Thread: Authenticode

  1. #1

    Thread Starter
    Fanatic Member
    Join Date
    Mar 2009
    Posts
    739

    Authenticode

    Not sure where I read this, but is it true that the App Store will only accept apps that are Authenticode signed with a Symantec certificate?

    Won't my Thawte certificate be good enough ?

    Thanks
    Ian

  2. #2
    PowerPoster SJWhiteley's Avatar
    Join Date
    Feb 2009
    Location
    South of the Mason-Dixon Line
    Posts
    2,256

    Re: Authenticode

    From what I can see, yes (I knew a VeriSign certificate was required, didn't know they were 'owned' by Symantec). It's a good few hundred bucks, so, I can understand the concern.

    Note that the Windows 8 (Metro) apps are handled differently: you submit your package to Microsoft, they test it to meet quite stringent requirements, and it is signed by MS. A certificate, in this case, is not required, only for desktop apps.

    Basically, though, you are only paying for the privilege of posting your [desktop] application to the Microsoft app store window. You still have to perform all the payment transactions yourself, download, etc. The certificate issue is a tough pill to swallow as a requirement - and a double whammy for those with a different, but no less secure, certificate.
    "Ok, my response to that is pending a Google search" - Bucky Katt.
    "There are two types of people in the world: Those who can extrapolate from incomplete data sets." - Unk.
    "Before you can 'think outside the box' you need to understand where the box is."

  3. #3

    Thread Starter
    Fanatic Member
    Join Date
    Mar 2009
    Posts
    739

    Re: Authenticode

    Note that the Windows 8 (Metro) apps are handled differently: you submit your package to Microsoft, they test it to meet quite stringent requirements, and it is signed by MS. A certificate, in this case, is not required, only for desktop apps.
    My understanding was that MS wouldn't accept it at all unless it was signed by the developer with a "VeriSign" certificate.


    Basically, though, you are only paying for the privilege of posting your [desktop] application to the Microsoft app store window. You still have to perform all the payment transactions yourself, download, etc. The certificate issue is a tough pill to swallow as a requirement - and a double whammy for those with a different, but no less secure, certificate.
    I didn't know that I could post "Desktop" apps to the MS App Store. As it stands though I don't have a problem installing my desktop apps on Windows 8 RTM. It's happy to accept either my Thawte or my Comodo certificates.

    Actually, Thawte and VeriSign are BOTH owned by Symantec. Which makes me wonder why a VeriSign Certificate is double the price of the Thawte certificate. Are they saying that Thawte is 'less' secure ?

  4. #4

    Thread Starter
    Fanatic Member
    Join Date
    Mar 2009
    Posts
    739

    Re: Authenticode

    Earlier today I sent this email to MS

    To: Solution Partner Expert Team
    Subject: Win8 Apps and Authenticode

    I've been led to believe that the Win8 App Store will only accept apps that are Authenticode signed with a VeriSign certificate.

    Won't my Thawte certificate be good enough ?

    Thanks
    Ian
    and got this answer

    Hi team,

    Is it true that only a VeriSign certificate is acceptable for Windows 8 store submissions?

    Thanks!
    -Nichole


    Who is 'Nichole' and why is she answering my email with her own question - or did the MS cut-n-paste chimp just send me somebody else's question because it sounds a bit like mine ?

  5. #5
    PowerPoster SJWhiteley's Avatar
    Join Date
    Feb 2009
    Location
    South of the Mason-Dixon Line
    Posts
    2,256

    Re: Authenticode

    Quote Originally Posted by IanS
    My understanding was that MS wouldn't accept it at all unless it was signed by the developer with a "VeriSign" certificate.
    Hmm, I didn't think that was the case - perhaps I'm wrong, then. In which case, even the Metro App Store is out of reach of your average hobby coder... ! I'd better double-check that, but I do recall the last stage of 'certification' was Microsoft signing the package.



    Quote Originally Posted by IanS
    I didn't know that I could post "Desktop" apps to the MS App Store. As it stands though I don't have a problem installing my desktop apps on Windows 8 RTM. It's happy to accept either my Thawte or my Comodo certificates.

    Actually, Thawte and VeriSign are BOTH owned by Symantec. Which makes me wonder why a VeriSign Certificate is double the price of the Thawte certificate. Are they saying that Thawte is 'less' secure ?
    Really, it's just a 'store front' - or more like a 'yellow pages' for apps. You have to provide a link to your own web site where they can download the app. You can easily (obviously) bypass the Microsoft storefront completely, and people can find your app through other means (Google, for example). The Microsoft store front is mimicking the Apple model - a one-stop shop where you can find apps for your device/computer. A requirement for your app to be showcased is that it is signed by VeriSign. I'm not sure how they can enforce that, since the app is actually downloaded from your site, but I haven't looked at the Desktop App steps in great detail.

    I'm a novice when it comes to app distribution to a non-vertical market - code signing generally isn't important for custom applications - but am investigating what is needed to try and hedge my bets that the WinRT on a mobile device has any penetration into an industrial environment.

  6. #6
    PowerPoster SJWhiteley's Avatar
    Join Date
    Feb 2009
    Location
    South of the Mason-Dixon Line
    Posts
    2,256

    Re: Authenticode

    Here's a couple of reference links:

    Windows 8 app certification requirements
    http://msdn.microsoft.com/en-us/libr.../hh694083.aspx

    This above page does not note any signing requirements, but the submission steps documented on an MS blog indicate that MS signs the app package as one of the last steps.

    Certification requirements for Windows 8 desktop apps
    http://msdn.microsoft.com/en-us/libr.../hh749939.aspx

    This does indicate the application needs signing, but does not specify that VeriSign must be used. Doesn't mean that VeriSign is not required, but the whole thing is relatively complex if you haven't accommodated all the requirements in current apps. MS have a lot of investment, it seems, in the store, so it wouldn't surprise me if there are many, many departments working on this whole 'Windows 8 experience' and one hand doesn't know what the other is doing. Indeed, Microsoft's home web site is designed to look like a Windows 8 app. Neat and Unifying - if your eyes can stand the obnoxious colors - which I have a real hard time with.

    So, it also doesn't surprise me that MS employees are also confused: so-called Windows 8 MS representatives (and experts) on the Windows 8 community forums are complete idiots. Granted, some of the questions/comments/rants are not of a particularly high quality, but still.
    Last edited by SJWhiteley; Oct 3rd, 2012 at 03:13 PM.

  7. #7
    ex-Administrator brad jones's Avatar
    Join Date
    Nov 2002
    Location
    Indianapolis
    Posts
    6,608

    Re: Authenticode

    I asked a Microsoft person as well. The answer I got today is:

    Using a certificate within the app itself? I don’t see anywhere that limits to what Certificate Store is allowed and also I would find that hard to believe that they would limit to only Symantec and not others such as Verisign and Thawte.

    http://msdn.microsoft.com/en-us/libr.../hh464941.aspx
    Brad! Jones
    Lots of Software, LLC

  8. #8
    Frenzied Member Lightning's Avatar
    Join Date
    Oct 2002
    Location
    Eygelshoven
    Posts
    1,611

    Re: Authenticode

    For WP7, with a quite similar marketplace, the file is signed by MS itself.
    VB6 & C# (WCF LINQ) mostly
