It's Coming!!!

Sectigo is offering a "bargain" (not nearly as good as SetupBuilder's)
to help the transition to hardware key storage.

Even if your certificate still has some time left on it, it's worth
considering renewing it (with SetupBuilder prices) prior to the
hardware requirement that begins on June 1.

As if code-signing certs weren't already enough of a
pain-in-the-asterisk

The
"bargain"](https://sectigo.com/ssl-certificates-tls/code-signing-campaign
)

From Sectigo's website:
>What is Changing?
>
> As of June 1, 2023, all Code Signing Certificates must comply with the new CA/B Forum regulations to ensure that the subscriber’s private key is generated, stored, and used in a suitable FIPS-compliant hardware.
>
> We recognize this requires customers to commit to a heavy lift. Between now and April 24, 2023, you can purchase Sectigo OV Code Signing certificates and lock-in the use of software-based Code Signing certificates for the next three years and will not be required to switch to a hardware-based token during that time. At the end of your 3-year certificate, Sectigo will ship a free FIPS-compliant token with an extra 12 months of OV Code Signing Certificate validity to you.

On 29 Mar 2023 18:26:04 -0400, Kelvin Chua wrote:

Hi, Kelvin,

I renewed mine in January. It was a REAL PAIN this time.

I was going to write up the experience; but because everything will
change in a couple of months decided it wasn't worth the effort.

I did, however, explain here what I needed to do:
https://clarionhub.com/t/codesigning-need-alternative-to-comodo/5802/16?u=jane

You should put in a ticket and push them. Things will not happen
automatically.

jf


>I placed my order with Comodo on Friday ,10 March ,2023-05:46:53 PM
>under discount offerred by SetupBuilder.
>
>Until today, I have not receive my certificates.
>
>Thanks.
>
>Kelvin Chua
>SINGAPORE
>

Hi Jane,

I submitted 3 tickets so far, no one responded at all.

I will try to purchase other certificates next time, it is really hell
to me; they simply don't bother at all.

Thanks.

Kelvin Chua
SINGAPORE

Kelvin,

Did you try telephoning them? I phoned them multiple times. Don't
try on weekends because you'll probably get somebody who can't do
anything.

I think this is the number I used:
International: +1 (914) SECTIGO (732-8446) and then press the option
for "order validation".

jf

Hi Jane,

Will try calling them tonight.

Thanks.

Kelvin Chua
SINGAPORE

Did you get your certificate, Kelvin?

Jane Fleming

Hi Jane,

On 3/29/2023 15:52 PM, Jane Fleming wrote:
> Sectigo is offering a "bargain" (not nearly as good as SetupBuilder's)
> to help the transition to hardware key storage.

Is that the $498 with up to 29% off with multi-year? And $40 for
"standard shipping"? So what does it take to start a code signing
certificate business? Most lucrative "business" on the planet these days!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

And... no one answer emails...no cost!

Kelvin Chua

So you bought the 4 year certificate at $798, is that correct?

And thanks for the info.

Ray Rippey
VMT Software

On 3/29/2023 1:52 PM, Jane Fleming wrote:
> FIPS-compliant hardware.

NO!!
I bought the $200 three-year SetupBuilder certificate in January (no
hardware token).

Just reminding people that the no-hardware option will shortly
disappear :-(

jf

On 05/04/2023 17:28, Lee White (Lodestar Software) wrote:
> Andre,
>
>> If what you listed is taking you five
>> years to develop, with respect, something is wrong somewhere.
>
> WOW! You don't have any ongoing projects?!

No bespoke projects here. But our main project is for the vertical
market that has been ongoing for 40 years with a new build each week
that includes new functionality. But it does not take five years to
include functionality that can take weeks or perhaps even days or hours.
And that was my point.

>> RDP protocol is a major security risk.
>
> I've done tons of work on client servers using RDP. Granted it was
> also across a VPN but who doesn't use one of those these days?

Folk who have moved on from this and now use web apps and native mobile
apps using soap and rest services. In many cases VPN's [also not secure
enough] have proved painfully slow and problematic - a last resort.
Really, the world at large has moved on from desktop ONLY. And count
yourself lucky if you have not yet had RDP or VPN hacked. It is a
favorite point of intrusion.


I still do client work on their servers using RDP and VPN but the
protocol should preferably not be used for end user access.

Andre Labuschagne

Andre,

> > WOW! You don't have any ongoing projects?!
>
> No bespoke projects here. But our main project is for the vertical
> market that has been ongoing for 40 years with a new build each week
> that includes new functionality. But it does not take five years to
> include functionality that can take weeks or perhaps even days or hours.
> And that was my point.

But you missed mine or else that project has taken over 40 years to
complete.

I've never ever seen a software project that was ever complete. If it
wasn't an ongoing process it would falter and become useless. This was
in reply to your reply to Arnor and the project he's still moving
forward even after 5 years.

> >> RDP protocol is a major security risk.
> >
> > I've done tons of work on client servers using RDP. Granted it was
> > also across a VPN but who doesn't use one of those these days?
>
> Folk who have moved on from this and now use web apps and native mobile
> apps using soap and rest services. In many cases VPN's [also not secure
> enough] have proved painfully slow and problematic - a last resort.
> Really, the world at large has moved on from desktop ONLY. And count
> yourself lucky if you have not yet had RDP or VPN hacked. It is a
> favorite point of intrusion.
>
> I still do client work on their servers using RDP and VPN but the
> protocol should preferably not be used for end user access.

You missed my point. I've worked on projects on a clients server where
they wanted everything to remain local during production. I, and many
other Clarion developers, working in tandem on the same project. Not
referring to a finished program running anywhere although that project
was for desktop use since their clients didn't need nor want anything
other than desktop.

The entire world has NOT moved away from desktop! Your customer base
may have but I do desktop only work and the lights are still on!<g>

--
Lee White

RPM Report Preview: http://www.cwaddons.com/products/rpm/
Creative Reporting: http://www.CreativeReporting.com

Hydrogen, the only CLEAN fuel and the future of clean air.

I don't understand the argument; it's like two brain surgeons
arguing who has the better tools. The solution is the advantage,
not the tools.


--
John de la Torre
CA, USA

"Lee White (Lodestar Software)" <svng_REMOVE_THI
S_@_AND_THIS_lodestarsoftware.com> Wrote in message:r
> Andre,> > WOW! You don't have any ongoing projects?!> > No bespoke projects here. But our main pr

John de la Torre,

> I don't understand the argument; it's like two brain surgeons
> arguing who has the better tools. The solution is the advantage,
> not the tools.

Andre mentioned 5 years to write a solution, I simply pointed out
that, knowing Arnor, it was an ongoing project being updated over a 5
year period, not that it took 5 years to complete.

Personally I don't have a preference what others use or how fast they
can create programs or what platform their products are aimed for. I
just know I have a preference for desktop applications which are the
preferred targets for the contracts I've had over the years. And, yes,
I prefer Clarion since it does everything I need and creating viable
programs is fast.

No arguments, just opinions between developers.

--
Lee White

RPM Report Preview: http://www.cwaddons.com/products/rpm/
Creative Reporting: http://www.CreativeReporting.com

Hydrogen, the only CLEAN fuel and the future of clean air.

I'm not sure what is happening. It made me change my password, then I
logged in. Then it only gives me an option for 3 years and is $519.00. I
must be missing something. Also I guess I have to get my certificate
using IE. I guess I'm not getting the discount.

Ray Rippey
VMT Software

On 05/04/2023 19:28, Lee White (Lodestar Software) wrote:
> The entire world has NOT moved away from desktop! Your customer base
> may have but I do desktop only work and the lights are still on!<g>

Present continuous tense - they are moving ever more off LANs and WANs
and into the cloud. Yes, there are some industries that are lagging but
in the end resistance is futile. The great thing about AS is that you
can write for the desktop and only serve the app in a browser. You get
the best of both worlds.

Projects are never complete. You are either in a bespoke or vertical
market. In either case the project is never complete. This applies to
all software including operating systems etc.

Andre Labuschagne

Hi Jane,

On 3/30/2023 14:36 PM, Jane Fleming wrote:
> Just reminding people that the no-hardware option will shortly
> disappear :-(

When I go via Lindersoft, it shows the price for 3 years at $200. But
when I log in, it shows the 3 years at $519. So I think that ship may
have sailed already. This is what I see on the Lindersoft site:

When I click on Order Now, I get this:

If I hit the order button there, using MS Edge, I get:

So, I think the ship of digital certificates has sailed at Sectigo (who
comes up with names like that - sounds like a bug!<g>)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Ray,

On 3/30/2023 16:01 PM, Ray Rippey wrote:
> I'm not sure what is happening. It made me change my password, then I
> logged in. Then it only gives me an option for 3 years and is $519.00.
> I must be missing something. Also I guess I have to get my certificate
> using IE. I guess I'm not getting the discount.

Same here. See my reply to Jane. I think this ship has sailed. I'm
good until November so I'll start saving up<g>

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

These people say Sectigo raised prices on March 7:

https://www.thesslstore.com/blog/code-signing-price-changes-as-cas-align-with-new-industry-standards/#:~:text=provided%20hardware%20token.-,Sectigo,for%201%20year)%20from%20%24179.

Jane Fleming

> Same here. See my reply to Jane. I think this ship has sailed. I'm
> good until November so I'll start saving up<g>

I think it is time to start delivering web apps that can run in a browser
or on a mobile device and just be done with desktop apps or app store/play
store apps.

One code base and none of the code signing, hardware BS, AV problems, etc.

Like the sage wisdom from "War Games" the only way to win is not to play!

Besides the next generation of computer users is not smart enough to know
the difference anyway!

:-)

Charles

--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)

www.clarionproseries.com - ProDocument, ImageEx, ProScan, ProImage, ProPath
and other Clarion developer tools!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
-------------------------------------------------------------------------------------------------------

I still don't understand the benefits of certificates! Maybe
hackers can buy certicates, too. Or they can hack other valid
certificates. Is this some kind of legitimate extortion; an
extortionware?


--
John de la Torre
CA, USA

798/4 is 199.50, 519/3 is 173.00.. $26.50 difference per year. So I
think I'm going the $798 route for just a little more money, and I get
the hardware usb in year 4. My current certificate expires in August, so
might as well get it done now.

Not sure what the link is, but I did see where Sectigo bought ComodoCA.
Once they get a monopoly all bets are off and we get raked over the
coals with no place else to go I guess. Still, a couple hundred a year
isn't too bad.

I'm with Arnor, these guys are making a good living.

Ray Rippey
VMT Software

Hi Ray,

On 3/31/2023 14:47 PM, Ray Rippey wrote:
> 798/4 is 199.50, 519/3 is 173.00.. $26.50 difference per year. So I
> think I'm going the $798 route for just a little more money, and I get
> the hardware usb in year 4. My current certificate expires in August,
> so might as well get it done now.

Where did you see 798/4? I only saw the $519 for 3 years... 798 for 3
millisecond of computer time and 5 milliseconds to write it to USB then
pay $40 to have said USB shipped.... Yeah, not bad business model<g>
Allegedly they do some checking, but I knew a guy who worked at Comodo
and his comment on it was that "none of us know what we are doing or
supposed to be doing" That gave me a really fuzzy and warm feeling
about code signing companies<g> In my experience if I just ignored
their requests they got tired of me and sent me the certificate. In one
case they sent it to me and the day after 2 or 3 different people
emailed me for additional information. Sorry guys, you slept through
that one!<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

The $798 was on the Sectigo website if you purchase 4 years worth, you
can have the software certificate for 3 years, then the dongle on the
4th year included. But, my understanding is you have to order before
April 23, as that is the last time Certificates and be purchased as
software... after that you have to go with the dongle. So if you wait
until November, then you have to get the dongle.

When I first got my first certificate is was a real PITA. I had to
establish a Dun and Bradstreet record, show my business license, get a
phone call. With Sectigo I think we're starting all over with the
verification again. I figure once I'm verified with them, it's just a
matter of money after that. I never had trouble with Comodo after the
first time... I hope it's like that with Sectigo. I guess the comment
from Comodo is why they had to sell out?

I know one thing for sure, if my potential customers download our demo
and it gives a warning about possible malicious software because it's
not code signed, I lose a lot more money than this certificate costs.

Ray Rippey
VMT Software

Hi Ray,

On 3/31/2023 16:36 PM, Ray Rippey wrote:
> Comodo after the first time... I hope it's like that with Sectigo. I
> guess the comment from Comodo is why they had to sell out?

Wouldn't surprise me!

> I know one thing for sure, if my potential customers download our demo
> and it gives a warning about possible malicious software because it's
> not code signed, I lose a lot more money than this certificate costs.

Absolutely! It's not like we have a choice if we want to stay in this
business! There used to be a word for this... Yes, extortion!<g>

BTW: How DO you get the software certificate? Do you have to use IE,
or how does that work now?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Charles,

1. I tested out .NET MAUI. Well... a bit slow in running.

2. Subsequently tested blazor. Fast but utilizes plain
html/javascript/css for display and doesn’t have any out of the box
components aside from what comes with the default app template.

3. Taking course on flutter and dart now. Flutter utilizes material
design, and comes with a ton of nice looking widgets. Flutter is the
platform and dart is the language. It is fast.

Thanks.

Kelvin Chua
SINGAPORE


On 4/1/2023 6:55 AM, Charles Edmonds wrote:
> On 31 Mar 2023 11:44:42 -0400, Arnor Baldvinsson wrote:
>
>> Same here. See my reply to Jane. I think this ship has sailed. I'm
>> good until November so I'll start saving up<g>
>
> I think it is time to start delivering web apps that can run in a browser
> or on a mobile device and just be done with desktop apps or app store/play
> store apps.
>
> One code base and none of the code signing, hardware BS, AV problems, etc.
>
> Like the sage wisdom from "War Games" the only way to win is not to play!
>
> Besides the next generation of computer users is not smart enough to know
> the difference anyway!
>
> :-)
>
> Charles
>

And then you need to buy https certificates.


--
John de la Torre
CA, USA

> 1. I tested out .NET MAUI. Well... a bit slow in running.

Thanks for the report!

> 2. Subsequently tested blazor. Fast but utilizes plain
> html/javascript/css for display and doesnʼt have any out of the box
> components aside from what comes with the default app template.

I've heard that about it too.

> 3. Taking course on flutter and dart now. Flutter utilizes material
> design, and comes with a ton of nice looking widgets. Flutter is the
> platform and dart is the language. It is fast.

What are you using (or planning on using) for the datatbase/backend?

Charles

--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)

www.clarionproseries.com - ProDocument, ImageEx, ProScan, ProImage, ProPath
and other Clarion developer tools!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
-------------------------------------------------------------------------------------------------------

I'll let you know. I just spent the $798... but on a Friday I won't
pursue it until Monday. I know I'm starting over for business
verification... so I've got to get that done before I get my
certificate. I'm curious if they need IE as well. I don't think I have
it on my Windows11 computer. Should be interesting. I just spent a
crapload of money with these people, I'm going to hold their feet to the
fire.

Ray Rippey
VMT Software

On 3/31/2023 3:37 PM, Arnor Baldvinsson wrote:
> BTW: How DO you get the software certificate? Do you have to use IE,
> or how does that work now?

> I still don't understand the benefits of certificates! Maybe
> hackers can buy certicates, too. Or they can hack other valid
> certificates. Is this some kind of legitimate extortion; an
> extortionware?
>
>

In the latest version of Windows 10 & 11, executable that are not code
signed cannot be run. You will have to switch off the UAC completely
and a couple of other settings...

Kelvin Chua

So clarion examples will not run unless code-signed. And the most
famous program "Hello World"?


--
John de la Torre
CA, USA

Hi John,

On 4/1/2023 10:51 AM, John de la Torre wrote:
> I still don't understand the benefits of certificates! Maybe
> hackers can buy certicates, too. Or they can hack other valid
> certificates. Is this some kind of legitimate extortion; an
> extortionware?

The Solarwinds hack was a perfect example. Russian hackers got into the
build servers and added malicious code into their code base BEFORE it
was code signed. The company essentially codesigned the hackers code
with theirs and this way they were able to gain access to government
agencies in the US and large companies like Microsoft and anyone else of
Solarwinds' 33,000 Orion customers!

Best regards,



>
>
--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

My point exactly. Code-signing after the hack is useless since you
don't know if you already got hacked. It used to, that CRC-check
was good enough. Maybe clarion's new compiler option can take
care of that issue.


--
John de la Torre
CA, USA

Precisely.

Kelvin Chua

So it's protection money...


--
John de la Torre
CA, USA

Hi Charles.

>> 3. Taking course on flutter and dart now. Flutter utilizes material
>> design, and comes with a ton of nice looking widgets. Flutter is the
>> platform and dart is the language. It is fast.
>
> What are you using (or planning on using) for the datatbase/backend?

Will use firebase for the time being.

Thanks.

Kelvin Chua
SINGAPORE

$798/4 (with "free" dongle "later") was in the link in my first post -
directly from Sectigo without Friedrich's discount. Click the "Add to
Cart" button to see the 4-year option.
https://sectigo.com/ssl-certificates-tls/code-signing-campaign

Jane Fleming

Hi Jane,

On 3/31/2023 15:36 PM, Jane Fleming wrote:
> $798/4 (with "free" dongle "later") was in the link in my first post -
> directly from Sectigo without Friedrich's discount. Click the "Add to
> Cart" button to see the 4-year option.
> https://sectigo.com/ssl-certificates-tls/code-signing-campaign

Right! Yes, I had been there before! Sorry, this is rather confusing
stuff ;)

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

Hi Charles,

> I think it is time to start delivering web apps that can run in a browser
> or on a mobile device and just be done with desktop apps or app store/play
> store apps.
>
> One code base and none of the code signing, hardware BS, AV problems, etc.

That's what I have been working on for my main client for the past few
years :) He runs all his Clarion programs for the big clients via
remote desktop, but you still have to code sign them.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

> I think it is time to start delivering web apps that can run in a browser
> or on a mobile device and just be done with desktop apps or app store/play
> store apps.

Hi Charles

Well, well, well.

The problem is quite simply the end user experience and especially the
deprecation of really nice functionality that is standard on the
desktop. Solutions that depend on web-based only in my view are toast.
Same with desktop only. And of course native mobile app only.

But Clarion has a cunning solution that is ever evolving - AS. Still
early days with some annoying stuff to iron out but it could be just
what the doctor ordered. In my view it solves the any device in most
circumstances for the sort of apps that Clarion programs deliver. But
it will never replace native mobile apps. Had those in production now
for about 8 years - a different concept altogether.

My guess is if you do not offer all three - desktop apps with the
desktop experience, so-called web apps and native mobile apps - you are
going to be toast, unless you are servicing an industry whose users have
not noticed the planet they are living on. Just like like John Cleese's
late mother who who lived through two world wars and major technology
revolutions without noticing any of it.

As for code signing - I see the benefits but it has turned into a racket
of sorts. Just been through the nightmare. Went for one year. I am
not sure that the hardware angle will pan out as they plan it to nor if
buying a certificate that spans many years will be supported after the
hardware thing is in play. I have seen this game before. There are a
few actors on the stage and they are in cahoots. Definition of a
techno-pessimist - a techno-optimist with loads of real life experience
- that is I - the singular perpendicular.

Cheers
Andre

> I lose a lot more money than this certificate costs.

If you are in a vertical market it is not an option. If your binaries
are not code-signed you come across as a back street operation.

Andre Labuschagne

On 01/04/2023 00:37, Arnor Baldvinsson wrote:
> There used to be a word for this... Yes, extortion!<g>

Indeed - two other things come to mind - the public mobile app stores.
Google not so much but certainly Apple.

Andre Labuschagne

> 1. I tested out .NET MAUI. Well... a bit slow in running.
>
> 2. Subsequently tested blazor. Fast but utilizes plain
> html/javascript/css for display and doesn’t have any out of the box
> components aside from what comes with the default app template.
>
> 3. Taking course on flutter and dart now. Flutter utilizes material
> design, and comes with a ton of nice looking widgets. Flutter is the
> platform and dart is the language. It is fast.

Too many dependencies that are shifting and moving and disappearing
parts. With all of these there is still serious deprecation from the
desktop experience. RIA is still the future. Running two apps, one on
the server and one on the client, underpins all these solutions, with
so-called AJAX in play and code and data moving in between the server
and the client and vice versa. Have apps like this in production for
about eight years now. It looks great in the classroom until tens of
thousands of end users get their hands on it. Any browser based
solution is extremely cumbersome fo the end user unless you have a
painfully simplistic program, on the user interface that is.

Just my experience in the trenches.

Andre Labuschagne

Hi Andre,

> The problem is quite simply the end user experience and especially the
> deprecation of really nice functionality that is standard on the
> desktop. Solutions that depend on web-based only in my view are
> toast. Same with desktop only. And of course native mobile app only.
>
I think that really depends on what kind of solutions they are. I use
several browser/web based only solutions that are fantastic and have no
desktop part and don't need it.

For the past few years I have been building a web application for my
client that includes among other things interfaces for Google Drive and
Gmail, PDF export of data, event calendars in PDF, as well as connection
via web service to his Clarion applications as well as data push via
CURL to web service on the site end to send data back and forth. Parts
of those will always be on a desktop - at least in the foreseeable
future and parts of it will always be on the web. The desktop
applications are all run via remote desktop and shortcuts on the user's
local machine, so essentially it all runs online, both desktop and
browser based :)

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

> I think that really depends on what kind of solutions they are.

Yes it does.

Sometimes I wonder if Clarion programmers are in a world of their own.
Most are not in the world that I live in. So what you say is 100% correct.

All the things you mentioned has zip to do with lots of data processing.
And all of what you mentioned is very quick to do [like in a few days]
with an excellent tool such as WX. We do it all the time. The problem
with browser based is that it is systemically broken and dysfunctional
for quick data processing and complex algorithms. I can give you many
examples where it just does not cut the mustard. Which is why AS is so
appealing and has so much potential.

And as for anything RDP based, even using the protocol, well, do not get
me started.

Andre Labuschagne

Hi Andre,

> All the things you mentioned has zip to do with lots of data
> processing. And all of what you mentioned is very quick to do [like
> in a few days] with an excellent tool such as WX. We do it all the time.

Great! I'll have my client contact you when he needs to get this
converted to WX!<vbg> I 100% guarantee you would NOT be able to do what
we have been working on for the past 5 years "in a few days"

> And as for anything RDP based, even using the protocol, well, do not
> get me started.

Seems to work fine. My client has been doing this for many years and
while it is a pain to get set up properly once it's done it's rock
solid. But it takes people who know what they are doing to make it
work! My client has been preparing to move to Azure for some of his
clients for MFA. It takes months to get this set up properly.

Best regards,

>
>
--
Arnor Baldvinsson
Icetips Alta LLC

> Sometimes I wonder if Clarion programmers are in a world of their own.
> Most are not in the world that I live in.
>

Correct.
Although use the word Market instead of world.

I have 2 major applications at this point. One makes no sense at all on
the web, the other no sense without it.


Sean H

>> All the things you mentioned has zip to do with lots of data
>> processing. And all of what you mentioned is very quick to do [like
>> in a few days] with an excellent tool such as WX. We do it all the time.
>
> Great! I'll have my client contact you when he needs to get this
> converted to WX!<vbg> I 100% guarantee you would NOT be able to do what
> we have been working on for the past 5 years "in a few days"

Be careful what you say or think you know. We have done exactly that
with WX. It is what RAD is all about. Thousands of built in functions
with hundreds of examples, for desktop, web apps and native mobile apps.
And direct access to the developers. No third parties required.
Until you have experienced the speed of development you are pretty much
in the dark on this one. I was. The hundreds of Clarion developers who
once used Clarion also were. If what you listed is taking you five
years to develop, with respect, something is wrong somewhere. Perhaps
the wrong tool(s)? BTW, there are plenty of WX developers who also have
Clarion in their arsenal. There is a saying in the WX world that if you
are taking long to get something done you are doing it wrong.

>> And as for anything RDP based, even using the protocol, well, do not
>> get me started.
>
> Seems to work fine. My client has been doing this for many years and
> while it is a pain to get set up properly once it's done it's rock
> solid. But it takes people who know what they are doing to make it
> work! My client has been preparing to move to Azure for some of his
> clients for MFA. It takes months to get this set up properly.

As I said, RDP has been cocked by most businesses we have contact with.
They will not touch it for security reasons alone. One of the reasons
why VPNs have been born.

But again, this is just our experience in a vertical market and seeing
what is going on in the market generally. If you have anecdotal
evidence with one customer those do exist. There are some wins and some
folk have got lucky. RDP protocol is a major security risk.

Andre Labuschagne

Andre,

> If what you listed is taking you five
> years to develop, with respect, something is wrong somewhere.

WOW! You don't have any ongoing projects?!

> RDP protocol is a major security risk.

I've done tons of work on client servers using RDP. Granted it was
also across a VPN but who doesn't use one of those these days?

--
Lee White

RPM Report Preview: http://www.cwaddons.com/products/rpm/
Creative Reporting: http://www.CreativeReporting.com

Hydrogen, the only CLEAN fuel and the future of clean air.

> Correct.
> Although use the word Market instead of world.

Correct - except I hardly come across any users these days in any market
who need at least some of what they do on desktop and web apps and
native mobile apps. And for many tasks native mobile apps will do just
fine. It is the power users who need the functionality and experience
of the desktop. So you have to mostly offer all three.

> I have 2 major applications at this point. One makes no sense at all on
> the web, the other no sense without it.

The sense is brought to the table by the users, not the developers.
That was a hard lesson to learn. Never dictate to your market. Never
have your vision restricted by your skill set or the tools you use.
Another hard lesson to learn. If you do not provide it there is a
competitor around the corner who will.

Andre Labuschagne

Same for me. I do have some of my clients wanting to access it on the
web. I partnered with a company that can host their program(s) for as
low as $99 for 2 to be able to access it. Plus it can run on Chromebook
and it runs fast. That's in addition to our monthly fee of course. We'll
see how this plays out. I think I have all of 2 clients using it. My
clients are repair shops so they are just fine with their software
running locally with no internet required. Some use it in their work
trucks so they don't have internet all the time.

If I really had to change, I would. But I don't want to. I really like
working on our software and improving it. I've been working on this
particular piece of software for 12 years. The previous software I
worked on was for video rentals, and I worked on it for 30 years... all
in Clarion from Dos to Windows 7. Then the bottom dropped out of that
market of course.

I'm old enough to think I can get away with just working on this until I
fall over.

Ray Rippey
VMT Software

On 4/6/2023 8:30 AM, Lee White (Lodestar Software) wrote:
> Personally I don't have a preference what others use or how fast they
> can create programs or what platform their products are aimed for. I
> just know I have a preference for desktop applications which are the
> preferred targets for the contracts I've had over the years. And, yes,
> I prefer Clarion since it does everything I need and creating viable
> programs is fast.

Hi Jane,

I had utilized the on-line chat and managed to liaise with them. They
asked for selfie, scanned copies of my ID, my company registration
information... but... still yet to receive the certificate.

Will remind them not to forget me again tonight.

Thanks.

Kelvin Chua
SINGAPORE

> I don't understand the argument; it's like two brain surgeons
> arguing who has the better tools. The solution is the advantage,
> not the tools.

The analogy does not hold. In the case of brain surgeons the patient
does not decide on the approach and tools to use. In the case of end
users of applications they get to decide on the solution they want - and
increasingly it is work from anywhere on the planet and on any device
and anytime of the day or night. And if a particular vendor does not
meet that demand then another will.

There a few things in life that you cannot avoid - death and taxes - and
now you can add to that offering software solutions in the cloud. You
can run but you cannot hide.

Andre Labuschagne

Well that was interesting and time consuming. I went ahead and paid for
the 4 year deal. I had to call them for each step during validation. I
handled it mostly by email. Giving them the money was easy though.

For validation, I called them, sent my DL, my face with my DL, and a pdf
showing the page for the state of Oregon having my business license.

Then, I called a day or two later and they finished the validation while
I was on the phone. (Press 2)

Then I fumbled around trying to convert the .crt and .pem files to a
..pfx file. I found a good website to download the openssl binary so I
didn't have to compile it. Unfortunately I can't remember which one, but
here is a wiki with links to binaries.

https://wiki.openssl.org/index.php/Binaries

I had to run the start.bat to get it to recognize the openssl command
from my directory. It can be run from the program files openssl-Win64
folder and it gets you to the prompt. Then change directories to where
your certificates are. The guy at Sectigo had me rename my .crt files to
..pem files. I don't know why.

Then I create a command in my scratch pad until I got it right... then
pasted it and ran it. It asked me for a password when I finally got it
working. The password doesn't display at all, so it's weird. Type it in,
press enter and type it in again. Don't forget it.

Finally got my pfx, tried it with setup builder under the tools, and the
sha1 certificate seems to expire in 2033. The sha2 seems to expire in 3
years and 3 months.

Hope this helps someone.. oh, and here are the command lines for
openssl. The first is the format, then the 2nd is what I actually used.

openssl pkcs12 -export -in /path/to/your/Certificate.pem -inkey
/path/to/your/private key.pem -certfile /path/to/your/CA bundle.pem -out
/path/to/your/mycertificate.pfx

openssl pkcs12 -export -in cert_69910.pem -inkey
VMTSoftware_cert_69910_key.pem -certfile cert_69910_ca_bundle.pem -out
vmtcertificate.pfx


Ray Rippey
VMT Software

What a nightmare :-(

Friedrich

They are vetting you, and you're giving confidential info to them.
Who is vetting these people?


--
John de la Torre
CA, USA

Ray Rippey <support@vmtsoft.com> Wrote in message:r
> Well that was interesting and time consuming. I went ahead and paid for the 4 year deal. I had to

Hi Friedrich/Ray

> What a nightmare :-(

I signed up a week ago. Got email Monday about sending documents. Did
all that and uploaded and they show in their online document list.
Tuesday I got an email almost identical to the one on Monday. Haven't
had time to deal with is, so I wonder if they need more. Just submitted
ticket as it is not clear (at least not to me) if they need more
information, if they couldn't validate the information, if they are
working on it, or what. I opted for the 4 year $800 - maybe I'll be
retired at the end of that! Well, it's the thought that counts, right?<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi John,

On 4/14/2023 13:58 PM, John de la Torre wrote:
> They are vetting you, and you're giving confidential info to them.
> Who is vetting these people?

Classic quis custodiet ipsos custodes!

I think they are vetted by the next level up - the issuers of the root
certificates. If I look at exe code signed by me, with certificate from
Comodo (I think it was still Comodo when I bought it...) it shows the
"Signer Information" as GLobalSign TSA and their certificate information
shows it's a 10 year certficate valid from May 23, 2016 to June 23rd
2027 ( so 11 years and 1 month - bit odd combination)

This page explains a bit about SSL certificates and root vs intermediate
certificates:
https://www.thesslstore.com/blog/root-certificates-intermediate/

Best regards,

>
>
--
Arnor Baldvinsson
Icetips Alta LLC

I had to call them. after I sent them my pic and dl, I waited 2 days and
nothing. So I called, and (press 2) and they validated me right there on
the phone and sent me an email for the phone call validation. Did that,
then actually had to call them to activate the download button... which
I did with them on the phone... etc.

Ray Rippey
VMT Software

Good thing they didn't ask for blood, urine, and underwear sample.


--
John de la Torre
CA, USA

Ray Rippey Wrote in message:r
> I had to call them. after I sent them my pic and dl, I waited 2 days and nothing. So I called, and

> Good thing they didn't ask for blood, urine, and underwear sample.

That comes with the USB model!

You just pee into an opening on it, prick your finger on the pointy end and
then plug it into your PC.

It auto-connects to their server and automatically downloads your certs
when they are satisfied that they have everything they need to ruin your
life!

Isn't technology wonderful???

:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)

www.clarionproseries.com - ProDocument, ImageEx, ProScan, ProImage, ProPath
and other Clarion developer tools!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
-------------------------------------------------------------------------------------------------------

> That comes with the USB model!
>
> You just pee into an opening on it, prick your finger on the pointy end and
> then plug it into your PC.
>
> It auto-connects to their server and automatically downloads your certs
> when they are satisfied that they have everything they need to ruin your
> life!
>
> Isn't technology wonderful???

LOL!

Techno-intoxication on steroids.

Andre Labuschagne

Provided them with selfie and photo shot of my ID.

Waited for more than a month.

Call them, asked them is it that I am too old and not handsome, that is
why they are still holding my certificate.

It is now that they mention I must be holding my ID before I took my selfie.

See, see. Now I really know how difficult to deal with them! In the
first place they simply have to tell me to hold my ID and take a selfie.

Darn idiot!!

Kelvin Chua

What is that, some kind of "proof of life "? It's not only
extortion but self-hostage taking. :-)


--
John de la Torre
CA, USA

Kelvin Chua Wrote in
message:r
> Provided them with selfie and photo shot of my ID.Waited for more than a month.Call them, asked th

> Darn idiot!!

ROFLMAO!

I can tell you it took me a week to get oe done - just recently. Zero
communication. Similar thing - they could not see something clearly.
But never told me! And they wanted this, then that, then this like
this, And then not that like this but and not this like not that.

And worse of all, there was a massive lost in translation over the
phone. I was dealing with a call centre in Manchester [UK] and the
person helping clearly was not native English language. Broken English
with a complete distortion of tenses and prepositions and basic grammar.
How I got through it only the universe knows. I may as well have
landed on a planet in a galaxy in another universe.

It does not have to be this way. It turns out that the help centre for
HP machines in Africa is in Tunisia. Some of the best computer support
I have received. Incredible knowledge of their products and clarity and
sufficient command of the English language. I was gobsmacked and told
the lady so.

I feel your pain. We all do.

Andre Labuschagne

They make me feel like a prisoner...

Kelvin Chua

On 4/18/2023 4:05 AM, John de la Torre wrote:
> What is that, some kind of "proof of life "? It's not only
> extortion but self-hostage taking. :-)
>
>

And you have to pay for your own meals.


--
John de la Torre
CA, USA

Kelvin Chua Wrote in message:r
> They make me feel like a prisoner...On 4/18/2023 4:05 AM, John de la Torre wrote:> What is that, s

Feel like helping the robbers to count my money robbed...

Kelvin Chua

On 4/18/2023 9:02 AM, John de la Torre wrote:
> And you have to pay for your own meals.
>
>

And if you are short, they already know where you live.


--
John de la Torre
CA, USA

Kelvin Chua Wrote in message:r
> Feel like helping the robbers to count my money robbed...On 4/18/2023 9:02 AM, John de la Torre wr

Hi John,

On 4/17/2023 20:02 PM, John de la Torre wrote:
> And you have to pay for your own meals.

And the toilet paper. And the water...

I created a ticket with them on Friday, no response yet. You'd think
for the money we pay they could write an email! Just thinking about
it. Clarion is a small nice and I don't know how many of us buy code
signing certificates. Say 1,500. If we each pay $799, that's
$1,198,500. We aren't talking pocket change here!

Best regards,

>
>
--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

I am still fuzzy about this scheme. Seems like you are paying them
to verify who you are; not whether you are the author of the
software or if the software is free of malware.
Also, it doesn't endemnify the buyer if these two conditions are
breached. Am I missing something?

--
John de la Torre
CA, USA

Arnor Baldvinsson Wrote in message:r
> Hi John,On 4/17/2023 20:02 PM, John de la Torre wrote:> And you have to pay for your own meals.And

> I am still fuzzy about this scheme.

Simple - it gives the end user a false sense of confidence.

And now I understand that it is required for Windows 11. It seems as
though the app will simply not run going forward. For now it is a dirty
little message that the OS may not trust this app. We had the same with
Apple Enterprise even though code signed for Apple. The first time
installed on the app they had to download your profile which is also
code signed by Apple and then they had to "trust" the app. Talk about
confusing the end user! By design I suppose.

It is all about "trust".

Andre Labuschagne

I hope it's a class action suit waiting to happen.


--
John de la Torre
CA, USA

Andre Labuschagne Wrote in message:r
> On 18/04/2023 06:30, John de la Torre wrote:> I am still fuzzy about this scheme.Simple - it gives

> I am still fuzzy about this scheme. Seems like you are paying them
> to verify who you are; not whether you are the author of the
> software or if the software is free of malware.
> Also, it doesn't endemnify the buyer if these two conditions are
> breached. Am I missing something?

A valid Authenticode signature only guarantees that it was signed by a
person having access to the private key of the issued certificate
(identity verification), and when operating system checks the signature
it can confirm that the content of that executable hasn't been changed
after the signature by malware or by some other reason (integrity
assurance).

If a particular code signing certificate is used for malware by a bad
actor, certificate authority will eventually revoke that certificate as
stated in their code signing customer agreements. At that moment, all
previous signatures made by that code signing certificate will be
invalidated and new signatures aren't possible, thus protecting other
users of that app (well, at least if they haven't totally turned off UAC
in Windows and/or their antivirus checks Authenticode signatures).

Cheers,
--
Timo

But the sender can not authenticate the receiver, right?
Seems like you need a PGP-like authentication.

--
John de la Torre
CA, USA

Timo Multanen Wrote in message:r
> On 18.4.2023 7.30, John de la Torre wrote:> I am still fuzzy about this scheme. Seems like you are

On 18/04/2023 12:58, John de la Torre wrote:
> I hope it's a class action suit waiting to happen.

+1

The entire tech industry is a lock in of sorts. I often wonder when
humanity is going to march on them as they did when storming the Bastille.

Apple is a good example. The Apple Store is exhibit A. I see their PC
sales [laptops and whatever else they call them these days] is 30% down
in the last quarter or perhaps year on year. I saw the headline and
thought - I am not surprised. You can only peddle so much hype and then
you get caught in your own loop. When the iPhone14 was released Steve
Jobs daughter famously remarked that there was nothing significantly
different from the iPhone13. This industry seems to be driven by hype
and lock in schemes such as code signing. Like lawyers and accountants
who hide behind governing bodies and codes and legislated billings and
so on.

Andre Labuschagne

> A valid Authenticode signature only guarantees that it was signed by a
> person having access to the private key of the issued certificate
> (identity verification), and when operating system checks the signature
> it can confirm that the content of that executable hasn't been changed
> after the signature by malware or by some other reason (integrity
> assurance).
>
> If a particular code signing certificate is used for malware by a bad
> actor, certificate authority will eventually revoke that certificate as
> stated in their code signing customer agreements. At that moment, all
> previous signatures made by that code signing certificate will be
> invalidated and new signatures aren't possible, thus protecting other
> users of that app (well, at least if they haven't totally turned off UAC
> in Windows and/or their antivirus checks Authenticode signatures).

In theory yes.

There are ways to mask and emulate and the OS nor the issuer will be the
wiser. The Dark Web is your friend. Pick your poison.

It really is a game that works most of the time and for the average user
[like me].

They just need to make it more seamless like Apple and the fuss will go
away.

Andre Labuschagne

Hi Timo,

On 4/18/2023 06:07 AM, Timo Multanen wrote:
> A valid Authenticode signature only guarantees that it was signed by a
> person having access to the private key of the issued certificate
> (identity verification), and when operating system checks the
> signature it can confirm that the content of that executable hasn't
> been changed after the signature by malware or by some other reason
> (integrity assurance).
>
> If a particular code signing certificate is used for malware by a bad
> actor, certificate authority will eventually revoke that certificate
> as stated in their code signing customer agreements.

I wonder if that has ever happened and then how many times and how LONG
it took those authorities to actually act on it. Given that it can take
weeks or months for them to act when a developer gives them money, I
seriously doubt they act any faster if someone reports a breach of
signature!

And who knows WHERE to report it? I checked the certificate on a MSI
that I recently installed. I have zero reason to doubt it, but just to
check for fun. I was able to find one website address:
https://www.ssl.com/repository/ This only addresses the buyer of the
certficate as far as I can tell. I don't know what happens if a exe is
tampered with - I assume it pops up a message and that may have some URL
to report it to.

When I did a google search for report code signing certificate breach,
this was the first thing that came up:

https://www.hackread.com/github-code-signing-certificate-breach/

"GitHub revealed that on December 7th, 2022, hackers had gained
unauthorized access to several of its code repositories and stolen
code-signing certificates for two of its desktop apps: Atom and Desktop.
The repositories were used in the planning and development of these
applications."

And this: https://about.signpath.io/code-signing/media-coverage

That article doesn't have a date on it, so I have no idea how old it is,
but it mentions 2019, so it's not too old.

Bottom line as I see it, is that code signing is NOT secure and if
hackers get their hands on them, well then the software's and
developer's reputation is toast.

Not a warm and fuzzy feeling :)

--

Arnor Baldvinsson
Icetips Alta LLC

They respond better on the phone.

Ray Rippey
VMT Software

Trust but verify. I think we have to have some trust in order for
anything anywhere to function. I have had a couple of customers in the
past that wouldn't let me on their computer to fix an issue. I can try
and walk them through it, but in the end it was trust me, or your stuff
doesn't work.

I have a lot of customers and they don't 2nd guess me when I want to get
on their machine and do whatever needs to be done. They have to trust
someone.

It is a shame there are a few bad actors in the software world that
really screw things up for the rest of us. Hence, code signing. Like I
said before, because it's MS that is doing the actual security of
checking for a signature, they should be the ones paying for the code
signing and doing the actual verification.

Perhaps someday all will be well, no bad guys out to screw people. And
pigs will fly.

Ray Rippey
VMT Software

On 4/18/2023 3:42 AM, Andre Labuschagne wrote:
> It is all about "trust".

That's not much help for us on the other side of the planet

Sean H

On 18.4.2023 20.49, Arnor Baldvinsson wrote:
>
> On 4/18/2023 06:07 AM, Timo Multanen wrote:
nature by malware or by some other reason
>> (integrity assurance).
>>
>> If a particular code signing certificate is used for malware by a bad
>> actor, certificate authority will eventually revoke that certificate
>> as stated in their code signing customer agreements.
>
> I wonder if that has ever happened and then how many times and how LONG
> it took those authorities to actually act on it. Given that it can take
> weeks or months for them to act when a developer gives them money, I
> seriously doubt they act any faster if someone reports a breach of
> signature!

I suppose they all have a process to report and revoke known cases of
malware. https://sectigo.com/support/report-abuse :
"If you have come across malware signed with a Sectigo- or Comodo-issued
Code Signing certificate please send as much detail as possible to:
signedmalwarealert@sectigo.com​ ". Or for Digicert at
https://problemreport.digicert.com/ .

If you know that your code signing certificate was stolen, you can and
must report and request revocation yourself.

Antivirus company security researchers probably also report known signed
malware cases to issuing CAs and to other AV vendors as well or via
samples submitted to VirusTotal and later confirmed to be malware can be
identified.

> Bottom line as I see it, is that code signing is NOT secure and if
> hackers get their hands on them, well then the software's and
> developer's reputation is toast.

Code signing isn't a total solution to all security concerns of
applications, but it is a lot better that just running a unsigned
executable files, since there is no way to know if those executable
files were changed on transit from the software publisher to you - sure,
checksums can be used, but those could be changed as well by a malware
actor if they had access to publisher's web site. And checking checksum
of every version of every exe on a computer with the updates wouldn't
really work without Authenticode.

The point of June 1 change of having code signing certificate private
keys on secure USB tokens or HSM key storage is just that they can't be
stolen, as the private key cannot be copied from those.
https://www.entrust.com/blog/2022/09/ca-browser-forum-updates-requirements-for-code-signing-certificate-private-keys/
.. Of course it doesn't prevent bad actors from using your credentials if
they have full access to your environment (since legitimate usage has to
be possible somehow), but it is much better than having the certificate
private key in a file or exportable from certificate storage.

There could be a app vetting and code review process from the OS vendor,
but I think that having that on Microsoft Windows isn't really doable,
since there are hundreds of development tools and languages available
for Windows platform, making it nigh impossible to do code review even
by automation (different story on Android and MacOS/iOS). And there
would be a cost and delay for that vetting process as well.

Cheers,
--
Timo

It seems like buying an expensive sticker, slapping it into a pc,
and declaring it genuine. And if the sticker is stolen, we will
send you another one. It is giving you a false sense of security.
Maybe it is cheaper to buy liability insurance, in case your
software can cause damage to your customers' business.



--
John de la Torre
CA, USA

Timo Multanen Wrote in message:r
> On 18.4.2023 20.49, Arnor Baldvinsson wrote:> > On 4/18/2023 06:07 AM, Timo Multanen wrote:nature

On 19/04/2023 03:04, Sean Hennessy wrote:
> That's not much help for us on the other side of the planet

Indeed. It is funny how Americans think the world is all about them.
Like the World series in which only American teams participate [and yes,
I know all about the origin of the name].

I am currently on European times and was able to phone Manchester in
England. It helped but there was some pretty serious lost in
translation as the person I dealt with is definitely not of English
extraction.

Andre Labuschagne

Hi Ray,

On 4/18/2023 13:17 PM, Ray Rippey wrote:
> They respond better on the phone.

I find it interesting that there is no link to the ticket in the email I
got and the ONLY option that I find on their website is to SUBMIT one.
Every support system I have worked with has a) included a link to the
ticket online, b) had an option when submitting to open existing
tickets, c) had an option to reply to the ticket email, d) had a link to
their support online, NOT just to create a ticket.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Timo,

On 4/19/2023 05:40 AM, Timo Multanen wrote:
> The point of June 1 change of having code signing certificate private
> keys on secure USB tokens or HSM key storage is just that they can't
> be stolen, as the private key cannot be copied from those.

USB sticks can be stolen:( There are also methods out there to copy
data of USB sticks that are locked down and are supposed to be
completely protected from copying:( Seen it done. Unfortunately :(

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

On 19.4.2023 15.34, John de la Torre wrote:
> It seems like buying an expensive sticker, slapping it into a pc,
> and declaring it genuine. And if the sticker is stolen, we will
> send you another one. It is giving you a false sense of security.
> Maybe it is cheaper to buy liability insurance, in case your
> software can cause damage to your customers' business.

Hi John,

Code signing can be a bit of a hassle, but it does have its benefits as
well.

1) Certificate authority verifies the identity of the software publisher
to some extent, more so for Extended Validation code signing certs. The
yearly cost of the certificate shouldn't be too much to software
companies or even individual developers, but it will somewhat weed out
mass requests from fraudulent parties, and the certificate authorities
do some work in vetting and running all the required public key
infrastructure for which they obviously want to be compensated. Lowest
price I can find is $39.99 a year for Certera Code Signing Certificate
(3 years).

2) If one takes appropriate care of the one's code signing certificate,
nobody can alter and redistribute one's binaries.

3) A normal end user or organization doesn't get scary warnings when
running one's binaries and can check that all the software from Their
Favorite Company, Inc. haven't been tampered with.

Microsoft has been relatively slow in their pace of requiring code
signing. I think it was introduced back in Windows 2000, XP didn't
require it but started to show some warnings for unsigned executables,
UAC in Vista-> made it pretty much a requirement, and SmartScreen from
Windows 8 onward even more so. But even now default settings in Windows
11 allow running unsigned executables with some prompts. SmartScreen
might block it, though, if the app doesn't have high enough reputation.
Installers probably require a code signature to work properly in most
cases (don't have first-hand experience on that, since we don't use
them, we just distribute a zip file with all the necessary files).

And as a bonus, a valid Authenticode signature can be used to really
lock down an environment with Microsoft AppLocker rules, so that only
whitelisted publishers' apps can be run.

But in the end, it is up to every developer and company to weigh the
cost/benefit for code signing and decide what is the best for them and
their use cases.

Cheers,
--
Timo

On 4/19/2023 5:34 AM, John de la Torre wrote:
> It seems like buying an expensive sticker, slapping it into a pc,
> and declaring it genuine. And if the sticker is stolen, we will
> send you another one. It is giving you a false sense of security.

> Maybe it is cheaper to buy liability insurance, in case your
> software can cause damage to your customers' business.

I sure don't want to go down that road. If they could, customers would
be suing software companies all of the time. That would effectively end
development for a lot of smaller software companies. There are too many
variables to guarantee the software won't cause damage to your business.
Improper usage, OS, computer hardware, and a ton of other things that
can damage files and cause incorrect results. No thanks.

We live on our reputation and make sure if there is an issue we correct
is ASAP. But our license statement makes sure we stay out of trouble.


Ray Rippey
VMT Software

> USB sticks can be stolen:( There are also methods out there to copy
> data of USB sticks that are locked down and are supposed to be
> completely protected from copying:( Seen it done. Unfortunately

Also seen it done.

The whole code signing enterprise is a fiasco.

But we have to do it so the humble end user does not get a fright when a
silly not trusted message pops up.

Andre Labuschagne

On 19/04/2023 23:29, Ray Rippey wrote:
> I sure don't want to go down that road. If they could, customers would
> be suing software companies all of the time. That would effectively end
> development for a lot of smaller software companies. There are too many
> variables to guarantee the software won't cause damage to your business.
> Improper usage, OS, computer hardware, and a ton of other things that
> can damage files and cause incorrect results. No thanks.
>
> We live on our reputation and make sure if there is an issue we correct
> is ASAP. But our license statement makes sure we stay out of trouble.

Agreed - if code signing merely offers another layer of security and
barrier against litigation, irrespective of its technical efficacy, just
do it. The end user does not get nasty messages when launching your
program. That alone is worth it. It is a no brainer for that reason alone.

Andre Labuschagne

Ahh.. so it's a premium nag-free subscription plan. Finally, it
made sense.


--
John de la Torre
CA, USA

Andre Labuschagne Wrote in message:r
> On 19/04/2023 23:29, Ray Rippey wrote:> I sure don't want to go down that road. If they could, cus

I can just imagine where I have to use my USB Stick and I can't find it.
I'm pretty organized on the computer, but sometimes physical
organization doesn't work well. I guess I'll buy a safe. One that's
heavy and it takes some effort to move it. I won't forget where it's at
then!

Ray Rippey
VMT Software

On 4/20/2023 2:46 AM, Andre Labuschagne wrote:
> On 19/04/2023 20:41, Arnor Baldvinsson wrote:
>> USB sticks can be stolen:( There are also methods out there to copy
>> data of USB sticks that are locked down and are supposed to be
>> completely protected from copying:( Seen it done. Unfortunately
>
> Also seen it done.
>
> The whole code signing enterprise is a fiasco.
>
> But we have to do it so the humble end user does not get a fright when a
> silly not trusted message pops up.
>
>

Sooner or later, you have to pay a yearly subscription just to
turn on your own computer.


--
John de la Torre
CA, USA

Ray Rippey Wrote in message:r
> I can just imagine where I have to use my USB Stick and I can't find it. I'm pretty organized on t

Hi Ray,

On 4/20/2023 15:46 PM, Ray Rippey wrote:
> I can just imagine where I have to use my USB Stick and I can't find
> it. I'm pretty organized on the computer, but sometimes physical
> organization doesn't work well. I guess I'll buy a safe. One that's
> heavy and it takes some effort to move it. I won't forget where it's
> at then!

Yeah, having to keep up with a USB stick... I know I have about 10 of
them. Never find them! Then you move and... well, can't find
anything! It will probably live with my camera - that is something I
have never lost and I've had one for close to 50 years<g>

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

On 20/04/2023 23:59, John de la Torre wrote:
> Ahh.. so it's a premium nag-free subscription plan. Finally, it
> made sense.

Yes - just like Apple!

You put your app into the Apple Store and we fleece you for 30% of any
of your revenue, or

You run the Enterprise option [serious apps do not belong in the store]
and we tell your users that you are not a trusted developer and they
need to take a few steps to trust you. This fills the end user with
horrors.

A money making enterprise of note - you are spot on.

Windows code signing is a milder version of this.

Andre Labuschagne

On 20/04/2023 22:46, Ray Rippey wrote:
> I can just imagine where I have to use my USB Stick and I can't find it.
> I'm pretty organized on the computer, but sometimes physical
> organization doesn't work well. I guess I'll buy a safe. One that's
> heavy and it takes some effort to move it. I won't forget where it's at
> then!

Been using dongles with WX for many years now. At first they were odd
but they make a lot of sense in more than one way only.

The only danger is theft - if you are programming on site [which I never
do any longer] a rogue staff member or person wondering by may may
mistake them for a flash drive. The same with any flash drive really.

But nothing that a bit of care cannot solve. You can either buy a safe
or hang it next to your wedding tackle that I guess you take care of.
You get the picture.

Andre Labuschagne

On 20/04/2023 23:44, John de la Torre wrote:
> Sooner or later, you have to pay a yearly subscription just to
> turn on your own computer.

LOL

Andre Labuschagne

HI Andre,

On 4/21/2023 04:19 AM, Andre Labuschagne wrote:
> The only danger is theft - if you are programming on site [which I
> never do any longer] a rogue staff member or person wondering by may
> may mistake them for a flash drive. The same with any flash drive
> really.

Those can be copied too. Even with copy "protection" there are ways
around those. If one looks hard enough and long enough there are ways
around most obstacles ;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

> HI Andre,
>
> On 4/21/2023 04:19 AM, Andre Labuschagne wrote:
>> The only danger is theft - if you are programming on site [which I
>> never do any longer] a rogue staff member or person wondering by may
>> may mistake them for a flash drive. The same with any flash drive
>> really.
>
> Those can be copied too. Even with copy "protection" there are ways
> around those. If one looks hard enough and long enough there are ways
> around most obstacles ;)

Indeed.

One only has to look for "Dongle backup service". I know Clarion/WinDev
developers who have had their USB "dongles" stored safely in a safe deposit
box for years and have never looked at them after they were purchased.

Charles

--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)

www.clarionproseries.com - ProDocument, ImageEx, ProScan, ProImage, ProPath
and other Clarion developer tools!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
-------------------------------------------------------------------------------------------------------

On 21/04/2023 20:55, Arnor Baldvinsson wrote:
> Those can be copied too.

Indeed. There is no real security with any technology.

Andre Labuschagne

On 21/04/2023 21:27, Charles Edmonds wrote:
> ne only has to look for "Dongle backup service". I know Clarion/WinDev
> developers who have had their USB "dongles" stored safely in a safe deposit
> box for years and have never looked at them after they were purchased.

You just need them for upgrades which is an annual affair.

Andre Labuschagne

On 21/04/2023 5:32 pm, Andre Labuschagne wrote:
> On 21/04/2023 20:55, Arnor Baldvinsson wrote:
>> Those can be copied too.
>
> Indeed. There is no real security with any technology.
>
>
That's because people "misuse" the term security.
It doesn't (shouldn't?) mean absolute protection, merely the ability to
resist.
Only thing that is absolutely secure is something that is totally
useless ..... if such a thing can exist

Jock Springer

Hi Jock,

On 4/22/2023 08:05 AM, Jock Springer wrote:
> It doesn't (shouldn't?) mean absolute protection, merely the ability
> to resist.
>
It has been established that resistance is futile!<g>

As I get older I've gotten more cynical about "safe" and "secure" Maybe
because I've seen so many things cracked in the almost (oh, God, hate to
admit it) 40 years I've been in this utter mess with call computers<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

Is it true that new malware is deployed through driver
installation, and it will bypass code-signing? I wonder if even
an AV can catch it.


--
John de la Torre
CA, USA

Arnor Baldvinsson Wrote in message:r
> Hi Jock,On 4/22/2023 08:05 AM, Jock Springer wrote:> It doesn't (shouldn't?) mean absolute protect

Yep, it's all relative and like all relatives you can only trust them so
far.
Running up on 44 years for me but just under 40 trying to write code

Jock Springer

On 22/04/2023 15:05, Jock Springer wrote:
> Only thing that is absolutely secure is something that is totally
> useless ..... if such a thing can exist

The only "secure" computer is one that is switched off and locked in a safe.

When people use the term "security" they mean they are reasonably safe.
They are not. Nowhere near.

Andre Labuschagne

On 22/04/2023 19:03, Arnor Baldvinsson wrote:
> It has been established that resistance is futile!<g>
>
> As I get older I've gotten more cynical about "safe" and "secure" Maybe
> because I've seen so many things cracked in the almost (oh, God, hate to
> admit it) 40 years I've been in this utter mess with call computers<g>

+1

Exactly my experience and time line. Forty years chasing bugs and BS
and mostly not getting hacked but ready for it every minute of the day.

You can be certain of death, taxes and the failure of technology. This
realization comes with age.

What blows my mind is that programmers of all people think that there is
a way to secure technology. The only folk who do not think so are the
aged and those who work trying to develop better security systems every
day of their lives.

Andre Labuschagne

Use abacus...

https://upload.wikimedia.org/wikipedia/commons/b/be/Abacus_4.jpg

Kelvin Chua

The uncle at a nearby provision shop is still using this abacus.

He told me he is very 'green' because he use abacus; no energy needed,
no carbon emission, not waste. He has been using it for the past fifty
over years. He said if it was a computer, he would have to replace it
dozen times....

Kelvin Chua

MS is going to get us with their Windows store. Already on some
computers I have to turn off the S mode so they can download our screen
sharing software or our actual software. I'm probably losing money
because people think if it's not in the MS store, it's probably not
safe. I did a quick glance at putting our software in their store, and
it didn't look easy. I would imagine they get a % too.

But I still say if they burn the tons of small developers out their,
they'll burn themselves too. No us, no them.

Ray Rippey
VMT Software

Hi Ray,

On 4/18/2023 13:17 PM, Ray Rippey wrote:
> They respond better on the phone.

I spent over an hour with them today. Takes forever for them to find
anything - or in this case admit they couldn't do their job and I had to
do it for them.

They claimed they couldn't verify the address for my company. After
running around this back and forth it turned out they couldn't OPEN the
Wisconsin Secretary of State website where they needed to to do the
search. I mean, it took me like 15 seconds to find it (never looked
before) find the option to search the company directory, fire off the
search and find the company!

Quote from the transscript:

"We accept this link https://www.wdfi.org/"

10 minutes later:

"Actually its not opening for us can you please send as pdf file"

That is the Wisconsin Department of Financial Institutions that is
linked to from the Secretary of State website for company search.
Scroll down to the "Business Search" Click the "Learn More" button and
you are on their corporate search page
https://wdfi.org/apps/corpSearch/Search.aspx

They had to ask ME to print it to PDF and submit it to them!

Yeah, all warm and fussy about all the security and safety this
provides! How the heck do they know I didn't just throw it together in
Word?

Anyone who claims that this somehow verifies anything is not firing on
all cylinders!<g> Basically I'm providing them with the OFFICIAL proof
that the information I provided is correct. So what if I'm a hacker
waiting to distribute some doomsday virus out there?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

I had the same issue. They couldn't access the site for Oregon and I had
to print it to a PDF.

There is nothing that I couldn't fake including the selfie with the
license. When I first did this with Comodo, I had to sign up with the
BBB and some other thing. It was much more rigorous. Whatever. I got it
done and have my code and it worked in Setupbuilder. That's all I care
about. I had to call them for everything else even after they confirmed
all my stuff. I guess they like getting called on the phone. Not sure if
it's their online software or just their operators, but they need some
serious improvement.

Ray Rippey
VMT Software

Hi Ray,

On 4/24/2023 17:54 PM, Ray Rippey wrote:
> I had the same issue. They couldn't access the site for Oregon and I
> had to print it to a PDF.

To me it means that they are blocked on either end from actually doing
what they need to do and that is very concerning. How can a security
company not have "access" to regular web sites? I'm pretty sure this
will be the last time I deal with Sectigo - this experience is leaving a
very bad taste in my mouth. It was never easy to deal with Comodo, but
normally they at least tried. Sectigo basically lets you do their work
for them. I suspect the work is farmed out to some place where their IP
addresses are blocked and they can't do their job.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Ray,

On 4/24/2023 15:17 PM, Ray Rippey wrote:
> MS is going to get us with their Windows store. Already on some
> computers I have to turn off the S mode so they can download our
> screen sharing software or our actual software. I'm probably losing
> money because people think if it's not in the MS store, it's probably
> not safe. I did a quick glance at putting our software in their store,
> and it didn't look easy. I would imagine they get a % too.

I'm not too familiar with it, but isn't the store only for apps? I.e.
UWP apps, not "regular" 32/64bit desktop applications? Can you even put
non-UWP apps in the store?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

I could be mistaken about putting a regular app like ours in the store.
It seems like you could, but I'd have to read much more about that.

That being said, on many computers it won't install our app, or
splashtop our screen sharing software without turning off the S mode and
allowing external programs to be installed. I think that's where they're
heading. Hard to say.

Ray Rippey
VMT Software

Hi Ray,

On 4/25/2023 18:31 PM, Ray Rippey wrote:
> That being said, on many computers it won't install our app, or
> splashtop our screen sharing software without turning off the S mode
> and allowing external programs to be installed. I think that's where
> they're heading. Hard to say.

I haven't had an issue installing Splashtop, except with one company
where an IT company sets everything up and locks it so that users can't
install anything. I understand that and they have been very good about
installing it for me or open it up temporarily so users can install it.
But yeah, it's a PITA to deal with. If it keeps going like this the
only thing you'll be able to run on a windows computer is Windows ;)

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

it's a PITA to deal with. If it keeps going like this the
> only thing you'll be able to run on a windows computer is Windows ;)

Looks that way, Arnor.

Just serves to reinforce my plan to exit the trenches within the next
few years.
In 3 years time I'll be eligible for full NIS pension (Social Security
to the Americans LOL ) & same year my wife can also retire from her
workplace with full pension benefits so here's hoping it all comes together.

Plus I'm tired of having to work. Not work itself but having to do so.

Jock Springer

Hi Ray,

On 4/24/2023 17:54 PM, Ray Rippey wrote:
> I had the same issue. They couldn't access the site for Oregon and I
> had to print it to a PDF.
>
> There is nothing that I couldn't fake including the selfie with the
> license. When I first did this with Comodo, I had to sign up with the
> BBB and some other thing. It was much more rigorous. Whatever. I got
> it done and have my code and it worked in Setupbuilder. That's all I
> care about. I had to call them for everything else even after they
> confirmed all my stuff. I guess they like getting called on the phone.
> Not sure if it's their online software or just their operators, but
> they need some serious improvement.

Agreed! I got the phone verification call this morning. Went to
voicemail (was otherwise occupied) and I could barely understand the
message. I posted on my ticket asking for more information and got a
second call and got a code. Called back and after trying to figure out
how to get through their phone menu (there really should be an automated
system for this where you call back and just punch in the code) I got
someone on the line and read him the code. After that it went down hill
as the connection got worse and worse and there were several second gaps
in between quarter second of sounds. I heard something about Alabama,
but that was about all I could make out of that conversation. A few
minutes later I got an email saying that the certificate was ready for
download.

Problem is I cannot find any place to download it! The status still
says "Validating" Still no response.

The people I have talked with, chatted with and emailed with, none of
them are native English speakers. I'm pretty good with accents if I can
hear what is said, and I could barely understand every other word on the
phone and the email/chat conversations were borderline weird<g> Even
their phone menus sounded almost like Stephen Hawking's 1980 speech
synthesizer.

Nothing really happened until I told them that if someone didn't start
doing something quickly, I would report the charge on my card as
fraudulent. Then all of a sudden things started to happen!

Despite them telling me that my certificate is ready to download, the
status still says "Validating" - that's 75 minutes after I got the
email saying it was ready.

I don't think I will do business with Sectigo again. I am so beyond
underwhelmed with their service. If I was paying $10, OK, not bad, but
not satisfactory, but for $800 I would expect to get better service.
Comodo wasn't easy to deal with, but this Sectigo thing has sank way
below the surface. Just sad.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Mine did the exact same thing.. so I waited a day, still nothing.
Finally I called them, again, and the validated got the validation on so
I could download. Then I had to figure out how to extract and they sent
me an Email. Huge PITA. I got these guys for 4 years. I might go with MS
next time, they have a service.

I can't retire... but it's not like my job is that stressful, and I like
it. I get my SS now which is a nice bonus every month. If I can just
keep my mind for a little longer.

It will be OK in the end. And if it's not OK, it's not yet the end.

Ray Rippey
VMT Software

On 4/26/2023 9:57 AM, Arnor Baldvinsson wrote:
> Despite them telling me that my certificate is ready to download, the
> status still says "Validating" - that's 75 minutes after I got the
> email saying it was ready.

> I could be mistaken about putting a regular app like ours in the store.
> It seems like you could, but I'd have to read much more about that.
>
> That being said, on many computers it won't install our app, or
> splashtop our screen sharing software without turning off the S mode and
> allowing external programs to be installed. I think that's where they're
> heading. Hard to say.

Hi Ray,

Win32 apps can now be distributed via Microsoft Store
https://developer.microsoft.com/en-us/microsoft-store/desktop-apps , and
for "normal" apps (not games) I think there isn't even any kind of
revenue sharing needed with Microsoft, so you would get 100% of the app
revenue.

You would just need a one-time payment of $99 for a company developer
account and then do all the necessary stuff to meet the app
certification requirements
https://learn.microsoft.com/en-us/windows/apps/publish/publish-your-app/app-certification-process?pivots=store-installer-msi-exe
.. And then submit your app via Partner Center.

Haven't done that myself, but it seems possible if you're using a
well-behaved MSI or EXE installer.

Cheers,
--
Timo

Timo,

we have done it in the past, with the help of JP. This was a nightmare and
so we stopped that project.

Friedrich

My main problem is my program does not conform to MS standards like
putting the program in a program files folder and the data in the data
folders.

I thought about it. But it is so much easier for me and my customers
when I have to move stuff around... one folder off the root and I've got
it all except for any registrations in the system registry like for the
install program or some of the com software. We're kind of a main
program on the machine so most don't care and it's really never hurt us.

But thanks for the info.

Ray Rippey
VMT Software