Welcome to WebmasterWorld Guest from

Forum Moderators: phranque

Message Too Old, No Replies

Thawte/Verisign Software Download Certificate

12:41 am on Mar 26, 2009 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 5, 2009
votes: 0

Im considering purchasing the Thawte digital certificate (authenticode) for a downloadable game client application but we have a technical question we have been unable to find an answer to (even by speaking to Thawte themselves).

The basic issue is that we are eventually going to have affiliates who can refer traffic for revenue share.

The way it works is that when a user (who is referred by an affiliate) downloads the client, the server puts the affiliate ID into the game launcher (setup.exe).

So when a user then installs the client and then registers to become player, the client uses affiliate ID for the registration step (ie to ensure that the affiliate gets the credit for the referral).

Therefore, the server changes (or patches) the game launcher (setup.exe) with an affiliate ID.

My coder has told me that because of this we cannot sign the launcher because each time it is patched the certificate will become invalid.

Have any of you had this problem? Is this correct? If so, is there a way we can get around this problem?

6:56 pm on Mar 26, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
votes: 0

That is almost correct. Unfortunately, there is not an area in the signature code that can be customised and then read back later. This would have been easy to implement but I guess nobody thought to do so.

Your only option is to sign one copy for each affiliate. When a new version is released, you'll either have to delete all the signed copies and arrange for new signed copies to be created on demand or you'll have to create a new set of signed copies.

The signing process is very quick unless you need to include a timestamp (recommended). In this case it may take a few seconds to connect to a timestamp server.

I would recommend creating new signed copies on demand if you running on a Windows server, but if you are running on something else this might be tricky.