-
Oct 3rd, 2012, 05:49 AM
#1
Thread Starter
Fanatic Member
Authenticode
Not sure where I read this but is it true that the App Store will only accept apps that are authenticode signed with a Symantec certificate.
Won't my Thawte certificate be good enough ?
Thanks
Ian
-
Oct 3rd, 2012, 12:51 PM
#2
Re: Authenticode
From what I can see, yes (I knew a VeriSign certificate was required, didn't know they were 'owned' by Symantec). It's a good few hundred bucks, so, I can understand the concern.
Note that the Windows 8 (Metro) apps are handled differently: you submit your package to Microsoft, they test it to meet quite stringent requirements, and is signed by MS. A certificate, in this case, is not required, only for desktop apps.
Basically, though, you are only paying for the privilege of posting your [desktop] application to the Microsoft app store window. You still have to perform all the payment transaction yourself, download, etc. The certificate issue is a tough pill to swallow as a requirement - and a double whammy for those with a different, but no less secure, certificate.
"Ok, my response to that is pending a Google search" - Bucky Katt.
"There are two types of people in the world: Those who can extrapolate from incomplete data sets." - Unk.
"Before you can 'think outside the box' you need to understand where the box is."
-
Oct 3rd, 2012, 01:15 PM
#3
Thread Starter
Fanatic Member
Re: Authenticode
Note that the Windows 8 (Metro) apps are handled differently: you submit your package to Microsoft, they test it to meet quite stringent requirements, and is signed by MS. A certificate, in this case, is not required, only for desktop apps.
My understanding was that MS wouldn't accept it at all unless it was signed by the developer with a "VeriSign" certificate.
Basically, though, you are only paying for the privilege of posting your [desktop] application to the Microsoft app store window. You still have to perform all the payment transaction yourself, download, etc. The certificate issue is a tough pill to swallow as a requirement - and a double whammy for those with a different, but no less secure, certificate.
I didn't know that I could post "Desktop" apps to the MS App Store. As it stands though I don't have problem installing my desktop apps on Windows 8 RTM. It's happy to accept either my Thawte or my Comodo certificates.
Actually, Thawte and VeriSign are BOTH owned by Symantec. Which makes me wonder why a VeriSign Certificate is double the price of the Thawte certificate. Are they saying that Thawte is 'less' secure ?
-
Oct 3rd, 2012, 01:27 PM
#4
Thread Starter
Fanatic Member
Re: Authenticode
Earlier today I sent this email to MS
To: Solution Partner Expert Team
Subject: Win8 Apps and Authenticode
I've been lead to believe that the Win8 App Store will only accept apps that are authenticode signed with a VeriSign certificate.
Won't my Thawte certificate be good enough ?
Thanks
Ian
and got this answer
Hi team,
Is it true that only a VeriSign certificate is acceptable for Windows 8 store submissions?
Thanks!
-Nichole
Who is 'Nicole' and why is she answering my email with her own question - or did the MS cut-n-paste chimp just send me somebody else's question because it sounds a bit like mine ?
-
Oct 3rd, 2012, 02:48 PM
#5
Re: Authenticode
Originally Posted by IanS
My understanding was that MS wouldn't accept it at all unless it was signed by the developer with a "VeriSign" certificate.
Hmm, I didn't think that was the case - perhaps I'm wrong, then. In which case, even the Metro App Store is out of reach of your average hobby coder... ! I'd better double-check that, but I do recall the last stage of 'certification' was Microsoft signing the package.
Originally Posted by IanS
I didn't know that I could post "Desktop" apps to the MS App Store. As it stands though I don't have problem installing my desktop apps on Windows 8 RTM. It's happy to accept either my Thawte or my Comodo certificates.
Actually, Thawte and VeriSign are BOTH owned by Symantec. Which makes me wonder why a VeriSign Certificate is double the price of the Thawte certificate. Are they saying that Thawte is 'less' secure ?
Really, it's just a 'store front' - or more like a 'yellow pages' for apps. You have to provide a link to your own web site where they can download the app. You can easily (obviously) bypass the Microsoft storefront completely, and people can find your app through other means (Google, for example). The Microsoft store front is mimicking the Apple model - a one-stop shop where you can find apps for your device/computer. A requirement for your app to be showcased is that it is signed by VeriSign. I'm not sure how they can enforce that, since the app is actually downloaded from your site, but I haven't looked at the Desktop App steps in great detail.
I'm a novice when it comes to app distribution to a non-vertical market - code signing generally isn't important for custom applications - but am investigating what is needed to try and hedge my bets that the WinRT on a mobile device has any penetration into an industrial environment.
"Ok, my response to that is pending a Google search" - Bucky Katt.
"There are two types of people in the world: Those who can extrapolate from incomplete data sets." - Unk.
"Before you can 'think outside the box' you need to understand where the box is."
-
Oct 3rd, 2012, 03:02 PM
#6
Re: Authenticode
Here's a couple of reference links:
Windows 8 app certification requirements
http://msdn.microsoft.com/en-us/libr.../hh694083.aspx
This above page does not note any signing requirements, but the submission steps documented on an MS blog indicate that MS signs the app package as one of the last steps.
Certification requirements for Windows 8 desktop apps
http://msdn.microsoft.com/en-us/libr.../hh749939.aspx
This does indicate the application needs signing, but does not specify that VeriSign must be used. Doesn't mean that VeriSign is not required, but the whole thing is relatively complex if you haven't accommodated all the requirements in current apps. MS have a lot of investment, it seems, in the store, so wouldn't suprise me if there are many, many, departments working on this whole 'windows 8 experience' and one hand doesn't know what the other is doing. Indeed, Microsofts home web side is designed to look like a Windows 8 app. Neat and Unifying - if your eyes can stand the obnoxious colors - which I have a real hard time with.
So, it also doesn't surprise me that MS employees are also confused: so-called Windows 8 MS representatives (and experts) on the Windows 8 community forums are complete idiots. Granted, some of the the questions/comments/rants are not of a particularly high quality, but still.
Last edited by SJWhiteley; Oct 3rd, 2012 at 03:13 PM.
"Ok, my response to that is pending a Google search" - Bucky Katt.
"There are two types of people in the world: Those who can extrapolate from incomplete data sets." - Unk.
"Before you can 'think outside the box' you need to understand where the box is."
-
Oct 11th, 2012, 10:16 AM
#7
Re: Authenticode
I asked a Microsoft person as well. The answer I got today is:
Using a certificate within the app itself? I don’t see anywhere that limits to what Certificate Store is allowed and also I would find that hard to believe that they would limit to only Symantec and not others such as Verisign and Thawte.
http://msdn.microsoft.com/en-us/libr.../hh464941.aspx
-
Oct 14th, 2012, 02:36 PM
#8
Re: Authenticode
For WP7, with a quite similar marketplace, the file is signed by MS itself.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|