WinXP SP2 and Digitally Signing your .exe

Discussion in 'Game Development (Technical)' started by Fost, Aug 28, 2004.

  1. Adrian Lopez

    I agree that the signature verification features in SP2 do not currently facilitate the kind of abuse I was hinting at (after all, users still have the option to run unsigned code if they want to), but my concern is more with the potential for abuse than what's actually happening at any particular point in time. The argument has more to do with code-signing as a concept than its particular implementation in SP2. The same code-signing infrastructure that is currently used to provide confidence could someday be used to gain control over code distribution by ensuring that only signed code is allowed to run.
     
  2. Mickey Crocker

    I have a few questions about indie businesses and digitally signing...

    1) If I plan on selling software online, must I pay to start up a legit business in order to legally do this? (in Canada).

    2) If I want to digitally sign my software, must I purchase a commercial ID Certificate? Or can I get an individual cert? (I've looked for answers on this, but couldn't find any.)

    3) When you sign up for a ID Cert, can you use the same one for every game that you make? Or must you purchase unique IDs for each?

    The reason I asked this is because I want to keep this "business" as close to being a hobby as possible. I have a full time job that I plan to keep, and do this on the side. So, I'd like to make money from the work that I do, without the worry of my business going bankrupt, is this possible?

    ...I'll talk to a lawyer when the time comes on these subjects, but just looking for some of your insights. Thanks.
     
  3. keethrus

    http://timestamp.comodoca.com/authenticode

    I just successfully signed and timestamped the installer of a commercial app I'm creating. It went really smoothly! I found a "Digital Signing Wizard", GUI not console, which did everything for me. I'd be happy to share the link to it on Microsoft if anyone wanted it.

    - Jeremiah
     
  4. Mike Boeh

    Yeah, they hadn't rolled it out yet when I posted that. But after emailing them, I got the goods! :) Unlike the experience of Cas, I was really impressed with their quick and helpful support too!
     
  5. princec

    Yeah, they were quick all right, just not competent enough to help out :(

    Cas :)
     
  6. Mike Boeh

    Maybe they just hate Java! :D
     
  7. Sillysoft

    It's entirely possible. I don't think thwarting java users is a great business move though.

    I am not using any certificate at the moment. I will reconsider the situation in a little while from now and decide whether I should get one or not.
     
  8. keethrus

    Anybody know how to get WinXP SP2 to show your application's icon when it pops up the download warning? I've gotten my installer signed and it works, but it shows the default application icon instead of the installer's icon. Any ideas?

    - Jeremiah
     
  9. xelanoimis

    What about "free software" ?

    Indie games include free games and people are creating those to be freely distributed to anyone.
    It's not normal to be asked to pay 100$ or more (some people do not gain that much in a whole month) just for being able to offer your software for free.
    Imposing such a signing mechanism is a move against free software.

    What is the choice of a free game developer?

    1. To pay 100$ out of his pocket and sign his software,
    if he really wants his game to reach the people, like any other commercial product.

    2. To not pay and not sign his game, reducing the number of people playing it.
    Consider that in the future this number might hit absolute 0,
    depending on the "security" measures of the future operating systems.

    3. To totally give up creating free games.

    Then you will be wondering why there are only crappy games to play, like most cases in the consoles market today. It will be because only good selling games will be published (to cover all those stupid additional costs). And good selling doesn't mean good gaming!
    Why all the published adventure games reduced their number so much, being almost nonexistent on consoles. Check the free game adventure communities and see where they all went. ( http://www.adventuregamestudio.co.uk ).

    So, I'm not saying that the idea of signing your software and the idea of security are bad things.
    I just say that, in its current form, it proves to be a move against free software.

    The solution to this would be very simple:
    SIGN FREE SOFTWARE FOR FREE !

    ... but I doubt any company like Microsoft would have such intentions.

    Thanks!
     
  10. Fabio

  11. Savant

    Strap on those tinfoil hats kids, it's going to be a bumpy ride!
     
  12. Indiepath

    I had similar issues with their support, they are not consistent and tend to go around in circles. Try asking them how to sign a .xpi file (that's a Firefox plugin), go on I dare you :)
     
  13. tentons

    I guess you didn't hear about the domestic spying program in America. Not that there's a connection or it proves anything, just that a backdoor in Windows may not be reason to don the foil in light of current facts. It's healthy to be skeptical of multi-billion dollar corporations known to have ignored/invaded users' privacy in the past.

    Related: http://news.com.com/Microsoft+Vista+wont+get+a+backdoor/2100-1016_3-6046016.html?tag=nefd.top
     
  14. Gary Preston

    Personally I see this being no different from signing emails with GPG to prove who it came from and that it hasn't been modified.

    Many people also use GPG to sign software so that mirrors can host the installers whilst end users can still be certain the software hasn't been tampered with by any of the hosting mirrors (or that the website hasn't been cracked and the files replaced with modified version).

    The only reason I think companies will choose certs over gpg is that with cert signing, the root certs are already a part of the various users' machines. With gpg you need to build your own web of trust. That's not to say you couldn't create signing authorities for gpg and have their keys preinstalled on users' machines. But the moment you did, you'd have the same situation we have with ssl certs, the cost associated with running those few signing authorities.

    I don't see anything wrong with signing bringing up warnings. So long as there is always the option to still install unsigned programs much as we have the option to still install unsigned activex controls or plugins.
     
