top | item 46182546

jclay | 2 months ago

I thought the macOS notarization process was annoying until we started shipping Windows releases.

It’s basically pay to play to get in the good graces of Windows Defender.

I think all-in it was over $1k upfront to get the various certs. The cert company has to do a pretty invasive verification process for both you and your company.

Then — you are required to use a hardware token to sign the releases. This effectively means we have one team member who can publish a release currently.

The cert company can lock your key as well for arbitrary reasons which prevents you from being able to make a release! Scary if the release you’re putting out is a security patch.

I’ll take the macOS ecosystem any day of the week.

dceddia | 2 months ago

The situation on Windows got remarkably better and cheaper recently-ish with the addition of Azure code signing. Instead of hundreds or thousands for a cert it’s $10/month, if you meet the requirements (I think the business must have existed for some number of years first, and some other things).

If you go this route I highly recommend this article, because navigating through Azure to actually set it up is like getting through a maze. https://melatonin.dev/blog/code-signing-on-windows-with-azur...

jonathanlydall | 2 months ago

Thanks for the link, I see only available to basically US, Canada and EU though.

lwkl | 2 months ago

That's not easier and cheaper than before. That's how it's always been only now you can buy the cert through Azure.

For an individual the Apple code signing process is a lot easier and more accessible since I couldn't buy a code signing certificate for Windows without being registered as a business.

Razengan | 2 months ago

> it’s $10/month

So $120 a year but no it's only Apple with a "tAx"

feznyng | 2 months ago

As you said, you need to have a proper legal entity for about 2 years before this becomes an option.

My low-stakes conspiracy theory is that MS is deliberately making this process awful to encourage submission of apps to the Microsoft Store since you only have to pay a one-time $100 fee there for code-signing. The downside is of course that you can only distribute via the MS store.

deltaknight | 2 months ago

The EV cert system is truly terrible on Windows. Worst of all, getting an EV cert isn’t even enough to remove the scary warnings popping up for users! For that you still need to convince Windows Defender that you’re not a bad actor by getting installs on a large number of devices, which of course is a chicken-and-egg problem for software with a small number of users.

At least paying your dues to Apple guarantees a smooth user experience.

jonathanlydall | 2 months ago

No, this information is wrong (unless it’s changed in the last 7 years). EV code signing certs are instantly trusted by Windows Defender.

Source: We tried a non-EV code signing certificate for our product used by only dozens of users at the time, never stopped showing scary warnings. When we got an EV, no more issues.

In case it makes a difference, we use DigiCert.

ryandrake | 2 months ago

Wow. I haven't written software for Windows in over a decade. I always thought Apple was alone in its invasive treatment of developers on their platform. Windows used to be "just post the exe on your web site, and you're good to go." I guess Microsoft has finally managed to aggressively insert themselves into the distribution process there, too. Sad to see.

jezek2 | 2 months ago

I solved it by putting a "How to install.rtf" file alongside the program.

Another alternative would be to bundle this app: https://github.com/alienator88/Sentinel

It allows you to easily unlock it by drag'n'drop.

tyre | 2 months ago

What is the subset of users who are going to investigate and read an rtf file but don’t know how to approve an application via system settings (or google to do so)?

TobbenTM | 2 months ago

You certainly don't need a hardware token, you can store it in any FIPS 140 Level 2+ stores. This includes stuff like Azure KeyVault and AWS KMS.

Azure Trusted Signing is 100% the best choice, but if for whatever reason you cannot use it, you can still use your own cloud store and hook in the signing tools. I wrote an article on using AWS KMS earlier this year: https://moonbase.sh/articles/signing-windows-binaries-using-...

TLDR: Doing this yourself requires a ~$400-500/year EV cert and minuscule cloud costs.

jonathanlydall | 2 months ago

Can confirm this, we use Azure KeyVault and are able to have Azure Pipelines use it to sign our release builds.

We’re (for the moment) a South African entity, so can’t use Azure Trusted Signing, but DigiCert has no issue with us using Azure KeyVault for our EV code signing certificate.

I had ours renewed just this week as it happens. Cost something like USD 840 before tax, don’t have a choice though and in the grand scheme of things it’s not a huge expense for a company.
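The setup TobbenTM and jonathanlydall describe above (EV key kept in a FIPS 140 Level 2+ cloud store, signing tool hooked into the release pipeline) as an added example that is not from either commenter: it signs a release build with a certificate held in Azure Key Vault and then refuses to publish unless the resulting Authenticode signature verifies and is timestamped. It assumes the open-source AzureSignTool CLI is installed on the build agent, that the agent's managed identity has sign and get rights on the vault, and that the vault URL, certificate name, and expected signer organisation are placeholders you replace.

```powershell
# Added example, not the commenters' own scripts. Assumes AzureSignTool is on PATH
# and the build agent's managed identity may use the vault; values in <> are placeholders.
param(
    [string]$File     = ".\dist\MyApp-Setup.exe",
    [string]$VaultUrl = "https://<your-vault>.vault.azure.net",
    [string]$CertName = "<ev-code-signing-cert>",
    [string]$ExpectedOrg = "<Your Company Ltd>"
)

# Sign with a key that never leaves the HSM-backed vault. RFC 3161 timestamping
# keeps the signature valid after the (annually renewed) certificate expires.
& AzureSignTool sign `
    --azure-key-vault-url $VaultUrl `
    --azure-key-vault-managed-identity `
    --azure-key-vault-certificate $CertName `
    --file-digest sha256 `
    --timestamp-rfc3161 "http://timestamp.digicert.com" `
    --timestamp-digest sha256 `
    $File
if ($LASTEXITCODE -ne 0) { throw "Signing failed for $File" }

# Release gate: verify independently of the signing step, so a mis-issued or
# revoked certificate, or a silently skipped timestamp, blocks the publish.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature on $File is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "Signature on $File is not timestamped; it would break when the cert expires"
}
if ($sig.SignerCertificate.Subject -notlike "*O=$ExpectedOrg*") {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}
Write-Host "Signed and verified: $File (signer $($sig.SignerCertificate.Subject))"
```

Running this as the last step of the pipeline means the release artifact is only uploaded if the signature would actually be trusted on a user's machine, which catches the "we forgot to timestamp" case that shows up months later when the certificate rolls over.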

Klonoar | 2 months ago

I have been trying to get people to realize that this is the same or worse for like a year now.

It’s unfortunate it’s come to this but Apple is hardly the worst of the two now.

rxliuli | 2 months ago

That's right, there's a similar comparison between the iOS App Store and Android Play Store. Although the annual $99 fee is indeed expensive, the Play Store requires every app to find 12 users for 14 days of internal testing before submission for review, which is utterly incomprehensible, not to mention the constant warnings about inactive accounts potentially being disabled.