Why Spaz isn’t “signed”

[Image: "Enron Corp. Stock Certificate"]

We don’t sign Spaz with a code-signing certificate issued by one of the four (as of this writing) certificate authorities that Adobe accepts for AIR applications. This means that when you install Spaz, you get a scary “Publisher: UNVERIFIED” warning. Here is why we don’t sign, from a letter I wrote when asked about it in Spring 2008:

If I sign Spaz with a paid-for Thawte cert, I am on the hook every year for a Thawte cert. I can’t change my cert signer or go back to a self-signed cert without breaking auto-updating (at least as I understand it), and I’m therefore locked into a $300 expense every year. That’s not terrible for a commercial app backed by a company, but it’s a pretty significant chunk of change to lay out for a free, open-source app developed by one person as a hobby.

I’m familiar with how certs work, and how Thawte handles certification as compared to other, less expensive cert vendors. Were I convinced that Thawte did some kind of verification process/background checking on the applicant I could see the value, but at least with SSL certs, they certainly didn’t do anything more than vendors who donate free certs to EDUs.

Currently, there are 3 other CAs in addition to Thawte, and the prices range between $180 and $300 per year. Some of these CAs do seem to do a little more background checking. Still, the same arguments apply, especially the one related to cost.

Spaz doesn’t generate revenue, and relies on donated time from myself and a handful of other generous folks. Committing to a yearly expense in the hundreds of dollars seems unwise.

If this is something you would like to see change, I’d encourage you to ask Adobe to make code signing a realistic option for Free, Open-Source Software like Spaz by providing certificates free-of-charge – after a reasonable review process – to projects like ours.

  • Anthony V
    http://hypem.com
    03/12/2009 09:53:35 PM

    I get that this is an OSS project and that it’d be an expense regardless, but why not get a GoDaddy one? I think it’s much cheaper than $300/yr, which is pretty steep.

    I think there are a few others that offer heavily discounted certs that still validate well across a wide set of browsers/etc

  • funkatron
    http://funkatron.com
    03/12/2009 10:11:46 PM

    Ignoring that I’d sooner eat my own poo than buy something from GoDaddy, it’s because code signing certs for AIR are only accepted from the four CAs I mentioned above. And, as I mentioned above, the least expensive option is $180 per year.

    See this as well: Java Code Signing Certificates…same as SSL Certificate?

  • Anthony V
    http://hypem.com
    03/12/2009 10:14:29 PM

    Ahhh, didn’t realize so few CAs were accepted by AIR. Sneaky Adobe!

    Hey, may check out your security talk @ SXSW, heading there tomorrow!

  • funkatron
    http://funkatron.com
    03/12/2009 10:34:44 PM

    Awesome, please come up and chat if you do!

  • 7Zark7
    http://7zark7.com
    03/12/2009 11:01:11 PM

    It sure doesn’t seem like they want to encourage open-source apps, then. That’s a shame, since I would think the cross-platform aspect of it would be very appealing to people who also tend to like OSS solutions, such as Linux users.

  • Christian Cantrell
    http://www.livingdigitally.net
    03/16/2009 12:17:17 PM

    Anthony,

    I don’t think there’s anything “sneaky” about what Adobe is doing. Adobe isn’t making any money off of developers purchasing certificates, so we have no incentive to require certs from specific vendors. As a developer myself, I completely understand not wanting to pay for a certificate, but unfortunately that’s the direction that the software world has gone in. Adobe didn’t invent this; we’re just adhering to current security standards.

    Christian