EV code sign for 4+ thousand dollars

dove_

New member
When you download a file on Windows, the browser and the system check your file for viruses and reputation.

If you want to be trusted, you have to buy an Extended Validation (EV) Code Signing Certificate for a lot of money, but it's not enough just to buy it; there are a lot of intricacies with it, which is what we'll talk about next, and how I spent over 4k dollars!

We are writing an app on Flutter to manage iOS, macOS and general integration with App Store Connect (aso.dev) and as it turns out many ASO specialists only use Windows…

You can read about that in the first article, and I’ll come back to certificates.

We basically have MacBooks with M1, so building an application in Windows x86 virtualization is at least close to impossible (I tried).

First, I turned to Microsoft’s super great program for startups — https://foundershub.startups.microsoft.com/, which got me $5k on Azure pretty easily.

I configured CI/CD in two weeks. Overall it's simple, apart from the intricacies of setting variables or PATH. Reminded me why I don't like Windows: everything works locally, but in CI/CD it's magic....

After building the .exe installer, I realized that downloading and installing from the site is a big problem…


Google gave information about the Extended Validation (EV) Code Signing Certificate and the plain Code Signing Certificate, but the price difference between them is 2–3 times.... A long study of the details showed that EV will help with Windows SmartScreen, while a simple certificate will not help 95% of the time.

An EV Code Signing Certificate can't be saved as a file; it needs an HSM or a token, a token via RDP doesn't work (I tested it), and I only build in the cloud, so I found Azure Dedicated HSM with these prices:

Pricing for HSM

Certificates for the cloud must support the cloud (sort of)

Careful readers will notice that the price is per HOUR! I didn't notice and ended up with $3k+! I don't know what I would have done if it was personal money and not part of the grant!

Bill for the month

I deleted everything I could find in Key Vaults and started checking the account every day; after another day I realized the money was still leaking out and removed the key blocks from the deleted ones. That was the end of my desire to keep certificates in the cloud.

I ordered a certificate from IdenTrust. During the order we specified a different delivery and payment address, and since it did not match the bank address of the payment card, the money was frozen for a week, and support could not help. After the refund we ordered a certificate again, without a physical token, and passed the payment step successfully. But we were denied, as the company has existed for less than 3 years, and the money was frozen for another week.

We found a certificate on SSL.com for $349 (a nightmare), and they documented reasonably well how to work with a YubiKey, although they required a YubiKey FIPS.

Signing an .exe on a Mac is theoretically possible, but I wasn't ready for that, and the grant is only for a year, so I'll need a Windows machine soon anyway; after much research I bought an HP Pro Mini 400 G9 DM/DOS/i5-12500T/8GB/512GB for 58644 RSD ($540), and also a YubiKey 5C ($50).

Fun fact: a bootable Windows flash drive for the installation can only be created on Windows! (wasted day)

monitor under repair under warranty, projector saves the day

To verify a business you need an address on Google Maps (not only that, but this is the easiest case). In general it is much easier to add a new business to the maps than to update the information about an existing business, even if you are the owner. We had the address listed and hidden; when we tried to show it, they asked for a video confirmation, which no one seems to watch. Google called us 6 times (3 times we actually talked), but it didn't help to update the data, even after sending them proof that the same address was listed in the company's legal documents. Google clearly has something broken in their processes there. In the end, we added a new point on the maps with the address and deleted the old one after SSL.com validation was passed.

After passing all the checks and calls and updating the data on Google Maps, a certificate was issued for our company ASO.DEV LLP, and my attempts to sign the application with it began.

The main problem is that SSL.com wants to sell you their e-codeSign in the cloud (expensive), so you have to find the instructions for how to run it locally with your own key!

I won't rehash the instructions; I'll leave the links here and just focus on the details.
Subtleties:
  • Code signing will NOT work over RDP!!!
  • I don't advise transferring installation files via messengers; it's better to link via a CDN, otherwise the OS may block the installation process.
  • Verify the Attestation Certificate with SSL.com and attach it to the order. After downloading the files, you should either wait until the files are updated or write to support. This applies if you get a signature error.
  • Whether you need FIPS, I don't know, as I bought FIPS after getting a signature error; after a few days of agony, an email to support fixed everything (they updated the Verify Attestation Certificate, as I understand it). I couldn't connect a second token for signing because I was told off for not having a private key, so I didn't have the energy to experiment further. Certificate experts, can you tell me if FIPS is mandatory?
Had to take a photo; couldn't take a screenshot (blocked)

There was another important reason why we started buying the certificate: auto-update of the program on Windows did not work. After signing with the certificate it still did NOT work, but after changing sparkle:edSignature to sparkle:dsaSignature in the config, everything worked.
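As an added example (not part of the post above, nor SSL.com's or Microsoft's own documentation), here is the local signing step the post describes, scripted so the signing certificate is picked by policy rather than by name and the result is verified before the installer is uploaded. It assumes the YubiKey is plugged into the build machine directly (not through RDP, per the post), that the YubiKey Smart Card Minidriver is installed so the certificate shows up in Cert:\CurrentUser\My, that signtool.exe from the Windows SDK is on PATH, and that the timestamp URL is the one your CA documents (the default below is an assumption).

```powershell
# Added example: sign an installer with a hardware-backed EV code-signing
# certificate from the Windows certificate store, then verify the signature.
# Assumptions: token attached locally (no RDP), YubiKey minidriver installed,
# signtool.exe on PATH, and $TimestampUrl is your CA's RFC 3161 TSA.
param(
    [Parameter(Mandatory)] [string] $Path,           # e.g. .\setup.exe
    [string] $TimestampUrl = 'http://ts.ssl.com'     # assumption: adjust to your CA
)

$ErrorActionPreference = 'Stop'

# 2.23.140.1.3 is the CA/Browser Forum certificate policy OID for EV code signing;
# 1.3.6.1.5.5.7.3.3 is the Code Signing extended key usage.
$EvCodeSigningPolicyOid = '2.23.140.1.3'
$CodeSigningEku         = '1.3.6.1.5.5.7.3.3'

# Select the EV code-signing certificate that has a usable private key
# (for a token, the key handle is provided by the minidriver, not exported).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $policies = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $CodeSigningEku) -and
        $policies -and ($policies.Format($false) -like "*$EvCodeSigningPolicyOid*")
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw 'No EV code-signing certificate with a private key found in Cert:\CurrentUser\My'
}
Write-Host "Signing with $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# /fd and /td select SHA-256 for the file digest and the timestamp digest.
# /tr adds an RFC 3161 timestamp so the signature stays valid after the
# certificate expires. /sha1 pins the exact certificate by thumbprint, so a
# stale or test certificate in the same store cannot be picked by accident.
# signtool prompts for the YubiKey PIN through the minidriver.
& signtool sign /fd SHA256 /tr $TimestampUrl /td SHA256 /sha1 $cert.Thumbprint $Path
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify the way Windows will: /pa applies the default Authenticode policy.
& signtool verify /pa /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Second opinion from PowerShell: the status must be Valid and the signer must
# be the certificate selected above, not some other certificate in the store.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Authenticode status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'File was signed by an unexpected certificate'
}
Write-Host "OK: $Path is signed and timestamped"
```

Run it as `.\sign-installer.ps1 -Path .\setup.exe` on the build machine with the token inserted. The thumbprint pinning and the final verification are the two checks worth keeping in CI even if you drive signtool by hand: they turn "the build produced a file" into "the build produced a file signed by the certificate we paid for".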
 
@dove_ That sounds like quite a journey. Thanks for the info about IdenTrust requiring businesses to have existed for three years. To answer your question about FIPS: yes, it's mandatory. Even the key generation guide you linked to on your CA's website says "This how-to is for customers who want to install certificates on a YubiKey FIPS that they already own." They wrote "YubiKey FIPS" instead of just "YubiKey." That's because of recent (2023) changes to the rules.
 
