forum.vdsworld.com

[jules]

Yep, I'm looking at the Comodo one. They have a UK office, which is quite handy. The only thing I haven't managed to establish is if they have a time stamping service, so the certificates don't expire like you explained earlier.

As you say, it's as much an issue of wanting people to trust my software as anything. I'll probably go for it. But it all costs money. There's no such thing as a free lunch. I think we're seeing the effects already, as most freeware asks for donations now, and a lot of freeware is going shareware, or else adware (like Burn4Free, which they should probably rename Burn4Ads.)

[PGWARE]

Jules you can use Verisign's timestamp server, Verisign made it available for free for all code signing developers. If you read on comodo's faq page it states the verisign timestamp server can be used free and was generously provided by Verisign for that purpose. I guess they get free advertising like this since developers will check out what Verisign has to offer since their giving out free timestamp signing.

You can use the url below for the timestamp server: http://timestamp.verisign.com/scripts/timstamp.dll

[PGWARE]

Actually comodo does not state the verisign timestamp service is free, it's actually stated on Thawtes page:

http://www.thawte.com/support/code/tech.html

Click on the link Microsoft Authenticode and scroll down about half way through the page and it mentions Verisign making their timestamp service available for free public usage.

[cnodnarb]

I think i'll just be putting self extracting setup files into zip files for now. Until that stops working....

XP users can open zips like folders. Then double click on the sfx.

NodNarb

[Boo]

I was thinking along the same lines...

[PGWARE]

Files within zips (executables) will still show the warning. Once the file is unzipped and the user executes the exe within it the prompt shows up notifying it was not signed/signed.

[SnarlingSheep]

[PGWARE]

Yup, download XP service pack 2 and test it out. If you try to run a file extracted from a zip and it is executable type it will show the message. Signed or not it shows the message each time the file is opened/run until the user selects teh check box not to warn on that file again.

Even shows up for .chm - compiled help file's too. Shows 'unknown publisher'.

I'd rather just include the single setup file for download and let it warn just once rather then distribute files by zip and have each file warn no signature was found.

[SnarlingSheep]

What a pain..

[Garrett]

I updated to SP2 and am not encountering these messages at all. I've
downloaded several programs and such since and nothing. I'm not using
MSIE however, but still, executing setup.exe files and such are not an
issue, nor running of the programs just installed.

[PGWARE]

[Boo]

Yeppers; well said. I am currently downloading the update to see for myself. (I believe you, but obviously want to try it, too.)

Cheers,

- Boo

[Boo]

I am receiving the warning from a downloaded .exe, but not from an .sfx that was zipped...

Will test and play around with it further...

[jules]

Are you using NTFS? I read that information was written about the file as an auxiliary data stream under NTFS, which means that it can keep track that an EXE came from a Zip file and still display the warning. On a FAT disk there is no facility to do this.

[Skit3000]

With FAT(32) this kind of data can be written to a binary file or the registry...