Software distribution, code signing, and me.

If you’ve installed Blackstar on any machines, you’ll probably have noticed that your web browser or the Windows SmartScreen feature seems to think it’s some sort of malicious software and warns you before it is installed.

This isn’t because of anything nefarious built into it, but because the software isn’t signed. What this means is simply that I’m an unregistered developer, and as such, not trusted by the wider software community.

The way around this is by purchasing a code signing certificate from a trusted vendor. They will vet who I am, verify that I am in fact me, and then allow my software to install with a less scary nag screen until I am finally trusted.

If I were to purchase an extended verification code signing certificate, this trust-building step could be skipped, but that costs several hundred dollars more than the regular certificate. It just won’t be feasible until this project can make some money, as I’m working on a shoestring hobbyist budget at the moment.

However, even the regular certificate is fairly pricey and still requires one of two things:

  1. I disclose my actual identity to anyone who downloads the software, which I’m reticent to do. Or,
  2. Register a business in my state and then purchase the certificate through that company, which has its own huge frustrating set of issues.

I have registered a DBA so I do not have to disclose my identity, but it may take up to 4 weeks. Currently this software is used by ... no one, so that likely won’t be an issue, but I just thought I’d try to give reassurances to anyone who wants to try it out.

If you do have any further questions, feel free to email me at [email protected].