The “Code signed vs non-codesigned” poll


For a few months in 2017 I cast a poll to determine how interested users would be in a digitally codesigned version of QuickHash, in exchange for a small fee.

In recent years, IT security has got serious! Especially with Apple Mac OSX, iPhones, and with the introduction of Windows 10 a couple of years ago. No longer can you just download and launch any program you like on a modern computer operating system. If you are able to launch it at all, even on a domestic computer, you often have to click several “Are you sure?” and “Are you really really sure?” dialogues. And that is just for the home user. Let’s talk about commercial enterprises and governments. How much chance does anyone think they have of getting QuickHash used on a government system while it is unsigned? Next to zero. How much chance does anyone think they have of getting QuickHash used on a military system while it is unsigned? Zero. How much chance does anyone think they have of getting QuickHash used on a high end commercial enterprise system while it is unsigned? Very very little. So, simply because it is unsigned, many potential users cannot use the program (unless they know how to compile it themselves), even if they want to.

Added to that are the anti-virus and IT security software manufacturers like AVG, Kaspersky, Bitdefender and so on, which very often flag unsigned software as suspicious and sometimes immediately quarantine it! I was asked by a user once to add a new feature, which I did, and I sent him a beta copy of the executable to try. He got back to me to say he couldn’t run it because AVG had quarantined it straight away even though it was entirely safe. I assured him it was safe but understandably, he never got back to me. I suspect he thought I was some malicious code writer. Had I been able to code sign it, that would not have happened.

In addition, companies and governments can often buy something, but they cannot donate to something. So it is not sufficient to say “they can just donate”. Many companies and agencies cannot be seen to be donating to anything. They have to buy (procure) things and have an audit trail (an invoice or something) of their purchase. And if anything is free, it is often looked at as suspicious or too good to be true. Even if they are told they can compile it themselves, often they are not permitted to do so or are not allowed access to the tools needed to do so.

Lastly, and perhaps most importantly, in order for me to digitally sign QuickHash, I have to buy a code signing certificate. The cost of these varies but for a reputable certificate from a reputable certificate authority, a standard code signing certificate is about $180 per year, and that is not even an EV (Extended Validation) certificate. I bought mine from DigiCert for $240 and had to undergo a rigorous ID check.

So the situation we are in is this: operating system developers are pushing users (and forcing them in some arenas) to only download and launch digitally signed software from trustworthy locations. Even Debian packages have to be signed to be accepted into the Debian package management system (though I think free self-signed certificates may be acceptable there). Commercial, government and military outfits have to run digitally signed tools usually, and increasingly. In order to digitally sign software with a reputable certificate, the developer has to buy a code signing certificate. As it stands, I already give thousands of hours of my spare time to the development of QuickHash, as well as about £30 per month to run this website, but I’m not so generous that I’d also pay several hundred dollars per year to provide my users with a code signed copy in exchange for…nothing. I have mouths to feed as much as the next man. And at the end of the day, the user can always download the source code and compile it himself, or just use the free unsigned version (as has been the case since 2011), or he can buy the code signed version – it’s the convenience and security that is on offer here.

So, based on the download rate of the unsigned software, I wanted to establish roughly how much I’d need to charge for a code signed version of the program in order to recoup the cost of the certificate. And whether or not I’d even be able to recoup it at all. I’ve opted for £1.99.

That, ladies and gentlemen, is what the poll below, which has run on this website for several months, was for. And the results can be seen below.

[Figure: QuickHash Poll Result]

So, 53% of users are happy with the unsigned version and have no interest in paying for a code signed version. But, 36% said they would pay ‘an amount’ (that amount varying between £3 and £10). So a little over 1/3 of users would like, and would prefer, a code signed version. 1 in 3, in other words.

Now voting in a poll is very different to actually using one’s PayPal account to actually do the buying suggested; I realise that, so I am taking a risk doing this at all. But I am supposing that a really small fee of perhaps £1.99 might be a reasonable enough fee to enable users to enjoy the benefits of a code signed copy of QuickHash, and may enable me to recoup the few hundred dollars I will have to pay each year for the certificate needed to do the signing, not to mention the £30 a month I pay AWS to run this website. If I don’t manage to recoup it after the first year, then I guess I’ll just abandon the idea.

I hope that helps explain why I have decided to offer a code signed version of the program. It is not a means to benefit financially from the program which I have no doubt many will suggest, imply or infer.

On a final note, it is important that users understand what they are paying for. They are not paying for the software. That is still available, unsigned, as it always has been. They are paying for the privilege of security by buying a digitally signed version of the software that their computers know they can trust. And as such, it is hoped larger companies and government agencies may be able to roll out the tool across their networks. If you don’t care about having a digitally signed version, then just use the unsigned version as always; nobody is forcing you to buy it. But do not buy the signed version and expect some kind of consumer rights like you’d get when buying a car or a new fridge or a new jumper. The rights are the same as with the unsigned version: no warranty, use it at your own risk, it may not work as you expected or hoped or understood etc etc, as per the GPL2 license under which the program is released. And you can always compile it yourself if you’re really fussy.

February 4th, 2018 | News
