Digital Signatures

Started by sspears, March 15, 2007, 08:23:23 PM


sspears

My question is prompted by a recent Vista experience.  All of my applications show up with the Windows security shield over my icons which is annoying.  Of course, Vista says this is an unknown software (Cancel or Allow) when I run it.    :o

What do I need to do to make the white list or whatever it is?  I'm sure money is involved but where do I start and does EBasic support this type of digital signature?  Anyone else running into this?


Brice Manuel

March 15, 2007, 11:38:29 PM #1 Last Edit: March 15, 2007, 11:47:16 PM by Brice Manuel
For that, you would need a digital signature.  Depending on what company you go with (you do want a reputable one), the cheapest is likely around $200 up to $1000.  I think the $400-$500 range might still be the "norm".

It is worth noting that if you are writing a game for Vista, in addition to the digital signature, if you want your game to be "fully" compatible with Game Explorer, you will need to acquire an ESRB rating which is EXTREMELY expensive.

If you are in the USA and selling your software (running a business), you should check with your CPA as these fees for digital signatures "should be" legitimate business expenses.

For us who are retired and just make games for fun, well, you've heard the expression "up the creek without a paddle".  We have the paddle, we are up the creek without the canoe in class 6 rapids :'(  We can't afford to "officially" support Vista.

Zen

You could always generate a self-signed certificate to sign your programs with, however it will still warn people as the certificate has not been signed by a root certification authority, but it may suppress some warnings, I don't know as I have not yet tested it on Vista.

Lewis

sspears

Thanks for the replies.  I checked into the link Brice posted and finally gained some understanding of the process.  For those that don't know, I will post what I found out.  Basically, I had no idea what the mechanics of 'signing' were so that's what I was looking for info on.  It turns out that there is an exe file called 'signtool.exe'.  This file takes a unique 'private key' file and merges or imprints that file on your executable.

So the syntax is something like 'signtool sign /k c:\mykey.pvk c:\myexe.exe'.

In the example, mykey.pvk is your unique key file and myexe is whatever file you wish to sign.  Here is a link for more detail:
http://msdn2.microsoft.com/en-us/library/aa387764.aspx

Getting the files:
I purchased the private key from www.thawte.com which is a VeriSign company.  It was $200 for one year.  You just purchase it online and they push the key file to your browser and ask you to save it on your hard drive.  The validation consisted of them calling me on my phone (automated voice prompts) and clicking on browser links.  They display a PIN number you must punch into the phone keypad.  This verifies the phone number you gave.

Then they call a public record number for your company and repeat the process.  Basically, you must be reachable on that phone number as well.  If you are not a large known company then they have some other way to validate you.  Mission accomplished.  ;D

Oh, yeah, one other thing.  I didn't have the signtool program.  To get that you must download the Platform SDK from Microsoft.  There may be other ways but I couldn't find it.  It's about 400Meg so it takes a bit to download depending on your connection.  I hadn't finished with this part before it was time to quit for the day but hopefully on Monday it will be downloaded.   :)

Overall the hardest part was locating the signtool program.  Hopefully I got that and will post a final thought on this next week.