and the time it will take for software companies to get all their software digitally signed especially the smaller ones like us, not to mention all the software that's already out their and unsigned, that there will be a slight initial panic but people will very quickly become used to ignoring it.
     
  14. princec

    Indie Author

    Joined:
    Jul 27, 2004
    Messages:
    4,873
    Likes Received:
    0
    It is likely to eventually become the case that the default configuration of the OS will not allow users to run unsigned or broken or expired software. Hurrah for me with Webstart of course coz it's always 100% up to date ;) But I can see that the days of traditional downloadable .exes may be numbered.

    M$ of course are pushing the same model as Webstart, with clientside .NET looming on the horizon to be the preferred deployment format on Win32 in the next decade.

    Buy into it folks, it's not going to go away!

    Cas :)
     
  15. cliffski

    Moderator Original Member

    Joined:
    Jul 27, 2004
    Messages:
    3,897
    Likes Received:
    0
    I would NEVER buy an O/S that refused to le tme run unsigned exes. If they insist on that, ill stick with XP forever.
    This is my PC, I own it, ill run anything I damn like on it as long as im not affceting others.
    Anyone wanting $100 from me to verify I am not a virus writer can Fck Off!
     
  16. princec

    Indie Author

    Joined:
    Jul 27, 2004
    Messages:
    4,873
    Likes Received:
    0
    Keep your hair on! That's not what I said was going to happen. The default configuration will probably eventually be to automatically disallow unsigned code. It will have to be overrideable otherwise developers are going to have a pretty hard time writing code on their own machines aren't they?

    Cas :)
     
  17. wazoo

    Original Member

    Joined:
    Jul 27, 2004
    Messages:
    519
    Likes Received:
    0
    back to reality...

    Hey our company (ie. day job) buys them from GeoTrust.

    www.geotrust.com

    On average they're cheaper than the cost of Verisign..

    hth,
     
  18. fusionlab

    Original Member

    Joined:
    Sep 2, 2004
    Messages:
    19
    Likes Received:
    0
    Nice scare tactics Microsoft - let's play on the fears of everyone who risks downloading a virus thanks to your leaky operating system. Hey, why fix the holes when you can make more money out of them!

    This is majorly bad news. Gamers with little technical knowledge are going to hit the "no" button every time. If your target audience is mostly non-technical (eg mothers - sorry mum!) and/or you don't want to lose casual gamers then - reluctantly - I have to say this certificate is a must.

    As others have pointed out, at least it means that these same customers will be less likely to download cracked versions of our games because they won't carry any certification.

    And I'm sure you're right about future OS's, princec. Microsoft have seen how they can monopolise development on their Xbox console through encryption (no one can produce any unauthorised third party software for it). I guess they want to tighten the iron grip they already have on the PC and generate another lucrative revenue stream.

    The future's bright (for Microsoft)...the future's digital rights.
     
    #38 fusionlab, Sep 2, 2004
    Last edited: Sep 2, 2004
  19. SyneRyder

    Original Member

    Joined:
    Jul 27, 2004
    Messages:
    19
    Likes Received:
    0
    I think some people need to do more research before posting here. Your signing licence may expire each year, but the EXEs that you sign do not expire. There is no problem with old exes files expiring.

    The point of the code signing is to verify the identity of the publisher and the integrity of the download. It's like PGP and MD5 for software. If the file download is tampered or altered, the customer will be notified. If you get a certificate, your downloads will show your company name, and any unsigned cracks of your software out there will show "Unknown Publisher". If you've ever had problems with customers who didn't realize they were running a crack, you'll see how this can be beneficial.

    I'm with Cas, I think it's a good way to show you're trustworthy and it's best to get in on this early. Depending where you get your certificate from it's only $99 annually (I think Thawte is $200, Verisign $400) and you should be able to write it off as a business expense on your taxes.

    PS Some of the top download sites are seeing an extremely rapid takeup of SP2. It's worth joining the ASP to learn the exact percentages just over the last two weeks. They've been talking about code signing in their newsgroups for some weeks too.
     
    #39 SyneRyder, Sep 2, 2004
    Last edited: Sep 2, 2004
  20. tentons

    Indie Author

    Joined:
    Mar 1, 2004
    Messages:
    664
    Likes Received:
    0
    This article is about TCPA, but it potentially affects anyone publishing software. Digitally signing is, in most cases, good for developers. But with added security, you're going to lose freedom.

    The question is how much you're willing to tolerate and how far they will push, little by little. Before you know it you don't have control of your software or business anymore unless you pay what they want you to pay and use their software for deployment and deploy only at their authorized locations and follow their rules about content, etc etc etc.

    Where does it stop? That's the bigger issue, IMHO.
     

Share This Page

  • About Indie Gamer

    When the original Dexterity Forums closed in 2004, Indie Gamer was born and a diverse community has grown out of a passion for creating great games. Here you will find over 10 years of in-depth discussion on game design, the business of game development, and marketing/sales. Indie Gamer also provides a friendly place to meet up with other Developers, Artists, Composers and Writers.
  • Buy us a beer!

    Indie Gamer is delicately held together by a single poor bastard who thankfully gets help from various community volunteers. If you frequent this site or have found value in something you've learned here, help keep the site running by donating a few dollars (for beer of course)!

    Sure, I'll Buy You a Beer