This is the third blog of the series and hopefully the last one, as I am confident I have now gone through all the requirements, issues and limitations of the current code signing process. “Code Signing Certificates’ Journey of Pain #3: When Even Signing Isn’t Enough” shines a light on the certificate authority industry’s extortion of software publishers. Thankfully for developers and publishers alike, blockchain and smart contract technology offer substantial pain relief for this intolerable situation.
What started as a painful and time-consuming journey has now blossomed into a full-fledged drama. We thought we had everything sorted for our executable to be installed without any OS complaining about security risks. As it turns out, we discovered that we were not there yet.
After weeks of calls, numerous official papers sent to the certificate authority and a number of checks to prove we were who we claimed to be, we finally received the digital certificate to sign the CodeNotary </> application and the Windows installer. It was now time to test the freshly signed installer and see whether everything worked as expected. However, the drama was just beginning.
In fact, the first surprise arrived immediately during the download of the CodeNotary </> installer for Windows from https://github.com/vchain-us/vcn/releases and triggered the following alert.
We reviewed Google’s ‘Unwanted Software Policy’ to make sure our software did not breach any of the set policy guidelines. Good faith is the foundation of most of these types of policies. This policy was no different. The very first claim it makes is that software is blocked if “It is deceptive, promising a value proposition it does not meet.”
As much as I am a strong believer in the power of AI, I struggle to see how Google can reconcile this policy with a value proposition based on an executable file. Unless someone reports that a software application does not comply with this policy, there is no indicator that any given piece of software is non-compliant.
The one policy in the list that can be empirically verified by Google is the requirement for software to be signed by an official digital certificate. We had taken care of that.
Clearly, for Google, an application signed with an official digital certificate issued by a leading CA with an industry market share of 67% is still not enough for trust. There was no way around this fact. We had to get it fixed. So we started a separate Google approval process that ended up having another set of issues all of its own. More on that later.
Back to the task at hand. We manually confirmed we wanted to keep the download and clicked the appropriate button in the pop-up notification to start the install process. At this point, I was 100% sure the code signing certificate would make the magic happen and the rest of the installation would be straightforward. Alas, it was not meant to be, as this was when the second surprise arrived.
I was completely baffled. What happened to my signing certificate? Maybe something went wrong and there was no signature on the .exe file. So I checked the installer properties again. Everything was in order as shown in the image below.
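The same check the Properties dialog shows can be scripted, which is handy when you want to confirm a downloaded installer is signed and unmodified before anyone runs it. This is an added example, not code from the original post or from the CodeNotary project; the installer path is a placeholder.

```powershell
# Added example: read the Authenticode signature of a downloaded installer
# from the command line instead of opening the file's Properties dialog.
$installer = 'C:\Downloads\vcn-setup.exe'   # placeholder path, not from the post

$sig = Get-AuthenticodeSignature -FilePath $installer

# Status is 'Valid' only when the signature verifies and the signer chains to
# a trusted root. 'NotSigned', 'HashMismatch' or 'UnknownError' mean the file
# should not be trusted, whatever the download dialog says.
[pscustomobject]@{
    File        = Split-Path $installer -Leaf
    Status      = $sig.Status
    Message     = $sig.StatusMessage
    Signer      = $sig.SignerCertificate.Subject
    Issuer      = $sig.SignerCertificate.Issuer
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    # A countersignature timestamp keeps the signature verifiable after the
    # signing certificate expires; its absence is worth flagging.
    TimeStamped = [bool]$sig.TimeStamperCertificate
    SHA256      = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature check failed: $($sig.StatusMessage)"
    exit 1
}
```

A Valid status confirms only that the file is intact and signed by a certificate chaining to a trusted root; as the rest of the post describes, Defender’s reputation check is a separate hurdle that a valid signature alone does not clear.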
I started looking for an explanation for this alert, and on a forum on Microsoft’s website I found that by using an Extended Validation (EV) Certificate you could make the Defender alerts disappear. However, that is only after 3,000+ downloads. Getting 3,000 downloads for a new application is not something you achieve overnight, and having all these types of alerts from Chrome and Windows certainly doesn’t help in reaching that goal either.
So we considered an EV certificate instead. To get the certificate we had to comply with other manual and time-consuming CA checks, add more weeks of delays to our schedule and spend another $1,000. Altogether, with the already spent $500 between the certificate and the officially registered papers, our total code signing certificate costs amounted to a whopping $1,500. So on general principle, we refused to continue to oil this broken engine.
The industry’s only goal is to milk money from publishers without adding any true value other than allowing software into the game they created. Unfortunately for them, that game is now technologically outdated, dusty, and ultimately ridiculous. This is further proven by a TechTarget report that anyone can buy a counterfeit EV certificate for the same amount or less that passes the CA’s own authenticity test. And they can do so without spending the same amount of time to get it issued.
Luckily, there is a better way with CodeNotary </>. It proves the authenticity of software assets in a single signing step.
Check how much money you can save on digital certificates using CodeNotary </> and join the community that will change code signing forever. The certificate authority industry is yet one more industry that is being disrupted by blockchain and smart contract technology.
Start your free trial of CodeNotary now and leave the pain behind.