Windows app certification

Deploying to Windows? Utilizing VB Script execution? This is the place to ask Windows-specific questions.

Moderators: FourthWorld, heatherlaine, Klaus, kevinmiller, robinmiller

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Windows app certification

Post by jmk_phd » Thu Jun 17, 2021 10:43 pm

In order to distribute a Mac app outside the Apple Store, I've had to join the Developer network ($100/year). After some trial-and-error (and with the invaluable help of Matthias Rebbe's excellent tutorial), I've managed to sign/notarize/staple one of my Mac apps.

However, I'm still very unclear as to whether Microsoft requires the same kind of certification. Elanor Buchanan's LiveCode lesson on the topic was interesting but not definitive in that regard. Just today I purchased a copy of Windows10 Home Edition that I intend to install on my Mac via Parallels in the hope that I can test the Windows standalones of my four apps. (BTW, all run fine on an ancient Vista laptop, albeit copied there via USB rather than via internet download.)

I admit to being utterly clueless with respect to Windows -- having been a Mac-only user since 1989. Admittedly, my own shortcoming.

Here's the thing: The first prospective Windows user of one of my apps -- downloaded as a .zip -- reported having been unable to open or run this. From what I've read and have been told, a Windows user should be okay as long as she/he has administrative privileges. (I don't know what kind of scary warnings against downloaded apps might be displayed by Windows10, but I assume that developers are concerned about such a thing.)

In your experience, how willing are Windows end-users to run a third-party app without a certificate purchased from an approved authority?

(My first user in question is in Denmark, so I have only very limited ability to inquire about his Windows configuration.)

Thanks much for your help!!

jeff k

stam
Posts: 2634
Joined: Sun Jun 04, 2006 9:39 pm
Location: London, UK

Re: Windows app certification

Post by stam » Fri Jun 18, 2021 12:47 am

Hi Jeff,

Like you, I'm no expert on this, having never done it (yet) - i'm waiting until intended apps are fully ready to deploy as there is a cost equivalent to the apple developer cost or more.

I've seen recommendations for this service: https://www.ksoftware.net/code-signing-certificates/
I think in almost all cases, the cheaper 'OV' certificate rather than the much more expensive 'EV' is sufficient (OV is $70 - $84/year, depending on how many years you purchase)
They also provide an app for free that does the code signing for you.
This is probably the service i'll use when it comes time to deploy...

Let us know how it goes!
Stam

SparkOut
Posts: 2839
Joined: Sun Sep 23, 2007 4:58 pm

Re: Windows app certification

Post by SparkOut » Fri Jun 18, 2021 7:29 am

I haven't deployed a paid app to customers for years, so also have not had to deal with app certification, but yes you will need to register with a recognised authority to obtain a certificate and codesign the app. I believe the information above is your best source, I know jacque and one or two others have found them to provide cost-effective certificates with easy to deploy codesigning app.

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Sat Jun 19, 2021 1:10 am

Thanks SparkOut and Stam for your replies.

Yes, I've read elsewhere in the LC forums and in an LC lesson about Windows certificate authorities.

The app in question that I created for a brilliant Danish music instructor is intended to be distributed -- just like his own lessons -- free of charge to his YouTube subscribers. It's sad that even freeware developers now must enroll in the Apple Developer Program -- which I did in order to enable the app to run on newer versions of macOS. Even sadder that third-party certificate authorities profit off of Windows freeware.

This Danish musician was afraid to post a link to the free Windows version of my app out of concern that his subscribers would encounter scary Apple-GateKeeper-like messages when downloading the Windows app. I entirely understand his concern.

Is the only option to third-party Windows certification to expect that users ignore such scary warnings? Or is the only option to force freeware and shareware developers to begin charging for their apps -- even when distributed outside the corporate stores?

If so, this is so sad. Please let me know if/how a Windows app can be distributed for free without scary warnings?

jeff k

stam
Posts: 2634
Joined: Sun Jun 04, 2006 9:39 pm
Location: London, UK

Re: Windows app certification

Post by stam » Sat Jun 19, 2021 1:33 am

jmk_phd wrote:
Sat Jun 19, 2021 1:10 am
If so, this is so sad. Please let me know if/how a Windows app can be distributed for free without scary warnings?
I'm under the impression this is not possible but may be wrong; you could distribute without paying anything, but as an unknown developer the 'scary warnings' will keep happening.
At the very least there is a on-off cost of approximately $80, but it's not app-specific, can be applied to any number of your apps. I think once the valid period of the certificate has elapsed, those apps released can continue to be distributed with no additional costs, but you will not be able to code-sign new apps...

bogs
Posts: 5435
Joined: Sat Feb 25, 2017 10:45 pm

Re: Windows app certification

Post by bogs » Sat Jun 19, 2021 10:28 am

I am pretty sure this link -
https://docs.microsoft.com/en-us/window ... e-overview
- should answer most (if not all) of your questions, jmk_phd, and the links under it tell you how to do (at least some of) it manually.
Image

SparkOut
Posts: 2839
Joined: Sun Sep 23, 2007 4:58 pm

Re: Windows app certification

Post by SparkOut » Sat Jun 19, 2021 4:27 pm

If I understand correctly, self-signed certificates will also create a warning. This will help in testing but still not be a seamless experience for the end user.

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Sat Jun 19, 2021 7:01 pm

Thanks to all who've replied to my inquiry.

The link provided by bogs was very helpful with respect to the Windows code-signing procedure. And I do recall that several years ago jacque had posted the link to the ksoftware.net certification service. Thanks to Stam for that reminder, and for the note that when time-stamped the certificate will remain valid even after the enrollment period expires. And to SparkOut for confirming that this is the only way to avoid those scary warnings.

Understandably, most users may be reluctant to download an unsigned app. Perhaps this is why we are seeing freeware/shareware developers resort to begging for donations in order to recover the costs of certification. Nice that Apple provides macOS updates free of charge -- although I did have to enroll in the Developer program. It stung more that I had to purchase both Windows10 (to run using Parallels) plus a separate authority certificate.

Best,
jeff k

SparkOut
Posts: 2839
Joined: Sun Sep 23, 2007 4:58 pm

Re: Windows app certification

Post by SparkOut » Sat Jun 19, 2021 8:14 pm

I wouldn't credit myself with any kind of confirmation, just what I understand, but not any actual experience to draw upon.

Just wondering now, is there a Certification Authority that can provide certificates approved for use to codesign apps for deployment in both in the Apple and Microsoft stores?

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Sat Jun 19, 2021 11:33 pm

SparkOut --

I don't intend to distribute any of my apps via either the Apple or Microsoft stores, so I can't address that aspect of your question. Experienced cross-platform developers in these LC forums surely will know whether any such cross-platform certification authorities exist.

My understanding is simply this: For macOS, the $100 annual enrollment in the Apple Developers Program is all that is needed to code-sign Mac apps -- which Apple handles itself. Inasmuch as Apple does not charge for macOS, it's not a bad deal.

Microsoft apparently employs a different model, relying upon third-party certificate authorities. For someone like myself -- a Mac-only user -- this has meant purchasing Windows10 ($120+ retail) to run this in virtualization via the extraordinary Parallels app ($90/year), plus purchasing a certificate from a Windows-approved Certification Authority ($90+/year). This adds up for those of us who distribute apps free of charge.

If one develops LC apps on a PC -- and so already own Windows -- the cost is only for the certificate. (But of course, programmers on Windows do still need to check out their LC Mac standalones, so in the end this may end up costing at least the same.)

jeff k

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Sun Jun 20, 2021 7:51 pm

Followup on SparkOut's query about certificate authorities recognized by both Apple and Microsoft: I found this FAQ item on the https://www.ksoftware.net website that has been recommended by several LiveCode users:
IMPORTANT NOTE: Apple has changed the way OSX handles certificate from other non-Apple vendors by creating an option in GateKeeper that makes the entire system disallow ALL certificates not created by Apple. After decades of all Apple OSes recognizing the major CAs (like Comodo/Sectigo), this change is quite a surprise. Unfortunately there is no work-around for this as Apple has steadfastly refused to change the default setting to allow other CA's certificates to work like they always have. Because of this we no longer claim that these certificates are supported on OSX natively -- however they *should* still work with Java on the OSX platform.
I assume that this is the definitive answer for now.

jeff k

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Sun Jun 20, 2021 8:45 pm

My (hopefully last) questions for LiveCode developers who already have used ksoftware.net or other Windows certificate authorities:

I have installed Windows10 on my iMac via Parallels. I assume that when applying for a Windows certificate, I must do so while running Windows and Explorer/Edge in virtualization, while connected to the internet through my local network router. (My only PC laptop runs nothing beyond Vista.)

Being an individual developer, I understand that I must provide a copy of my driver's license that includes my legal name and address. (As a licensed psychologist in Illinois, my credentials can be verified online, but these may not matter in establishing my identity.)

In order to complete the signing, I assume that my Windows LC standalone must already be present somewhere on that Windows virtual disk -- perhaps in the Documents folder? -- and that I must connect via Explorer/Edge when I apply for the certificate.

Are there any possible "gotcha's" that could derail this procedure when using Parallels rather than a physical Windows PC? Or is there some tutorial that might guide me in navigating this procedure?

Finally, whereas two of my apps were developed for a collaborator and distributed on his website, my other two apps are my own and distributed via my own website. What impact does this have upon how Microsoft classifies an app as frequently downloaded?

Thanks!

jeff k

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Tue Jun 22, 2021 11:13 pm

I have received a reply from Mitchell Vincent of K Software (https://www.ksoftware.net) in response to my query whether running Windows10 via Parallels on a Mac is sufficient to complete the certificate process. He wrote
though I have to say I've not personally tried it, I don't see why it wouldn't work just like it would if you were on a 'real' PC. If you place the order using IE, the certificate is automatically installed in the Windows CSP (which you get export instructions for, so you have a file to reference from OSX or Windows in the end). There are other alternatives too, so if the order doesn't work for some reason just let me know and we can use a custom CSR and just arrange for a file delivery that contains the certificate.
So apparently K Software will try its best to be helpful. And given its apparently strong money-back guarantee, at least there's no risk in trying.

I will report back here whether/when the Parallels route works.

jeff k

stam
Posts: 2634
Joined: Sun Jun 04, 2006 9:39 pm
Location: London, UK

Re: Windows app certification

Post by stam » Wed Jun 23, 2021 12:11 am

jmk_phd wrote:
Tue Jun 22, 2021 11:13 pm
I will report back here whether/when the Parallels route works.

jeff k
Thanks Jeff - do let us know how it goes!

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Sat Jun 26, 2021 8:23 pm

On the advice of several forum members, I did apply for a certificate through K Software. The application process worked fine using IE in Windows via Parallels, but the real test I suppose will be downloading the certificate via IE once the application is approved.

I do still have a few questions about distributing signed Windows standalones: Unlike Mac app standalones that package everything in one neat bundle, a couple of my Windows standalones require free-standing .dll files (e.g., revsecurity, revpdfprinter, revzip, tsnet) plus a help document, all of which need to be present in the same folder as the standalone.

(1) Do any .dll files -- or even a PDF help file document -- need to be signed along with the standalone?

(2) If a Windows user downloads a .zip file -- or, alternatively, an ISO disk image -- with a folder that contains the signed standalone and these other files, will Windows Defender still issue some scary message or block the download? If so, can either of these be signed?

I understand that there are Windows tools to create installation packages, but being Windows illiterate I'd like to avoid the learning curve involved in mastering these. (Yes, I admit to being a lazy wimp in that regard.)

Any guidance would be appreciated.

jeff k

Post Reply

Return to “Windows”