locked
Which Certificate Authority should I use for creating an app that will be sideloaded by my customers?

    Question

  • Hi all,

    I have an app in the Windows 8 App store --- all good so far.

    Now, an enterpirse version of this app will be distributed directly to organizations who will sideload it onto corporate PCs/Devices, so I know that I need to sign the app with a certificate from a trusted authority.

    The million dollar question, then, is which authority (Verisign/Symantec, DigiCert, GoDaddy, etc), and what type of certificate?

    Has anyone done this for real yet?

    Thanks

    Martin

    Thursday, November 15, 2012 6:19 PM

Answers

  • Totally hacked off --- spent hundreds of dollars on a DigiCert EV certificate and there are two main problems:

    1. Microsoft's Schema for validating certificates in Windows 8 Apps does not allow PostalCode (as per http://social.msdn.microsoft.com/Forums/en-US/toolsforwinapps/thread/27b5ff8c-407f-49a3-bbd6-dc95d67f4175), while DigiCert insists on including it. Not sure if this is the fault of DigiCert or Microsoft, but I suspect the latter, as it seems very reasonable to include PostalCode. Or more likely it's both of their faults as they both bang on about how they worked together to create cert solutions for Windows 8, but obviously no-one from either side even did the simplest thing of signing a Windows 8 app to see if it works...

    2. DigiCert support is ludicrous. They insist on repeating verbatim the information on their Web site, without actually attempting to understand my question. (i.e. all you need to do is mention 'Windows 8' and they straight away start talking about their EV certs, blah, blah, blah. They seem so stupid they don't even know how their own products work. I will NEVER use them again. For example, they ignored my emails, and their instant chat 'Support' person kept telling me the same thing about EV certs.

    If I ran my software company like either of these two (at least in this instance) then we'd be broke in a heartbeat. I just don't understand how they can get away with this...

    RESULT = I decided to give away the APP for free in the Windows 8 store for both end users and enterprises, thereby not making any money for us, but also not contributing to Digicert or Windows 8 store revenue in the future. (By the way, it's a great app! Check out http://www.point8020.com --- the app is called ShowMe Windows 8, and as I say it's now totally free. I'd be grateful if you folks could blog/tweet both this post and the resulting free app on our site. I guess as many folks as possible can now benefit from it, for free. Thanks!

    Friday, March 01, 2013 6:07 PM

All replies

  • Hello Martin,

    Have a look at the following page on How to Add and Remove Apps. It depends on how you want to install them. You can sideload them if that is the preference or you can use DISM and include them in an image. The certificate will depend on what is being used in the domain and how you sign the package. You can use PowerShell or Visual Studio to sign the package. Here is another page on Signing the app package to give you a better overall picture of how to it can be done. Hope this information helps!

    Cheers,

    Jesse

    Thursday, November 15, 2012 10:12 PM
  • Thanks for your quick reply, Jesse.

    Technically I know how to do all that is described, and I even know that I will need a certificate from a trusted authority (e.g. Verisign, Thawte, DigiCert, GoDaddy, etc). However, my main question is which of these authorities can produce certs that are compatible with sideloading Win8 Apps. For example, I see that DigiCert and Verisign/Symantec both offer 'EV' code-signing certs as well as non-EV certs, so I want to ensure I purchase the correct type from a supported authority. (As you may know, these certs can be quite expensive...). I guess the issue is which of these does Windows 8 actually trust OOB?

    Help available from these authorities is predicatably poor --- they don't even know what sideloading means, so I am not predisposed to trust their advice. In  other words, the information these  'trusted authorities' offer is neither authoritative nor trustworthy (hahaha:-), so I appreciate any advice you (or someone else at MSFT) can offer.

    Thanks!

    Martin

    Friday, November 16, 2012 9:15 AM
  • Uhm... if you're sideloading, you're not entering the app to the store right? Hence you don't need to sign it? What am I missing?

    If you do have to publish it to the store, VeriSign seems to be the only option though.

    Saturday, November 17, 2012 11:56 AM
  • oh, it's in the store already, so no problems there. The issue is that we will also distribute it separately (direct to customers) who will then sideload it onto multiple devices (e.g. by group policy or maybe even by running the installer manually). So for that to work, the package needs to be signed by my company with a cert obtained from an authority that Windows 8 trusts. (Just to be clear, it's no good for me to just create my own cert, as no one else will trust that and the install will be spoiled by alerts or even failures)

    The question, then, is which authorities does Win8 trust, and also what type of cert is appropriate. (e.g. Digicert and VeriSign both offer "EV" code-signing certs, as well as standard code-signing certs. My guess is that EV is correct, but it would be an expensive guess if wrong.

    Has anyone done this?

    Saturday, November 17, 2012 12:08 PM
  • Ok I understand. Technically this is not a Windows Store question, but a Windows 8 question then, but I guess this forum is close enough :-) 

    Do you control the entire deployment chain? Can you write scripts that run on each computer? Are you sure you need to sign it at all to be able to install it automatically- that there isn't some MSI-installer option to make it install and override any warnings? I mean - you even mention running the installer manually - and you can indeed install unsigned applications on Windows 8 manually by overriding the warnings. You get this dialog that says you can't install it, but then you click "more options" and "install anyway". I'm sure you've seen this.

    I am myself selling an Outlook plugin that up until now hasn't been signed. I just bought a Thawte digital certificate (standard Authenticode) to sign it, so if you want I can get back to you about how it works on Windows 8 machines. I found Thawte to be one of the cheapest out there. What's interesting though is that Thawte is not listed as one of the members in the Windows Root Certificate Program, but they seem to be hosting for Verisign or something (search for "Thawte"). Not sure exactly how this works out, but I can get back to you.

    Saturday, November 17, 2012 12:18 PM
  • Thanks FrodeNilsen!

    I ended up buying a DigiCert EV certificate (not arrived yet), so I will try that out and let you know about how it worked out:-)

    Saturday, November 17, 2012 5:16 PM
  • Hi Martin, I have now used the Thawte Authenticode certificate to sign my Outlook plugin (MSI file), and well - the outcome wasn't all that satisfying. Here's my experience with downloading and installing my MSI from a browser - before and after signing the MSI file with the digital certificate:

    BEFORE
    Windows SmartScreen: Pops up with the text "Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk." You need to click "Show more" and click "Run anyway" to continue.
    UAC: Pops up with the text "Do you want the following program from an unknown publisher to make changes to this computer". Yellow warning-ribbon.

    AFTER
    Windows SmartScreen: Same as before
    UAC: Pops up with the text "Do you want the following program to install software on this computer". No yellow ribbon.

    So in summary, only the UAC was slightly less scary. I'm not at all convinced that the cost/benefit of purchasing a Thawte certificate for my product is good enough to be justified. Frankly, I feel kind of cheated because the primary reason for me to by the certificate was to get rid of the SmartScreen warning.

    I would be very interested in hearing your experience for the VeriSign certificate though. It might be that because Microsoft has endorsed these guys, that your signed apps will bypass the SmartScreen warning. 

    PS: Note that the SmartScreen only checks your software if you run them after downloading the .MSI or .EXE through a browser.


     

    Thursday, January 03, 2013 10:07 AM
  • Martin,

    Can you please share your experience?

    I read somewhere this

    "So you need another commonly trusted CA to sign your Code Signing Certificate – this is where commercial CAs comes into the game"

    You need a Commercial Trusted certificate to sign our internal Code Signing certificate?  - is this true and why is Microsoft not making it clear.

    If you come across any documentation on this Enterprise Side Loading - specially dealing with certificate please share.

    thanks

    John

    Wednesday, January 30, 2013 8:33 PM
  • John: You don't need a certificate for anything. Define your use case. 
    Thursday, January 31, 2013 1:52 PM
  • Totally hacked off --- spent hundreds of dollars on a DigiCert EV certificate and there are two main problems:

    1. Microsoft's Schema for validating certificates in Windows 8 Apps does not allow PostalCode (as per http://social.msdn.microsoft.com/Forums/en-US/toolsforwinapps/thread/27b5ff8c-407f-49a3-bbd6-dc95d67f4175), while DigiCert insists on including it. Not sure if this is the fault of DigiCert or Microsoft, but I suspect the latter, as it seems very reasonable to include PostalCode. Or more likely it's both of their faults as they both bang on about how they worked together to create cert solutions for Windows 8, but obviously no-one from either side even did the simplest thing of signing a Windows 8 app to see if it works...

    2. DigiCert support is ludicrous. They insist on repeating verbatim the information on their Web site, without actually attempting to understand my question. (i.e. all you need to do is mention 'Windows 8' and they straight away start talking about their EV certs, blah, blah, blah. They seem so stupid they don't even know how their own products work. I will NEVER use them again. For example, they ignored my emails, and their instant chat 'Support' person kept telling me the same thing about EV certs.

    If I ran my software company like either of these two (at least in this instance) then we'd be broke in a heartbeat. I just don't understand how they can get away with this...

    RESULT = I decided to give away the APP for free in the Windows 8 store for both end users and enterprises, thereby not making any money for us, but also not contributing to Digicert or Windows 8 store revenue in the future. (By the way, it's a great app! Check out http://www.point8020.com --- the app is called ShowMe Windows 8, and as I say it's now totally free. I'd be grateful if you folks could blog/tweet both this post and the resulting free app on our site. I guess as many folks as possible can now benefit from it, for free. Thanks!

    Friday, March 01, 2013 6:07 PM