Wednesday, November 25, 2009

Security Warning - The publisher could not be verified.

As you may know, installing any of the Weather Message products from the Internet results in the following message:

This message appears because the Weather Message installers are not digitally signed. Microsoft calls this technology Authenticode or code signing. Until recently the cost to get a digital certificate was really expensive. In some cases it could cost $499 per year. That is way too expensive for a digital signature.

I discovered a new company that is trying to lower the cost of digital certificates. StartCom/StartSSL began offering free certificates several years ago. They however were not recognized by Microsoft and therefore their root certificates were not installed in Internet Explorer.

Starting with Windows 7, StartCom/StartSSL is now a recognized certificate authority. Their root certificates are now installed by default in Windows 7. They are also available for other operating systems by getting a root certificate update from Microsoft. (These are generally available through windows update.)

You can still get free digital certificates from them, but the ones needed to sign code cost $40.00 for two years. That is a bargin! Because of the price change, I have obtained certificates from http://www.startssl.com/.

Beginning with version 3.5, all of my installers will be properly signed. You will see the following message when running the installer:

It does show my name as the publisher, instead of Weather Message Software. I would have preferred Weather Message Software, however, for $40.00 that is fine.

This should make Windows Vista, Window 7 and Windows 2008 alot happier about installing my software.

I will note that StartCom offers free certificates for S/MIME (email) applications. You can also get free secure certificates for websites. I have not tried one on my webserver, but I will be doing that soon just to see how it works.

No comments: