Multiworld Software

Code signing certificate

We believe that 200$/year is a small price for your security; that's why, thanks to all our generous Patreon backers, we purchased a code signing certificate (our website is also served exclusively over https so the NSA won't know you're playing porn games). Code signing assures you that the shoot'em up game you just downloaded really was made by Multiworld Software, and that the code hasn't been tampered with since we published it.

Code signing certificates guarantee identity, not trust. Windows has a feature called SmartScreen, which uses a variety of signals to evaluate the reputation of software, including its download history and popularity, anti-virus results, the reputation of the site it was delivered from, and more. Once Microsoft knows that Chaosrise.exe comes from us and doesn't harm your computer, we start gaining reputation and sooner or later that warning goes away.

Now, as you all remember, it took ages to obtain that damn certificate, and it was quite an adventure - though not one we'd like to repeat... When we purchased the certificate (right after we hit the goal!), we thought it was all ready to go - but it was just the beginning of the battle. The company issuing the certificate obtained all our company information, and then contacted us to say that we had to register in one of the online business directories, like 192.com or scoot.co.uk. Why the hell would they need that? We'd already registered the company on the official .gov company directory but, as we found out, their website doesn't list phone numbers. Why does it matter? Well, because the phone number is necessary for the certificate issuer to verify our company's identity.

Of course, we didn't have a phone number at all, because why would we? -_- Well, it's not like we can't have any - we just went and got one from Sonetel with a simple redirection to one of our personal numbers, and provided it to the certificate company. That wasn't nearly enough for them, though - that phone number must be on one of the online directories, not anywhere else.

So, uh, we registered on one of these and added the phone number (the company itself had already been there, probably obtained from the .gov directory). Can't even remember which one - but after we sent the link to the issuer, they finally provided us with a URL through which we could generate an automatic callback - and enter a verification code we got on that call. Easy? Not when your number can't seem to accept automated callbacks. Something must have been conflicting at some point (the redirection, perhaps?) and whenever we started the callback, we would get a message about it failing soon after.

After a couple of back-and-forths with the certificate company, we managed to organise a manual callback, but guess what - Sonetel had already disabled the number by then because we purchased the number by the end of the month and didn't set up automated payments for extending it. Yup, let's start all over again. Buy the Sonetel number, organise a manual callback... but then, we finally did it! A lovely lady provided us with a secret code, which I entered on a page generated for us and we got the certificate!

Email from Comodo
That banner with IE7 mentioned... it's almost 10 years old!

Or, to be more precise, my Google Chrome got the certificate. Why does it matter? Because, as it turns out, Google Chrome does not allow exporting that certificate's private key, which we need to sign the .exe. We contacted the certificate company again, and they informed us that we should be using some other browser, preferably Internet Explorer. Luckily, their control panel allows you to "update" the certificate and generate it anew, using some other browser.

We tried Firefox, Edge, Opera and IE. Each of them had different settings for the private key, but none of them worked.

We even set up a virtual machine with Windows XP, to ensure it wasn't some newer version of Windows preventing us from exporting the key. Nothing worked!

Because - guess what - it turned out that after updating the certificate, we had to organise a manual callback verification again. =____=

A couple of days later, equipped with the new code, we generated the certificate in IE and successfully managed to export it along with its key - with which GvS was finally able to sign our .exe!
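The check we wished we had run before each re-issue, as an added example that is not part of the original post: a PowerShell sketch that looks for the enrolled certificate, confirms a private key is attached, tries the PFX export, then signs and verifies the file. It assumes the certificate landed in the current user's personal store on Windows; the PFX path is hypothetical, and no timestamp server is passed because the post does not name one.

```powershell
# Added example. Assumptions: Windows PowerShell with the PKI module, and a
# certificate enrolled via the browser into Cert:\CurrentUser\My.
$pfxPath = "$env:USERPROFILE\codesign.pfx"   # hypothetical output path
$target  = '.\Chaosrise.exe'                 # file name taken from the post

# List code signing certificates and whether a private key is attached.
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)
$certs | Format-Table Subject, NotAfter, HasPrivateKey, Thumbprint -AutoSize

# Pick the newest certificate that actually has its private key.
$cert = $certs | Where-Object HasPrivateKey |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw 'No code signing certificate with a private key in this store.'
}

# Try the export. This is the step that fails when the key was generated
# as non-exportable, which is the symptom described in the post.
$password = Read-Host -AsSecureString 'Password for the PFX file'
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath `
        -Password $password -ErrorAction Stop | Out-Null
    Write-Host "Exported certificate and key to $pfxPath"
} catch {
    Write-Warning "Export failed, key is likely non-exportable: $($_.Exception.Message)"
}

# Signing straight from the store works on this machine even without a PFX.
# A timestamp server URL from the issuer would go in -TimestampServer.
Set-AuthenticodeSignature -FilePath $target -Certificate $cert `
    -HashAlgorithm SHA256 | Out-Null

# Verify what a downloader's machine will see: status and signer identity.
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) $($sig.StatusMessage)"
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
```

Keep the exported PFX and its password off shared drives and out of source control; anyone holding both can sign as you.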

![Installer before and after](/content/images/2016/08/before_after.png)

So, if you're planning on ever trying to obtain a code signing certificate, be warned that you're in for a hell of a ride. Or just read the above carefully and don't repeat our mistakes!

Sorry for the long post. Here's some porn.