July 01, 2012 | Filed under: business002
Hands up everyone who knows about code-signing certificates!!!! anyone?
Well they are quite dull, but you have all seen evidence of them, or their non-existence. Code-signing has been around a long time, but for most of the time it’s been a topic that indie game devs could ignore. Essentially, as I understand it, code signing is a way for people to know that the exe file they are downloading is the same exe file it claims to be, and that it doesn’t have any malware in it (not really…but…read on).
If you download an .exe file from the internet using internet explorer, you get scary message windows popup and warn you that your house is about to explode and that swarms of locusts will descend and kill you. However, if that exe file is code-signed, the message is marginally less scary, and you are told the locusts are probably not deadly, and that the explosion will only cause collateral damage.
Some poor sods who have the misfortune to have malware called ‘norton internet security’ probably don’t even get that far. This malware just deletes any exes it doesn’t personally like the look of, regardless of content or publisher… sigh.
Anyway, the get your code signed (and thus scare your potential customers/demo downloaders) a *bit* less, you need to pay an exorbitant sum of money to some supposedly trustworthy company that will verify who you are. I paid $99 and got a few emails asking to see bill or bank statement scans (like they can’t be forged in 10 minutes in photoshop), hand-wavey claims that my identity will be verified in ways unmentioned, and a 1 minute phonecall from a very bored guy in an indian call center checking that I knew all about my submission.
In other words, rigorous FBI-level security clearing stuff that mafia-funded russian hackers could not even begin to circumvent. Oh no…
And then you get a special URL that plonks something somewhere in your copy of internet explorer (it HAS to be IE, what irony!) and are left to fend for yourself.
A bit of experimenting showed that you can ‘export’ the certificate from IE onto your hard drive, at which point you pick a password for it. The next bit it easier, because if you use inno setup, there are simple instructions of enabling it to auto-sign your installers, once you’ve downloaded a ‘signing tool’ from some third party.
And then lo! You have code-signed installers. This means Internet Explorer and Norton Internet Stupidity are very very very slightly less suspicious of my games and demos. Hurrah! Thanks to crass stupidity at the highest levels, they still spout warnings like ‘This file is not commonly downloaded, and therefore must be a virus’ (which are never ever downloaded, clearly). But, it’s a slight step in the right direction.
People are getting more and more used to using clients like steam to get games, and more and more wary of random internet exes. I thought I should at least do my tiny bit to stem the tide of the total extinction of a free, open internet where people can sell games direct, by actually signing my exes and making them seem safer to the wary. Pity that the entire code-signing system was exposed as totally insecure, but I don’t make the rules…