I received a free code signing certificate from Thawte a few years ago, valid for 2 years, valued at around $600US. I can't remember all the details now, but there was a bit of misery involved in getting it installed and working, and I had to make some delicate adjustments to my build processes to use the certificate. I remember receiving incomprehensible problems that drove me nearly insane (again) when importing and managing the certificate and using the signtool.exe utility. It was fun to see a signed app finally come out, but the extra work was not worth it in my case, where I don't publish my own commercial software. I publish lots of free demo apps and code, but there's no use in signing that sort of thing; in fact you have to keep your certificate private and secret and not give it to other developers. Then the person installing the signed software has to go through steps (that I've forgotten) to say they trust your certificate, and it's not as magically simple as you expect. So overall, as a single contractor developer, I found a real certificate is of little practical use and lots of suffering.
Greg Keogh

P.S. I just found some of my old batch files that run makecert and signtool. They used to work of course years ago, but now I'm getting "The signer's certificate is not valid for signing" even though it all looks good when viewed in certmgr.msc. Lord knows, I give up immediately as I have enough outstanding problems.

On 15 April 2013 15:16, Katherine Moss <[email protected]> wrote:
> Hi guys,
> I've been arguing with myself about this for a while. I'm progressing in my .net development learning with C#, and I'm pretty dang sure I'm going to be catching on soon. I had some ideas for the open source community, clearly both for the experience, for the privilege of working with people who develop for the sheer fun of it while producing quality software at the same time. And with that comes authenticode issues; where to get a certificate that's not $10,000. Because I know that even in the free and open source world trust is still an issue, however there are no open source or community-based certification authorities, or at least none that offer code signing. I've noticed a lot that most open source projects don't actually have a cert issued by a trusted publisher, and that hasn't stopped me from running the application (most of these have come from the CodePlex forge, and I cannot remember which ones they are), and I will even bravely add self-signed certificates to my root store for those Windows 8 Modern apps that people want to keep away from the Draconian, super-restricted environment that Microsoft's Tiled World has become. So, is it that important? I mean, how seriously do you take the warnings about self-signed certificates?
>
> How worthwhile is paying inordinate amounts of money for a code signing certificate in an open source project when you can easily make one and get your users and loyal followers to trust you directly instead of some ding dong head that is getting paid to say, yes, this software is issued and signed by so and so? Anyway, opinions would be good; I'd love to hear what real developers have to say about this.
>
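The "signer's certificate is not valid for signing" error in the P.S. above is what signtool reports when a certificate that looks fine in certmgr.msc fails one of the checks the signing tool applies: it is outside its validity window, has no private key behind it, lacks the Code Signing Enhanced Key Usage, or does not chain to a root the machine trusts (a makecert test root that was never imported, for example). The script below is an added example, not from the thread or from any Microsoft tooling; it walks the current user's personal store and reports which of those checks each certificate fails, assuming Windows PowerShell 5.1 or later and no network (revocation checking is deliberately skipped).

```powershell
# Added example: explain why a certificate in Cert:\CurrentUser\My would be
# rejected for Authenticode signing. Not part of the original mailing-list post.
function Test-CodeSigningCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $problems = @()
    $now = Get-Date

    # 1. Validity period: a two-year certificate from "years ago" fails here.
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }
    # 2. Private key: importing only the .cer (public part) gives a cert that
    #    displays correctly but cannot sign anything.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no private key associated with this certificate'
    }
    # 3. Enhanced Key Usage: if the extension is present it must list Code Signing.
    #    A certificate with no EKU extension at all is treated as valid for any purpose.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $codeSigningOid)) {
        $problems += 'Enhanced Key Usage does not include Code Signing (1.3.6.1.5.5.7.3.3)'
    }
    # 4. Trust chain: must build to a root in the Trusted Root store. Revocation
    #    is skipped so the result is deterministic on an offline machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root ($status)"
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Enumerate the whole personal store rather than using -CodeSigningCert, so a
# certificate that is missing the EKU entirely is still listed with its reason.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-CodeSigningCertificate -Certificate $_ } |
    Format-List
```

Run it once before calling signtool; a certificate reported as Usable = True with an empty Problems list is one signtool will accept, and the Problems text for the others names the check to fix.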
