code signing certificates ...or how to ease the user?

klaus · July 21, 2015, 3:12pm

So until now we are in a closed alpha state meaning we know all our testers personally and they know us.

When you download our zip file with Chrome it will shout out with something along the lines of “this is an unusual download, do you really want to keep this file?” … mkay… It’s a zip file. In this zip file is an installer. When you run this installer the next complaint is just around the corner. “This file looks suspicious” Windows 10 says and you have to actively search the arrow where you can allow Windows to proceed starting the installer.

So, obviously we can’t leave it like that.

My web search suggests that cheapsslsecurity.com has the cheapest code signing certificates (comodo) - do you have any experiences with them?

Or do you know of another way to distribute your game with bundled JRE and installer, where the user doesn’t have to cope with this fear-inducing warnings?

My goal is to make it as easy as possible for the player to install and run the game afterwards.

How do you handle packaging?

princec · July 21, 2015, 6:51pm

I used Comodo before. It works, is all I can say.

Cas

Riven · July 21, 2015, 8:03pm

Signed code is safe, as these clumsy hackers are too fumbly with their purchased certificates. Certificate Authorities have this proven track record of little to no hackery and you rightfully owe them a hundred bucks a year for all the work that they do: allowing that match-three game to be launched with only one toe curling warning.

The future is the web-browser - consider that when purchasing your pricy code signing certificate. And no, there is no alternative than to suck it up and waste your hard earned money — only to see virusscanners jumping in, corrupting your properly extracted JRE. The future is in the web-browser, they say. Now sing along.

klaus · July 21, 2015, 8:10pm

[quote=“Riven,post:3,topic:55128”]
That actually happens?

[quote=“Riven,post:3,topic:55128”]
Maybe. But right now I doubt that real gamers like to play a game in the browser.

Riven · July 21, 2015, 8:19pm

Yes, that happens. At Puppygames we checked the hashes of all files against a known list, and hashes actually changed after a few seconds, or when the process launched the second time - especially with extracted DLLs. Virusscanners also tended to lock DLLs causing the JVM not to be able to load them. It’s misery, really.

Long story short: running integrity checks on your files is never a bad idea.

klaus · July 21, 2015, 8:47pm

oh my … so you say I should write a native windows app that runs before the java process actually spawns, so I can check the integrity of the files and tell the user to shut down the virus scanner? Oh, FML … I don’t wanna do that. That’s the kind of work in gamedev where a lot of time is spent for little output, but important nevertheless… :emo:

So what was your message to your players when you encountered that the hashes changed for the files?

princec · July 21, 2015, 9:43pm

“Use Steam”

Sad but true.

Cas