Tag Archives: software


What every software vendor needs to know about SHA1/SHA2 and digital certificates

Digital certificates are used to prove who authored a piece of software and that it hasn’t subsequently been tampered with. Starting with Windows XP SP2 you get a warning message if you download software that isn’t signed with an appropriate digital certificate. So most commercial software vendors digitally sign their software. We grumble about price gouging by the certificate vendors and the hoops we have to jump through to get a certificate. But, apart from that, the system seems to work tolerably well. However Microsoft have thrown a spanner into the works by deprecating digital certificates using the SHA1 algorithm. I only found out about this a few weeks ago from a fellow vendor’s blog. Thanks for nothing Microsoft. If you are using a digital certificate you purchased more than a year ago, it is probably SHA1. This post explains what this means for software vendors, based on my research so far. I am not an expert on this topic and things seem to be changing fast, so please let me know if there are any mistakes or omissions.

I don’t digitally sign Windows software, does this affect me?

No. But perhaps treat Windows unsigned software warnings with some skepticism until Windows software vendors sort this mess out. If you only develop for Mac OS X you can feel a bit smug (at least until the next time Apple nukes your development ecosystem from orbit).

What is SHA1?

SHA1 (Secure Hash Algorithm 1) is a cryptographic hash function that was used in digital certificates issued until recently. SHA1 was known to have weaknesses as far back as 2005. Microsoft (and Google) have finally decided that SHA1 is too vulnerable and SHA2 digital certificates should be used instead.

What happens if my certificate is SHA1?

If you signed your software with a timestamp before 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • It will be treated by Windows 7/8/10 as signed only until 01-Jan-2017.

If you signed your software with a timestamp on or after 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • It will be treated as unsigned by Windows 7/8/10 and you will get an ugly “digital signature is corrupted or invalid” error when downloading. If you don’t see this, it might be because you haven’t done a Windows Update recently (shame on you).

How do I know if my current certificate is SHA1?

  1. Right click on your most recently signed installer and select Properties.
  2. Click on the Digital Signatures tab.
  3. Select the signature and click on the Details button.
  4. Click the View Certificate button.
  5. Click the Details tab.
  6. Look at the Signature hash algorithm.
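
The same check can be scripted for every signed file in a release folder. This is an added example, not part of the original post; the function name Get-SignatureAudit and the folder path are hypothetical.

```powershell
# Added example: report the certificate hash algorithm for each signed file.
# Get-SignatureAudit and C:\build\release are hypothetical names.
function Get-SignatureAudit {
    param(
        [Parameter(Mandatory)] [string] $ReleaseDir
    )
    Get-ChildItem -Path $ReleaseDir -Recurse -File -Include *.exe, *.dll, *.msi |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate

            # Same value as "Signature hash algorithm" on the certificate
            # Details tab, e.g. sha1RSA or sha256RSA.
            $alg = $null
            if ($cert) { $alg = $cert.SignatureAlgorithm.FriendlyName }

            # First failing check wins; $null means nothing to report.
            $problem = $null
            if (-not $cert) {
                $problem = 'unsigned'
            } elseif ($sig.Status -ne 'Valid') {
                $problem = "signature status: $($sig.Status)"
            } elseif ($alg -match '^sha1') {
                $problem = 'SHA1 certificate'
            } elseif (-not $sig.TimeStamperCertificate) {
                $problem = 'no timestamp'
            }

            [pscustomobject]@{
                File        = $_.Name
                Status      = $sig.Status
                CertHash    = $alg
                CertExpires = if ($cert) { $cert.NotAfter } else { $null }
                Timestamped = [bool]$sig.TimeStamperCertificate
                Problem     = $problem
            }
        }
}

# Usage: list every file, then fail the build step if any file has a problem.
$audit = Get-SignatureAudit -ReleaseDir 'C:\build\release'
$audit | Format-Table -AutoSize
if ($audit | Where-Object Problem) { exit 1 }
```

Get-AuthenticodeSignature reports one signature per file, so this does not show whether a second signature was appended with /as.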

What should I do if my certificate is SHA1?

If your certificate hasn’t expired you should ask the company you purchased it from to issue you a new SHA2 certificate. They should do this free of charge. In the process they will revoke your SHA1 certificate, so you can no longer use it for signing. You should then use your new SHA2 certificate to double sign new releases (see below).

I have an SHA2 certificate, now what?

If you want a new release to be treated as signed on both Windows XP SP3/Vista and Windows 7/8/10 then you need to double sign the file for SHA1 and SHA2:

signtool.exe sign /f <pfx file> /p <pfx password> /t <sha1 timestamp server> /v <installer>

signtool.exe sign /f <pfx file> /p <pfx password> /tr <sha2 timestamp server> /fd sha256 /td sha256 /as /v <installer>

The Comodo SHA1 timestamp server is:
http://timestamp.comodoca.com

The Comodo SHA2 timestamp server is:
http://timestamp.comodoca.com?td=sha256

You can add a /debug flag for verbose output.

If you only want to support Windows 7/8/10, then you can omit the first line (but why would you?).

You can use chktrust.exe to check the signature:

chktrust.exe <installer>

Note that only version 6.3 and later of signtool.exe (which comes with Windows 8.1 SDK and is also available here) supports the /as flag.

I always sign the program, as well as the installer.

Can I double sign .msi files?

I have seen reports that .msi installers don’t support double signing. But I don’t use .msi installers, so I haven’t investigated further.

What happens to software I signed with my SHA1 certificate after the certificate is revoked?

Software you signed previously will not be affected, e.g. it will be treated as signed by Windows 7/8/10 until 01-Jan-2017.

How do I sign Windows XP SP1/XP SP2 software?

Windows XP SP1 doesn’t warn you if there is no signature, so you can ignore XP SP1. SHA2 signatures are not supported in Windows XP SP2. So you will need to have both valid SHA1 and SHA2 certificates to support XP SP2 and all the later versions of Windows. It’s not clear that certificate vendors will allow this. Also, how many people with Windows XP SP2 (an unsupported OS) are out there buying software? I won’t be bothering to support signing for XP SP2.

Does this affect SSL certificates as well as code signing (Authenticode) certificates?

I believe so. But I don’t have any SSL certificates, so I haven’t investigated further.

How does this affect signing of device drivers?

I understand there are some differences for device drivers. But I don’t create device drivers, so I haven’t investigated further.

What is the difference between SHA2 and SHA256?

SHA2 is a family of two similar hash functions known as SHA256 and SHA512. SHA256 uses 32-bit words where SHA512 uses 64-bit words.

How secure is SHA2?

Er, it was designed by the NSA. Supply your own joke.

I don’t have a digital certificate, where can I get one?

I got my Comodo code signing certificate from reseller codesigning.ksoftware.net. They have a good reputation, and are significantly cheaper than Comodo. I don’t have any business relationship with them beyond being a happy customer.

Anything else I should know?

Microsoft has reserved the right to move the SHA1 deprecation date forward from 01-Jan-2017.

Acknowledgements

Thanks to Nikos Bozinis for first alerting me to this issue and to Mitchell Vincent of ksoftware.net for fact checking this article.

Further reading

http://zabkat.com/blog/code-signing-sha1-armageddon.htm

http://support.ksoftware.net/support/solutions/articles/215805-the-truth-about-sha1-sha256-and-code-signing-certificates-

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx


Software products are *not* passive income

Some people dream of creating a ‘passive’ income that generates money on auto-pilot while they go and learn tango in Argentina, or whatever their chosen path to the top of Maslow’s hierarchy is. In my experience, a software product is a long way from being a passive income. I know lots of people who own software product businesses. I don’t think any of them regard it as a passive income either.

While on holiday I’ve run my own business from a laptop in less than an hour per day. But the business would start to suffer if I did this for more than a few months. Even if you are not adding new features, software products require significant effort to maintain. Sales queries need answering, customers need support and bugs need fixing. New operating systems will often break things in otherwise stable products (particularly on Mac OS X). And there is always admin stuff to do: tax, accounts and a hundred other things. Marketing also requires ongoing effort, whether it be in the form of A/B testing, newsletters, SEO, PPC or blogging. If you aren’t continually improving your product and marketing, then harder working competitors are soon going to start eating your lunch. You can hire people to do the work for you. But then you have to train and manage those people. And the most capable people have a habit of going off to start their own companies.

There may be some products that can generate passive incomes. Perhaps ebooks, training videos and mobile apps. But I expect they still need significant amounts of ongoing marketing effort if they are going to earn more than pocket money. Remember – if it sounds too good to be true, it probably is…


Confessions of a bad software entrepreneur

If you read blogs and forums and go to conferences you will soon pick up that there are a number of recommended ‘best practices’ for being a successful software entrepreneur. I don’t conform to many of them:

SaaS product

No. Both my products are desktop based.

B2B market

Not really. Most of my customers are consumers.

Funded

No. I bootstrapped the business from my own savings.

Subscription model

No. My licences are a one-time fee.

Beautifully designed responsive website

No! www.perfecttableplan.com converts well, but it is certainly not beautiful or responsive (a new website is on the way though).

Co-founder

No. Just me.

Delegation

No. I have delegated bookkeeping to my lovely and talented wife (who also proof reads this blog) but I don’t have any employees or virtual assistant and do the vast majority of things myself, including all the marketing, sales, programming, documentation and customer support.

Drip email campaign

No. One day perhaps.

Focus

Not really. I like variety. I have 2 products under active development and also do some consulting and training.

Social media campaign

No. I have long since given up on Twitter and Facebook as marketing channels.

Mastermind group

No. I do talk with my peers in forums, at meetups and conferences, but not in any structured way.

Started young

No. I was pushing 40 when I started my entrepreneurial career.

Endless growth

No. I can’t really grow the business much more without taking on staff or becoming a workaholic. But I am happy just to maintain the current level of sales. [1]

Exit plan

No. I haven’t given it any real thought. I am quite happy doing what I’m doing.

But…

My one-man software business has made me a nice living doing a job I enjoy for more than 10 years. So I guess I must be doing something right. There is no ‘one true way’ to be an entrepreneur. If you have a good product with good support and good marketing, most other things are optional.

[1] Added after suggestion by Tom Reader.

Technical Debt

Software products tend to build up ‘technical debt’ over time. Every bad decision, kludge and shortcut made to ‘just get it working’ makes the product more brittle and harder to change in the long run. Technical debt is very hard to avoid unless you know exactly what direction your product will take in the future (unlikely) and you can guarantee that the platform and libraries you build it on won’t change (even less likely). Like real debt, the longer you leave it, the worse it gets. Every so often you need to repay the debt if you want to keep your product healthy. Otherwise it will gradually degenerate into a Big Ball Of Mud.

My seating plan software has been developed continually for over 10 years now. I have done regular refactoring over that time to keep technical debt to a manageable level. For example, early versions of PerfectTablePlan were a bit lax about how memory was managed in the genetic algorithm. This shortcut wasn’t a big deal when the genetic algorithm was solving seat assignments for a few hundred people. But it became a performance issue when it was solving seat assignments for thousands of people. So I had to do a significant rewrite of the genetic algorithm. For PerfectTablePlan v6 I am going to have to rewrite all the remaining code that uses Qt3 classes, so that I can switch the codebase fully to Qt5. Oh joy! Thank goodness for the strong typing in C++. If I can keep the technical debt in check, perhaps people will still be buying PerfectTablePlan in another 10 years.

Technical debt is an inevitable consequence of the fact that software products are a ‘work in progress’ (including the software you are building on top of). The fact that software is never really ‘done’ can be frustrating, but it has its upsides. I was recently in the French mediaeval city of Laon, looking at their beautiful cathedral. I noticed that there were four and a half windows at one end of the transept. Four and a half? On further inspection it was clear that the builders had changed their mind part way through the build and then tried to cover up their mistake. It is still visible some 700 years later. At least we get the opportunity to correct our mistakes and our customers usually never know…


It’s great to be in the software products business

Those of us who own software product businesses sometimes grumble about what a difficult business it is. Although it’s indoor work with no heavy lifting, it has its frustrations: software piracy, customers who moan about paying a whole $0.99 for thousands of hours of work, buggy third party software, RSI, chargebacks and the catastrophic consequence of accidentally offending the great god Google, to name but a few.

But reading Kitchen Confidential brought home to me just what a hard business it is to run a restaurant. You have to make a major financial outlay to fit out the restaurant and kitchen. You have rent and staff salaries to pay every month, regardless of whether customers come or not. Staff turnover is generally very high in the catering business, so you are continually having to hire new staff. You have to deal with drunken, unreasonable and dishonest customers. Possibly also drunken, unreasonable and dishonest staff, who have ready access to sharp knives and boiling liquids. Theft by staff can be a real problem. You have highly perishable stock. If you don’t order enough, you have to turn people away. If you order too much, you have to throw away the excess or risk poisoning your customers. You have endless deliveries from suppliers, which you have to check to ensure they are the correct amount and quality. You have to keep the restaurant clean. Extremely long hours are standard. Even if you are doing well, you can’t seat more people than the restaurant can physically hold. A restaurant that has to turn people away Fridays and Saturdays might be empty on Monday. And success brings its own problems as you can only increase the scale of the operation by expensive and disruptive measures such as opening a new restaurant or moving venue. The relentless overheads of staff, rent and stock mean that cash flow is a huge issue. It’s no wonder that restaurants fail so frequently.

Running a software product business is pretty cushy by comparison. You can start your own software product business with just a PC and a generous dollop of time. Nearly all the issues related to manufacturing, suppliers, stock and shipping go away when you are dealing with electrons rather than atoms. If you do make a mistake, you can usually put it right just by making another release. The worst a disgruntled customer is likely to do is post a snarky comment on a forum or send you a nasty email. High margins and low overheads mean that cash flow is much less of an issue than for most other businesses. Software businesses also scale much more easily than other businesses. You aren’t tied to a particular location and don’t even need to rent an office building (billion dollar company Automattic has a fully distributed workforce and no company office).

The software business is a great business to be in!

 

7 Reasons Software Developers Should Learn Marketing

1. Improved career prospects

The intersection of people with development skills and marketing skills is pretty small. Being in this intersection can only help your career prospects.

Also an in-depth understanding of software is very helpful when you are marketing software, compared to a marketer who doesn’t really understand software.

2. It’s not rocket science

The basics of marketing boil down to:

  • Find out what people want/need/will pay for.
  • Get people’s attention cost effectively.
  • Communicate what your product does.
  • Choose the right price.

None of these things are as simple as you might think, if you haven’t tried them. But it’s not rocket science to become competent at them. Hey, if the average marketing person can do it, how hard can it be? ;0)

3. Less reliance on marketing people

If you don’t have any marketing skills then you are completely reliant on your marketing people to do a good job at marketing the software you have poured your soul into. Are you comfortable with that? How do you even know if they’re doing a good job?

4. Number crunching

Developers tend to be well above average in their analytical and mathematical skills. Online marketing tools such as Analytics, AdWords and A/B testing generate vast amounts of data. Being good at crunching numbers is a big bonus for some aspects of marketing.

5. It’s interesting

When I started out as a professional developer some 30 years ago, the thought of being involved in the sordid business of marketing would have appalled me. But, as I have got more and more involved in the marketing side of things, I have found it really rather interesting and creative. There is a lot to learn, including: pricing, positioning, customer development, segmentation, partnerships, email marketing, SEO, AdWords, social media and conversion optimization. I think of development as hacking computers and marketing as hacking humans.

6. Diminishing returns on development skills

The more time you spend as a developer, the better you are going to get at it. But you will run into diminishing returns. E.g. you won’t improve as much between your 9th and 10th year of programming as you did between your 1st and 2nd year. Learning a completely new skill avoids diminishing returns.

7. You’ll need it if you ever start your own software business

If you ever start your own software business you will quickly find that marketing skills are at least as important as development skills. So it’s a huge plus if you already have some marketing chops. Even if you have a VC sugar daddy who is going to give you enough money to hire marketing staff, you’ll still need some marketing skills to know who to hire.

If you are employed as a developer full time, I recommend you jump at any chance to get involved in marketing or go on a marketing course. I also run a training course for people wanting to start their own software business that includes a lot of material on marketing.