# Authenticode

## IanS

Not sure where I read this, but is it true that the App Store will only accept apps that are Authenticode signed with a Symantec certificate?

Won't my Thawte certificate be good enough?

Thanks
Ian

----------


## SJWhiteley

From what I can see, yes (I knew a VeriSign certificate was required, didn't know they were 'owned' by Symantec). It's a good few hundred bucks, so, I can understand the concern.

Note that the Windows 8 (Metro) apps are handled differently: you submit your package to Microsoft, they test it to meet quite stringent requirements, and it is signed by MS. A certificate, in this case, is not required, only for desktop apps.

Basically, though, you are only paying for the privilege of posting your [desktop] application to the Microsoft app store window. You still have to perform all the payment transactions yourself, download, etc. The certificate issue is a tough pill to swallow as a requirement - and a double whammy for those with a different, but no less secure, certificate.

----------


## IanS

> Note that the Windows 8 (Metro) apps are handled differently: you submit your package to Microsoft, they test it to meet quite stringent requirements, and it is signed by MS. A certificate, in this case, is not required, only for desktop apps.


My understanding was that MS wouldn't accept it at all unless it was signed by the developer with a "VeriSign" certificate.





> Basically, though, you are only paying for the privilege of posting your [desktop] application to the Microsoft app store window. You still have to perform all the payment transactions yourself, download, etc. The certificate issue is a tough pill to swallow as a requirement - and a double whammy for those with a different, but no less secure, certificate.


I didn't know that I could post "Desktop" apps to the MS App Store. As it stands, though, I don't have a problem installing my desktop apps on Windows 8 RTM. It's happy to accept either my Thawte or my Comodo certificates.

Actually, Thawte and VeriSign are BOTH owned by Symantec. Which makes me wonder why a VeriSign certificate is double the price of the Thawte certificate. Are they saying that Thawte is 'less' secure?

----------


## IanS

Earlier today I sent this email to MS




> To: Solution Partner Expert Team
> Subject: Win8 Apps and Authenticode
> 
> I've been led to believe that the Win8 App Store will only accept apps that are Authenticode signed with a VeriSign certificate.
> 
> Won't my Thawte certificate be good enough?
> 
> Thanks
> Ian


and got this answer




> Hi team,
> 
> Is it true that only a VeriSign certificate is acceptable for Windows 8 store submissions? 
> 
> Thanks!
> -Nichole


 :Confused:   :Confused: 

Who is 'Nichole' and why is she answering my email with her own question - or did the MS cut-n-paste chimp just send me somebody else's question because it sounds a bit like mine?

----------


## SJWhiteley

> My understanding was that MS wouldn't accept it at all unless it was signed by the developer with a "VeriSign" certificate.


Hmm, I didn't think that was the case - perhaps I'm wrong, then. In which case, even the Metro App Store is out of reach of your average hobby coder...! I'd better double-check that, but I do recall the last stage of 'certification' was Microsoft signing the package.






> I didn't know that I could post "Desktop" apps to the MS App Store. As it stands, though, I don't have a problem installing my desktop apps on Windows 8 RTM. It's happy to accept either my Thawte or my Comodo certificates.
> 
> Actually, Thawte and VeriSign are BOTH owned by Symantec. Which makes me wonder why a VeriSign certificate is double the price of the Thawte certificate. Are they saying that Thawte is 'less' secure?


Really, it's just a 'store front' - or more like a 'yellow pages' for apps. You have to provide a link to your own web site where they can download the app. You can easily (obviously) bypass the Microsoft storefront completely, and people can find your app through other means (Google, for example). The Microsoft store front is mimicking the Apple model - a one-stop shop where you can find apps for your device/computer. A requirement for your app to be showcased is that it is signed by VeriSign. I'm not sure how they can enforce that, since the app is actually downloaded from your site, but I haven't looked at the Desktop App steps in great detail.

I'm a novice when it comes to app distribution to a non-vertical market - code signing generally isn't important for custom applications - but am investigating what is needed to try and hedge my bets that the WinRT on a mobile device has any penetration into an industrial environment.

----------


## SJWhiteley

Here's a couple of reference links:

Windows 8 app certification requirements
http://msdn.microsoft.com/en-us/libr.../hh694083.aspx

The above page does not note any signing requirements, but the submission steps documented on an MS blog indicate that MS signs the app package as one of the last steps.

Certification requirements for Windows 8 desktop apps
http://msdn.microsoft.com/en-us/libr.../hh749939.aspx

This does indicate the application needs signing, but does not specify that VeriSign must be used. Doesn't mean that VeriSign is _not_ required, but the whole thing is relatively complex if you haven't accommodated all the requirements in current apps. MS have a lot of investment, it seems, in the store, so it wouldn't surprise me if there are many, many departments working on this whole 'Windows 8 experience' and one hand doesn't know what the other is doing. Indeed, Microsoft's home web site is designed to look like a Windows 8 app. Neat and Unifying - if your eyes can stand the obnoxious colors - which I have a real hard time with.

So, it also doesn't surprise me that MS employees are also confused: so-called Windows 8 MS representatives (and experts) on the Windows 8 community forums are complete idiots. Granted, some of the questions/comments/rants are not of a particularly high quality, but still.

----------


## brad jones

I asked a Microsoft person as well. The answer I got today is:




> Using a certificate within the app itself? I don't see anywhere that limits to what Certificate Store is allowed and also I would find that hard to believe that they would limit to only Symantec and not others such as VeriSign and Thawte.
> 
> http://msdn.microsoft.com/en-us/libr.../hh464941.aspx

----------


## Lightning

For WP7, with a quite similar marketplace, the file is signed by MS itself.

----------

