Signing installers on macOS and Windows with the same certificate?

windows

#1

Is this possible? If so any advice on where to buy?

I was under the impression that Apple had locked the gates of the walled garden and it’s only possible to use their certificates for signing a .pkg installer. I may have misunderstood this restriction is only for apps distributed via the AppStore.

The cheapest certificate for signing Windows installers doesn’t say it can sign macOS, so I guess I’d be looking at one of the more expensive options if this is possible, in which case it’s about is the cost of a cheap certificate + Apple Developer membership less than the single cert :smiley:


#2

While I’m not 100% sure, I don’t think it’s possible. Microsoft likes their own and Apple like their own. I use the Apple Developer installer certificate for the Mac and I got a Comodo certificate for Windows from K Software (ksoftware.net). Nice guy and helpful.

Hope that helps.


#3

I’ve spent a lot of time on this, and as far as I can tell, it isn’t possible; Apple products can only be signed with the Apple cert, and the Apple cert can not be used on Windows products.

Currently, we don’t bother signing the Windows side, and I know a lot of devs that also don’t bother. I generated a self-signed cert on the Mac to use for the Windows ProTools build. But that K Software cert is probably the way to go.


#4

This is exactly what I thought.
A little search now just gave me this info “Note: You can use a DigiCert Code Signing Certificate (standard and EV) to sign your Mac OS software, tools, updates, utilities and applications. However, if you want your apps to open on a Mac that has Gatekeeper enabled or want to distribute apps in the App Store, you need to create a developer ID to sign your Mac apps and installer packages; only Apple Developer code signing certificates are compatible with GateKeeper.”
This all came about from a misunderstanding about using a Comodo cert to sign AAX plugins on macOS, but I was still thinking we were talking about installers and then he disappeared from the Discord chat before I could get more info!


#5

agreed. Signing on Windows doesn’t seem to be something end users are that bothered about


#6

It’s certainly less “required” on Windows but I’m always slightly suspicious of unsigned installers, especially from large companies as it’s pretty easy to do on Windows…


#7

Yeah, a large company that can’t even find ~$80/year for a certificate is being a bit too tight with the purse strings!


#8

IMO not signing installers sends out the wrong message to a potential customer about the attitude of the business / developer.


#9

Yeah, that’s my point. It’s more like “if you can’t be bothered to sign installers, how much effort are you putting in to your code/security/data protection etc.”


#10

I’ve actually started signing after nasty security warnings.
It does seems to help. though it’s more important to make sure your Installer executable is signed. if you just provide DLLs (aka .vst3) then you shouldn’t bother.

For installers it does help. but to be honest, less than I would’ve expected…

@richie - there’s no single certificate.
You’ve got one for Microsoft, and an Apple Developer Membership.
If you’re a small indie developer I’ll postpone it, until it becomes worthy - at least on Windows.