Selling IF: PC codesigning/certification stuff questions 2021

Say you want to put your published IF on Steam. They support macOS, Windows, Linux.

Steam’s docs are clear about what they need for a Mac app: “Starting October 14th, 2019 Steam will require all new macOS Applications to be 64-bit and notarized by Apple.” (from Platforms (Steamworks Documentation))

They don’t say anything equivalent about the Windows app. The link on that page to the Windows development group doesn’t work.

Can some folks who know, explain a bit about codesigning on PCs and where the certificates come from? (The stork, I hope.)

Googling this topic knowing next to nothing gives a mountain of conflicting information, prices, people accusing anyone selling certificates of being extortionists, people accusing anyone accusing anyone of selling it of being extortionists of being liars. It’s definitely been an I’m-grateful-for-the-walled-garden moment in this context.

Thanks

-Wade

1 Like

Steam does not require Windows apps to be signed.

1 Like

Thanks.

You may have tried to save time by delivering the most pertinent info in minimum words, but is there any chance you could give a little primer on the PC code-signing certificates world in general? I need a trusted source because I’m getting nowhere with Google.

-Wade

In principle, it’s pretty straightforward, and the underlying technology is basically the same for Windows, Java and Apple. I’m assuming you understand how code-signing works, at least at an overview level.

You need to buy a code-signing certificate from a CA (Certificate Authority) and install it on your build machine. Once that’s done, when you’ve built a Windows executable you can use a command line tool called “signtool” (which comes with the Windows SDK from Microsoft) to sign the executable. You also need to timestamp it using a public CA timestamp server, but “signtool” can do that bit too. In principle you can do this if cross-compiling (i.e. building a Windows executable on a non-Windows machine) too, but I don’t know the details of that.

The only tricky bit is the “buy a code-signing certificate” part. Certificates for web sites are pretty cheap (sometimes free) because all the CA needs to do is verify that it’s selling to the entity that already controls the website, which can all be done over the Internet. For a code-signing certificate the certificate contains a claim of who you are, which they need to verify in some way. Whether this is a valid reason for the price of code-signing certificates or not is a matter of debate.

Most of the big CAs will sell you a personal code-signing certificate, for example Comodo (Comodo Individual Code Signing Certificate at Low Cost – Comodo SSL Store) (Note this is just an example, not a recommendation).

3 Likes
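The sign-then-timestamp step David describes above, written out as a PowerShell session. This is an added example, not code from the original post. It assumes signtool.exe from the Windows SDK is on PATH, that the CA-issued certificate was exported to a .pfx file (the path, the executable name and the CODESIGN_PFX_PASSWORD environment variable are hypothetical), and it uses one public RFC 3161 timestamp server URL purely as an example; use whichever server your CA documents.

```powershell
# Added example (not from the original post). Hypothetical paths and names:
$Pfx         = "C:\certs\MyCodeSign.pfx"        # certificate + private key exported from the CA
$PfxPassword = $env:CODESIGN_PFX_PASSWORD       # assumed set in the environment, never hard-coded
$Exe         = "C:\build\MyGame.exe"            # the built Windows executable
$Timestamp   = "http://timestamp.digicert.com"  # example public RFC 3161 server; use your CA's

# Sign with a SHA-256 file digest (/fd) and an RFC 3161 timestamp (/tr, /td).
# The timestamp is what keeps the signature valid after the certificate
# itself expires, so it is not optional in practice.
signtool.exe sign /f $Pfx /p $PfxPassword /fd SHA256 /tr $Timestamp /td SHA256 /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# If the key lives on a hardware token or in the Windows certificate store
# rather than a .pfx file, replace "/f ... /p ..." with "/n 'Your Name'"
# (subject name) or "/sha1 <thumbprint>" to select the certificate.

# Verify against the default Authenticode policy (/pa) and print the chain.
signtool.exe verify /pa /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Second opinion from PowerShell itself: Status must be 'Valid'.
$sig = Get-AuthenticodeSignature -FilePath $Exe
"{0}: {1}, signed by {2}" -f $Exe, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status)" }
```

The verify step is worth running on a machine that does not have your certificate installed, since that is the situation your users are in: a signature that only validates because the issuing chain is already trusted locally will still produce the warning dialog elsewhere.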

Thanks for the overview David, that’s what I needed. Especially the quoted bit about the pricing and who can sell them. That’s what I couldn’t really work out from a position of knowing nothing by Googling. The debate you mentioned is pretty much in the way of the basic information.

-Wade

Firstly, I wouldn’t bother signing a Windows app if it’s not required.

Secondly, I presume OSX apps notarized by Apple will require an Apple developer licence (correct me if wrong). This licence has to be renewed annually. ~$99 I think.

There are (or used to be) separate Apple licences for iOS and OSX. If your app store licence relapses, Apple pull all your products.

Not sure whether that’s (somehow) also true for OSX notarization. Is this a one off that persists for the app or does it also expire? Perhaps someone knows. Of course, if you make an update, it’s likely you’ll have to re-sign it and therefore you’ll need a valid current licence.

No, because I don’t know anything about Windows code signing. :) I’ve never done it. Happily, David has.

I believe so, yes. The cost should be small compared to the amount of money you expect to make on Steam. (If you don’t expect to make $100/year on Steam, re-evaluate your options!)

Used to be. They’ve been unified for several years now.

If your app store licence relapses, Apple pull all your products.

That’s an App Store policy. It doesn’t affect notarized apps distributed on Steam or elsewhere.

To be clear, while Windows doesn’t “require” signing, you’ll get a big scary red “don’t use this app it’s probably evil” warning if you attempt to distribute an unsigned Windows app not via Steam, e.g. if you try to launch it on anybody else’s machine. (It’s hard to even discover where the “continue anyway” button is. The default “OK” action on that dialog just closes the app entirely.)

Valve has signed their own Steam app (naturally) and their signature allows them to install apps on Windows that don’t launch that scary “beware” dialog. (It doesn’t work that way on macOS, which is why you have to notarize your own apps.)

So, if you can get your app on Steam, and you don’t care about distributing your app/game outside Steam, just shipping via Steam is likely the easiest path forward for you.

2 Likes