
Code-signing, Gatekeeper, and Authenticode

Screensavers, identity, and software security in the modern era

Modern operating systems (beginning with Windows 10 and Mac OS X 10.10 Yosemite) are very careful to only run software that is "trusted". This trust is established by the author of the software signing the code with a digital signature, based on a certificate that was issued to the author's company after a thorough background check to establish a valid identity. Our editing software, iScreensaver Designer, is signed with such a certificate (issued to our parent company Xochi Media Inc).

iScreensaver lets you, the author, create a fully customized screensaver and screensaver installer program, complete with your own icons, text descriptions, images, and copyright information.

These custom modifications change data within the software application executables, so that every screensaver you build is unique. This is generally a good thing, as the end user of the screensaver software will see your name, your icons - your information.

Unfortunately, these modifications also prevent the screensaver installer software from being digitally signed with our corporate certificate. (If we were to sign it with our identity beforehand, when you built your screensaver, then the signature would be broken and the software application would not run at all).

So, when you build a screensaver installer using iScreensaver Designer, the final built software will be created without a digital signature.

This leaves you, the author, with two choices:

Option 1: No signature.
Option 2: Create your own digital signature.



Option 1: Deliver the software as-is, without a digital signature.

When a customer or end-user tries to install a screensaver that is not signed, they will usually be presented with one or more warnings like these:

[Screenshot: Mac OS X unsigned warning]

[Screenshot: Windows' Internet Explorer unsigned warning]

[Screenshot: Windows' Edge unsigned warning]

Solution: Bypass these warnings.

It is relatively easy to bypass these warnings - let your end users know ahead of time to expect the warning, and instruct them on the way to bypass the warning. These warnings are common to many software packages, and most customers already are familiar with the steps.

Important: when you bypass the warnings, you are allowing unsigned code to run on your computer, which in general is a bad idea. Users should only do this when they know and trust the software's source.

To bypass unsigned warnings on Mac OS X:

To bypass Gatekeeper checks, one can simply right-click on the installer icon and choose "Open", or hold down the Control key while clicking the icon and choose "Open".


There will then be a new window with the "Open" button enabled:


To bypass unsigned warnings on Windows:

To bypass Authenticode checks, one can choose the "I Understand the risk..." option and then choose "Run" from the second set of options.



With these two simple techniques, most of the problems of code-signing can be avoided. However, there are certainly situations where it's not feasible to take this approach. A better solution (but one that is much more expensive and technically demanding) is Option 2.



Option 2: Sign the screensaver installers with your own Digital Signature

For the best end-user experience, you want to have your screensaver installers digitally signed with your company's code-signing certificate. Although this could not be done for technical reasons using iScreensaver Designer 4.5, with the release of iScreensaver Designer 5 we offer full compatibility with modern digital signatures.

Please note that this process is technical, time-consuming, and costs money. Furthermore, it uses third-party companies, services, products and tools for which we cannot provide technical support. We will provide an outline of the steps and some suggested vendors, but many of the details will be up to you.

Code-signing 101: Step-by-Step Instructions

Code-Signing on Mac OS X

  1. Get a Mac running OS X 10.10 or later. You cannot code-sign Mac software on a Windows PC.
  2. Get an Apple Developer Account. This currently costs $99 per year. Enroll in the Apple Developer Program.
  3. Verify your identity with the certificate issuer. Typically this will require you to have a legal organization (such as an LLC, Corporation, Non-Profit, etc.) and cannot be done by an individual or sole proprietorship. This step can take several days to have your identity confirmed. You will want to make sure your company is listed properly in D&B (Dun & Bradstreet) and that you know your DUNS number. You may also need copies of corporate documents such as the Articles of Incorporation.
  4. Request your code-signing certificate from Apple, which is called a "Developer ID Certificate".

    Those are the hard steps. The next step is fairly easy:

  5. Once you have your Developer ID Certificate, you can sign your finished screensaver installers with a single command line:

    codesign -f -s 'Developer ID Application: XYZ Widgets Inc.' '/Users/john/Documents/iScreensaver Projects/MyScreensaverInstaller.app'

    ...replacing 'XYZ Widgets Inc.' with the name on your certificate, and supplying the actual path and filename for your built screensaver installer (keep the path quoted if it contains spaces, as the example path does).

Code-Signing on Windows OS

  1. Get a Windows PC running Windows 10 or later. You cannot code-sign Windows software on a Mac.
  2. Get a code-signing certificate. Numerous companies offer them, and current discount prices run about $100/year. We can recommend using certificates from these organizations:
  3. Verify your identity with the certificate issuer. Typically this will require you to have a legal organization (such as an LLC, Corporation, Non-Profit, etc.) and cannot be done by an individual or sole proprietorship. This step can take several days to have your identity confirmed. You will want to make sure your company is listed properly in D&B (Dun & Bradstreet) and that you know your DUNS number. You may also need copies of corporate documents such as the Articles of Incorporation.
  4. Retrieve your code-signing certificate from your vendor once it is ready. Important: use IE11 for this step and download your certificate on the same computer you will use for code-signing.
  5. Save the certificate and private key as a PFX format by following these steps in IE11:
    • Open IE11 on the same computer where you downloaded your certificate.
    • From the Tools menu, choose Internet Options.
    • On the Content tab, click the Certificates button.
    • Select the code-signing certificate you just purchased and downloaded (note: there may be several certificates in the list, be sure to choose the correct one).
    • Click the Export button.
      • Choose "Yes, export the private key".
      • Choose "PKCS#12.PFX" as the kind.
      • Check the box for "Include all certificates in the certification path if possible".
      • Create a certificate password (and remember it for later).
      • Export the file to your hard drive.
  6. Get the Windows SDK, which includes the 'signtool' command-line tool. The easiest way is to download the Windows 8.1 SDK, which can be used on Windows 10, directly from Microsoft: Download Windows 8.1 SDK.

    Those are the hard steps. The next step is fairly easy:

  7. Once you have your Certificate and SignTool app installed, you can sign your finished screensaver installers with a single command line:

    "C:\Program Files\Microsoft SDKs\Windows\v8.1\Bin\signtool.exe" sign /v /f MyCertificateAndPrivateKey.pfx /tr http://timestamp.comodoca.com/ /p myPassword /fd sha256 /d "My Screensaver Description" /du "http://mywebsite.com" MyScreensaverInstaller.exe

    ...replacing 'MyCertificateAndPrivateKey.pfx' with the name of your certificate file, changing 'myPassword' to the password you created above, setting the description and URL to your company, and supplying the actual path and filename of your built Single-File-Installer in place of 'MyScreensaverInstaller.exe'.
  8. Important note: currently, iScreensaver Designer 5 only supports signing the Single-File-Installer format. This provides a digitally-signed installer; however, the actual screensaver that gets installed will not be digitally signed. Generally this does not cause problems and the installation will be straightforward. However, if the user chooses the option to install the screensaver "For All Users" on their computer, they will see one additional UAC prompt, on which they must click "Yes".
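A quick way to confirm which of your built files actually carry an Authenticode signature (the Single-File-Installer after running signtool, versus the installed screensaver binary, which step 8 notes stays unsigned) is to look for the PE Attribute Certificate Table that signtool writes. The checker below is an added example, not iScreensaver's code; the sample PE image it builds is constructed inline with a placeholder in place of real PKCS#7 data, so it runs offline against no real installer.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the Attribute Certificate Table directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode signatures are PKCS#7 SignedData


def authenticode_entry(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if the file is unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:               # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:             # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None                  # empty directory entry: this is what an unsigned build looks like
    # Unlike every other data directory, this entry holds a raw file offset, not an RVA.
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size or off + size > len(pe):
        raise ValueError("malformed certificate table")
    return off, size


def build_sample_pe(signed: bool) -> bytes:
    """Constructed, headers-only PE32+ image (no sections) used as sample input for the checker."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    image = bytes(dos) + b"PE\0\0" + coff
    cert_table = b""
    if signed:
        blob = b"PLACEHOLDER-PKCS7"                                # constructed stand-in, not a real signature
        cert_table = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert_table += b"\0" * (-len(cert_table) % 8)               # entries are padded to 8 bytes
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(image) + len(opt), len(cert_table))
    return image + bytes(opt) + cert_table
```

Pointing authenticode_entry at the bytes of a real installer tells you only whether a certificate table is present; validating the signature and its chain is still signtool's job (signtool verify /pa), which is the check to run after signing.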