The High Cost of Digital Code Signing Certificates To Give Away Free Applications

It's great that technologies, like Adobe AIR, encourage software publishers to take responsibility for their software. It's too bad that the only way for hobbyist software writers to do that is to pay protection money to overpriced certificate vendors.

This is the longer version of my blog post ranting against the high cost of digital certificates.

I recently released my Air Server and Website Monitoring Tool for free. It's a nice widget to help me monitor all the various websites that I own, and it was a nice hobby project to learn how to use Adobe AIR.

One of the decisions that you have to make before publishing an AIR application is how to sign the application. I just read this article about Digitally signing Adobe AIR applications. The choices are to:

  • Free: use a self created certificate that flashes a big "UNKNOWN" publisher warning when users try to install the app.
  • Expensive: use a commercial code signing certificate. These cost $300 or more, per year, per technology!

Note: If you self-sign your app, you'll have to create a new app later when you switch to a commercial certificate. AIR doesn't allow you to sign the same app using two different certificates: the AIR runtime will refuse to install an update signed with a different certificate than the original program. You'll need to advise your users to first uninstall the previous version, and then install the new version.

The article gives a good justification for why software tool vendors are adding code signing capabilities to their tools:

  • Code signing takes care of these scenarios by building customer confidence that what they're installing was created by the named publisher, and that the code hasn't been changed since that publisher signed it.

How much do they cost?

Using a commercial code signing certificate from companies like Thawte has all kinds of benefits: annual fees, red tape (faxes, sending in articles of incorporation, etc.), and not frightening the users who got up enough courage to even try downloading and installing your application. Thawte proclaims "In a world of risk, know who to trust".

Pricing    1 yr   2 yr   1 year renew   2 year renew
Thawte     $299   $549   $249           $499
Verisign   $499   $894

Am I the only one who thinks that is outrageously expensive? The article on code signing mentions in more than one place that Verisign and Thawte are (maybe) the only choices if you want users not to see warning dialogs, because, as the article on code signing AIR applications points out:

  • However, only VeriSign and Thawte come pre-installed on most end user's machines (Mac OS X or Windows) and are trusted by the operating systems.... Using certificate authorities other than Thawte or Verisign is going to require that the end user (not the developer of the software), or a system admin charged with managing a computer on an enterprise network, manually install a root certificate for that certificate authority.

Only a single certificate needed - NOT!

Thawte claims that "Uses a single certificate for most platforms and applications - this is unique to thawte". But when you click continue, the first question you are asked is:

What kind of certificate do you wish to purchase?

  • Apple developer certificate - Introduced in MacOS 9
  • JavaSoft Developer Certificate
  • Microsoft Authenticode (Multi-Purpose) Certificate
  • Netscape Code-Signing Certificate
  • VBA Developer Certificate - Identical to Authenticode certificates
  • Adobe AIR Developer Certificate

Does anyone other than me see a conflict between "uses a single certificate", and then having 5 different kinds to choose from?

Update
According to this article, Authenticode code signing certificates can be used to sign AIR apps; it's just a matter of converting the format of the certificate. It is interesting how Thawte doesn't make that clearer on their website, possibly because they would rather that people buy extra certificates...

There are technological differences between the different kinds of object signing. Other kinds of signing certificates cannot be used for code signing.

Imagine I'd just bought an Authenticode certificate a couple of months ago. Now I want to try my hand at AIR apps. You mean I can't use my same certificate for AIR? I need to spend another $300, and go through all the red tape again? That sucks!

Thawte and Verisign might not like your browser

Here's a funny one... When you go to sign up for the Thawte certificate, you'll be advised:

  • (Please note that in order to complete the enrollment process, you will need to have javascript enabled in your browser. Javascript is usually enabled in your browser by default.)

OK, that's reasonable enough...

  • Try to sign up for an Adobe AIR Developer Certificate from Thawte using IE 6 (with Javascript enabled), click submit, and you'll encounter your first error: "You must use Firefox to enroll for the chosen certificate type."
  • The Netscape certificate requires you to use a Netscape browser. Fortunately, the Microsoft Authenticode certificate can be signed up for with Internet Explorer.

Why the nonsense about which kind of browser you are using? Dumb.

Note: Apparently the reason is that the "private key will be automatically stored within the Firefox keystore". Great, something else to figure out how to back up. If the private key is lost, it's a very bad thing! Thawte advises "Be sure to back-up your Private key file."

Verisign's different choices for code signing certs

Verisign has a slightly different selection of code signing certificates:

  • Microsoft Authenticode Digital ID
  • Microsoft Office and VBA Signing Digital ID (Verisign doesn't say this is the same as authenticode certificate.)
  • Adobe AIR Digital ID (Verisign advises you that you must use Firefox browser for this)
  • Netscape Object Signing Digital ID
  • Macromedia Shockwave Digital ID - For Macromedia Director 8 Shockwave Studio
  • Marimba Castanet Channel Signing Digital ID

Some other kinds of digital signing certificates

  • DocumentSign Digital IDs for Adobe Secure PDF (source)
  • Windows Vista Kernel 64 bit - This is another variety of Microsoft Authenticode, but is cross-signed by Microsoft (source)

Documentation needed to buy a digital code signing certificate

What will you need to get a code signing certificate? If you've got an existing company, then maybe it's not a big deal. But if you're just a hobbyist, you'll be surprised at the red tape you'll need to go through.

My comment
No hobbyists are allowed to code sign applications with any level of trust. In order to get a code signing certificate, you'll need to pay annual fees, apply for some kind of governmental business license, and get a business telephone line! Or go and buy company letterhead, and hire a notary to notarize it. Fortunately, it's free to get a Reseller Permit in California, but you'll need to file a report at least annually, and if you don't pay at least some sales tax each year, they take it away from you!

What happens when a code signing certificate expires

Apps signed when the certificate was unexpired will continue to work after the expiration date.

  • What happens if I code sign an applet with a valid certificate which has expired in the meantime?
    • Netscape's tools won't let you sign an applet with an expired certificate.
    • Microsoft's tools allow you to attach an unforgeable timestamp to your archive. Archives which were timestamped and signed with valid certificates will be treated as secure even after the certificate expires; archives that were not timestamped or were timestamped after the certificate had expired will be reported as suspect.
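The timestamp rule described in the last bullet, as an added example that is not from the original post or from any vendor's tooling: a small model that decides whether an archive is still "secure" after its certificate expires, based only on the certificate's validity window and the presence and time of a timestamp countersignature. The certificate, archive and date values are constructed for illustration, and no real signature or chain verification is performed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime

    def covers(self, t: datetime) -> bool:
        # True if t falls inside the certificate's validity window.
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class SignedArchive:
    cert: Certificate
    # Time asserted by a timestamp authority countersignature; None when the
    # publisher signed without timestamping. No real signature is verified here.
    timestamp: Optional[datetime]


def evaluate(archive: SignedArchive, now: datetime) -> str:
    """Return "secure" or "suspect" for an archive checked at time `now`."""
    cert = archive.cert
    if cert.covers(now):
        return "secure"  # certificate still valid, signature checked normally
    # Certificate expired: only a timestamp proves the signature predates expiry.
    if archive.timestamp is None:
        return "suspect"  # untimestamped: no way to tell when it was signed
    if cert.covers(archive.timestamp):
        return "secure"  # timestamped while the certificate was valid
    return "suspect"  # timestamped only after the certificate expired


def demo() -> dict:
    """Constructed data: a one-year certificate and three archives checked after expiry."""
    utc = timezone.utc
    cert = Certificate("Example Hobbyist", datetime(2008, 1, 1, tzinfo=utc),
                       datetime(2009, 1, 1, tzinfo=utc))
    archives = {
        "timestamped": SignedArchive(cert, datetime(2008, 6, 1, tzinfo=utc)),
        "untimestamped": SignedArchive(cert, None),
        "late_timestamp": SignedArchive(cert, datetime(2009, 3, 1, tzinfo=utc)),
    }
    now = datetime(2009, 6, 1, tzinfo=utc)  # well past the certificate's expiry
    return {name: evaluate(a, now) for name, a in archives.items()}
```

Calling `demo()` returns "secure" only for the archive timestamped inside the certificate's validity period; the untimestamped and late-timestamped archives come back "suspect".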

The acid test: Try explaining to your wife the cost of a code signing certificate to give away software

Yeah, I'm a cheapskate. Yes, I did pay for my computers, and I did buy a copy of the development tools I use. Yes, I do pay $10 a year for each of dozens of domain names. But those are usually one-time expenses. I can use the same version of the compiler for years.

But $300 for a digital certificate? For one that expires in a year? For each technology I might want to try? Give me a break! Look at it another way: How could you explain this kind of purchase to a wife who likes to buy $60 dresses only if she can get them for $5 at a second hand shop? How would you explain that, unlike the past when you spent all your time writing free widgets to give away to make the world a better place, now you need to go and spend 6 months of her clothes budget to buy some digital bits just to help people trust the free software that you want to continue spending your evenings away from her to write and give away for free? And explain that you'll need to pay that amount every year, just like cell phone service.

Spouse: Where are you going?
Other Spouse: Down to the courthouse to apply for a fictitious business name, then publish it in the paper of record for several days, then get a company phone line, just so I can spend $300 on the digital code signing certificate for the software I give away.
Spouse: I'm glad knitting doesn't have so much red tape....

My conclusion: Some things are probably best left unmentioned...

Oh, and, it would be nice if Adobe could do something about the bloated cost of these certificates...

And another solution: I suppose I could find a paying client to pass along this cost, but only if they'd let me put my name on the cert used for their widget, instead of their name. Not a lot of clients will allow for that... Sigh...

Some cheaper sources for code signing certificates

Are there any cheaper sources than Verisign and Thawte for code signing certificates?

Keywords

  • Adobe AIR Developer Certificate
  • Adobe AIR Code Signing Certificate

Other blogs and articles on the topic of code signing

See my collection of Code signing blogs and articles...

Some comments to other articles

  • Falken said... Or, alternatively, just use a self-signed developer cert. Sure, it shows green ticks rather than red ones, but users will install it anyway.

Disclosure

Adobe has been one of my clients since 2006. But nothing I say here is any kind of official statement on behalf of Adobe.
