What is “signing”?
Signing is a cryptographic method for confirming that your code (i.e., your plugins or instruments) and your installers really come from your company and have not been tampered with by third parties since you built them. The technical methods behind signing are beyond the scope of this article, but the key takeaway is that signing gives your end users and their operating systems (macOS or Windows) a way to confirm that your code and installers can be trusted and installed safely.
Why do I need to do this?
Code that you intend to distribute to your end users must be signed because both macOS and Windows treat unsigned code as untrusted. This is done for the benefit and protection of end users: a valid signature lets the operating system confirm who published the software and detect any later modification, which makes it much more difficult for cracked or modified copies carrying malicious code (trojans, spyware, other malware) to enter an end user’s system under your name. This is a good thing and is common practice in modern software development. We strongly recommend it.
Note: While there are limited workarounds to install and run unsigned code (for example, when handing out builds to beta testers who know and trust you), the operating systems do not allow for easy installation and display warnings (Gatekeeper on macOS, SmartScreen on Windows) to discourage users. We strongly advise against releasing unsigned code to the public. Doing so makes your business look unprofessional, leaves your software open to modification by third parties for malicious purposes, and may damage your brand’s reputation.
“Code” vs “Installer” signing. What’s the difference?
When discussing signing, it’s important to differentiate between the code and the installer. “Code” refers to your virtual instrument or plugin whereas “installer” is the software that installs your code onto your customer’s computer. Both the code and the installer should be signed.
Installer Signing
At present, both Microsoft and Apple require signed installers for smooth software installation.
Code Signing
Currently, only Apple requires the signing of the code itself (Windows does not enforce this). Code signing is required on macOS in order to pass Apple’s notarization process, which also expects the signature to carry a secure timestamp and the hardened runtime to be enabled. Without notarization, Gatekeeper refuses to open the software by default on macOS Catalina (10.15) and later.
How do I get my Code Signing certificate?
To sign your code, you’ll need an account with a Certificate Authority (CA) that verifies your identity and issues your digital certificates. The Certificate Authority acts as a trusted third party that both you (the owner of the code) and your customer’s computer rely on to confirm that a piece of software really comes from you.
macOS:
If you are developing a product for macOS, Apple is your Certificate Authority. You’ll need to enroll in Apple’s developer program (https://developer.apple.com) to get your certificates. Apple issues separate Developer ID certificates for the two jobs: a Developer ID Application certificate for signing your code and a Developer ID Installer certificate for signing your installer package. Both come from the same developer account.
Windows:
Many Certificate Authorities around the world can issue the code signing (Authenticode) certificate used to sign the installer of your Windows-based product. One that we can recommend is DigiCert; see the write-up on how to acquire a code signing certificate with DigiCert. Note that since June 2023 the industry rules for code signing certificates require the private key to be kept on a hardware token or in a CA-hosted signing service rather than in a plain file on disk, so expect to receive a USB token or cloud signing credentials from your CA and plan your build machine setup around that.
When should I sign up?
We recommend signing up with your Certificate Authority at least 1-2 months before the launch of your first product. We have heard from our customers that this process can take a month or more, so be sure to start the process well in advance of your expected launch date to avoid delays.
Note that this initial sign-up is a one-time event. Once you have a certificate issued by your Certificate Authority, you enter the same certificate details in Gorilla Compiler when building new products or launching updates to existing products. Other than renewing the certificate before it expires (see below), there is generally no need to go back to your Certificate Authority or change anything unless your business details have changed.
What happens if my certificate lapses?
It’s important to renew your certificates on time for as long as you plan to sell new products. If your certificate expires, the code signing step fails and builds of new products or updates will not complete successfully.
Note that any code that was signed while your certificate was valid continues to install smoothly on your customers’ computers, provided the signature carries a trusted timestamp; Windows in particular treats an untimestamped Authenticode signature as invalid once the certificate has expired. Only new code (such as new products or updates to existing products) will fail this process.
What do I do once I have a certificate?
Once you have your certificate from your Certificate Authority, the rest of the process happens inside our Gorilla Compiler.
Launch Gorilla Compiler and select the Code & Installer Signing tab from the left. Enable code and installer signing by checking the “Enable” box at the top of the tab and enter your information below. Detailed instructions are included near each field to help you if you are not sure.
To see if installer signing succeeded on Windows, right-click the installer, select Properties from the context menu and check the “Digital Signatures” tab: it should list your company as the signer and show a timestamp. On macOS the Finder does not show this information; check the plugin bundle from Terminal with codesign, and the installer package with pkgutil and spctl.
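As an added example (not part of this article or of Gorilla Compiler), here is a small POSIX shell script that performs the macOS checks from Terminal after a build. It assumes Xcode’s command line tools are installed (for `xcrun stapler`), and the build output paths, product names and team ID in the comments are placeholders.

```sh
#!/bin/sh
# Added example, not part of Gorilla Compiler: post-build checks for a
# Developer ID signed plugin bundle and its installer package on macOS.
# Paths, product names and the team ID used in comments are placeholders.

# Dump the signature report for a bundle or binary. codesign prints this
# report on stderr, so merge it into stdout for parsing.
signature_details() {
    codesign -dvv "$1" 2>&1
}

# Check a signature report for the three properties a public release needs:
#   * an Authority line from a "Developer ID Application" certificate
#     (an "Apple Development" certificate only works on your own Macs)
#   * a Timestamp line, so the signature stays valid after the certificate expires
#   * the hardened runtime flag on the CodeDirectory line, which notarization requires
# Returns 0 when all three are present, 1 otherwise, naming what is missing.
check_signature_details() {
    details=$1
    rc=0
    if ! printf '%s\n' "$details" | grep -q '^Authority=Developer ID Application:'; then
        echo "missing: Developer ID Application certificate in the chain" >&2
        rc=1
    fi
    if ! printf '%s\n' "$details" | grep -q '^Timestamp='; then
        echo "missing: secure timestamp (sign with --timestamp)" >&2
        rc=1
    fi
    if ! printf '%s\n' "$details" | grep -q '^CodeDirectory .*flags=[^ ]*runtime'; then
        echo "missing: hardened runtime flag (sign with --options runtime)" >&2
        rc=1
    fi
    return $rc
}

# Release gate for the plugin bundle itself (.component, .vst3, .aaxplugin):
# strict structural verification of every nested binary, then the report checks.
verify_plugin_bundle() {
    bundle=$1
    codesign --verify --deep --strict --verbose=2 "$bundle" || return 1
    check_signature_details "$(signature_details "$bundle")"
}

# Release gate for the installer package: the package signature, the same
# Gatekeeper assessment a customer's Mac performs on installation, and the
# stapled notarization ticket that lets that assessment succeed offline.
verify_installer_pkg() {
    pkg=$1
    pkgutil --check-signature "$pkg" || return 1
    spctl --assess --type install --verbose "$pkg" || return 1
    xcrun stapler validate "$pkg"
}

# Usage: sh verify-signing.sh build/MyInstrument.component build/MyInstrument.pkg
if [ "$#" -eq 2 ]; then
    verify_plugin_bundle "$1" && verify_installer_pkg "$2"
fi
```

The report checks are the part most worth keeping in a release pipeline: `codesign --verify` happily accepts a build signed with a development certificate, without a timestamp, or without the hardened runtime, and each of those only shows up later as a notarization rejection or as a Gatekeeper warning on a customer’s Mac.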
Note: We do not access or store any of your sensitive certificate details. This information is always stored locally on your computer and is never transferred over the Internet when you use Gorilla Compiler to build a plugin.
What if I get stuck?
If you are having trouble with code or installer signing, contact us through our Gorilla Engine help desk. We’re here to help!