Rant: Sign Your God &#$%^ Software


Not that I normally like to rant, but security is really important, and people are bad at security. One of the ways we secure things is trusted certificates: as a software developer with a company, one thing you need to do is buy a certificate to “sign” your software. Your certificate is issued by a third party that performs some level of verification indicating that you are a “real” software developer. It is a key part of the trust relationship when installing software. In fact, experts use the absence of a signature as one indicator when identifying malware.


So who is the victim of my rant this week? Power Tap, the company that makes the power meter on my bicycle. They also make software that lets me download my cycling data. This software has two problems:

  1. It requires Java. Boo, hiss.
  2. It is unsigned. More booing, and hissing.

So, sign your software, so people don’t think it’s a virus. On my Mac I have to go into security settings and do bad things to even install this software. And then I have to do even worse things, like installing Java, in order to use it.
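A defender-side check for the trust signal the post describes, as an added example that is not code from the post or from Power Tap: a PowerShell script that inventories the Authenticode status of executables under a folder (the path and the 60-day renewal window are placeholder assumptions) and lists the unsigned or non-verifying binaries first.

```powershell
# Added example, not code from the post or from Power Tap.
# Inventories the Authenticode signature status of executables under a folder so that
# unsigned or non-verifying binaries (the malware indicator the post mentions) stand out
# for review. Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.
param(
    [string]$Root = 'C:\Placeholder\Downloads',   # placeholder path: replace with the folder to inspect
    [int]$RenewalWarningDays = 60                  # assumption: flag certificates expiring sooner than this
)

$patterns = '*.exe', '*.dll', '*.msi', '*.ps1'

$report = Get-ChildItem -Path $Root -Recurse -File -Include $patterns -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Path        = $_.FullName
            Status      = $sig.Status                        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($cert) { $cert.Subject }  else { $null }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            # Without a timestamp countersignature, a signature stops verifying once the certificate expires.
            Timestamped = $null -ne $sig.TimeStamperCertificate
        }
    }

# First pass: everything that does not verify. NotSigned is the case the post complains about;
# HashMismatch means the file changed after it was signed and deserves a closer look.
$notVerifying = $report | Where-Object { $_.Status -ne 'Valid' }
Write-Host "Files that are unsigned or whose signature does not verify:"
$notVerifying | Sort-Object Status, Path | Format-Table Status, Signer, Path -AutoSize

# Second pass: valid signatures whose certificate is close to expiry. This is the window in which
# a publisher has to renew and dual-sign (as the comments below describe) before the old certificate lapses.
$expiringSoon = $report | Where-Object {
    $_.Status -eq 'Valid' -and $_.NotAfter -and $_.NotAfter -lt (Get-Date).AddDays($RenewalWarningDays)
}
Write-Host "Valid signatures whose certificate expires within $RenewalWarningDays days:"
$expiringSoon | Sort-Object NotAfter | Format-Table NotAfter, Timestamped, Signer, Path -AutoSize
```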

3 thoughts on “Rant: Sign Your God &#$%^ Software”

  1. Daniel Aleksandersen

    I agree from a technical perspective, but the market doesn’t allow for widespread deployment of software signing for fringe software. The process is too expensive! I’m really hoping we’ll see a free-certificate revolution in the software signing space soon; the same way we got free certificates for use on the web from Let’s Encrypt.

    Software signing certificates are really expensive. Deploying them is really expensive. Managing their use and securing them adds additional cost. The cost is negligible for a large software company, but for individual open source developers or small business – it’s just not at all worth the trouble and expense.

  2. jdanton1

    Software certs can be had for under $100. And there are programs for Open Source devs to get them for free–I recently got one (granted it was a perk of being an MVP). Management is a bit tricky, but cloud services like key vault make it much easier.

    1. Daniel Aleksandersen

      There have been two companies that used to give away free certificates to open source projects “of some noteworthiness”. These programs were discontinued years ago.

      The cheapest I could find now is 223 USD/year. Note that you need to renew a month or two before it expires to give you time to dual-sign (to transfer certificate reputation from one certificate to the other). The actual price is closer to 260 USD/year as you need to purchase 14 months worth of certificate per year.

      Even the non-extended-validation (EV/green) code signing certificate requires you to submit identification papers and go through a tedious process. This varies from CA to CA, but it’s more involved than a web certificate with all of them. It also requires you to release your software at least once a year to distribute the new certificate. Ideally, you’d need to have working auto-update with the associated infrastructure to update everyone, as your auto-update client should validate your certificate as part of the install process.

      If you’re a small open source project or even a small business that is giving away software for free … . Well, why would you ever bother with any of this? The cost is one thing, but learning and deploying the extra technical requirements just isn’t worth it unless you’re being paid to do it.

      But I do agree with you: more software should be signed. The Windows platform just needs to make that a bit cheaper and easier first. Linux has solved this with PGP and a trust-chain per distribution. Mac solves this by giving away as many free certificates as is needed as part of their for-all-intents-and-purposes mandatory Apple Developer Program (99 USD/year). What the two platforms have in common is that it’s much easier and cheaper for developers to get a certificate and to sign their software.


