Renew your Windows Code Signing Certificates by December 31, 2015

December 14, 2015

Happy Holidays! In this busy time of year, reserve some time for another (hopefully not too expensive) chore that might be unexpected.  Due to the industry push to move from the SHA-1 hashing algorithm to the more secure SHA-2 (e.g. SHA256) hashing algorithm, you may need to purchase or renew your certificates, even if they are still valid.

For various reasons, the deadline for action is December 31, 2015.

Call to Action

Ensure that you purchase or renew (and start using) one or more code signing certificates by December 31, 2015.

The required certificates depend on whether you sign User Mode and/or Kernel Mode Windows modules:

  1. User Mode files (e.g. msi, exe, etc.) must be signed with a SHA-2 certificate starting after December 31, 2015.
  2. Kernel Mode drivers (e.g. .sys files) can be signed with either a SHA-1 or SHA-2 certificate, but SHA-1 is most compatible — even for Windows 10.  But:  December 31, 2015 is the last day you can purchase a SHA-1 certificate.  EDIT 12/29/2015:  Microsoft has rescinded this deadline.

User Mode Q and A

Q:  What happens if I continue to use my old, still valid, SHA-1 certificate after December 31?

A:  Windows will ignore your signature as if your files were unsigned.

Comodo:

After these dates have passed, Microsoft software such as Internet Explorer® and Windows® will reject code signing and SSL certificates that use SHA-1.

Microsoft:

On Win 7 and above, blocked on 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after 1/1/2016 for Mark of the Web files.

Q:  Will there be compatibility issues if I sign with SHA-2?

A:  No, not for User Mode.  (Kernel Mode does have compatibility issues, see below.)  SHA-2 for User Mode is supported in Windows XP SP3 and later.

Comodo:

This is a list of popular software that supports SHA-2:
Windows XP 3 and above (including Windows 8.1, 8.0 and Vista)

Windows Server 2003 and above

Q: I already have a SHA-1 certificate.  Do I have to spend money and buy a SHA-2 certificate also?

A: Contact the Certificate Authority (CA) which issued your SHA-1 certificate (e.g. Comodo, DigiCert, GlobalSign, etc.).  They should give you a SHA-2 version for free, which has the same expiration as your original SHA-1 certificate.

Q: I already have a valid SHA-2 certificate.  Do I need to do anything?

A: No, congratulations, you are good to go!  Just make sure you sign with it starting January 1, or earlier.

Kernel Mode Q and A

SHA-1 Certificate Availability

Q:  I don’t have a SHA-1 certificate, but I don’t plan to sign kernel mode modules yet.  Can I wait to purchase a SHA-1 certificate until I need it?

Q:  I currently have a SHA-1 certificate, and it is valid for some time to come.  Why do I have to renew it by December 31?

A:  December 31 is the last day that you can purchase or renew a SHA-1 certificate.  So it is now or never.  EDIT 12/29/2015:  Microsoft has rescinded this deadline.

CA/Browser Forum

Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA-1 hash algorithm. […]

Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA-1 algorithm with an Expiry Date greater than 1 January 2017 […]

Microsoft

CAs SHOULD issue SHA-2 only, unless developer is targeting Vista and Server 2008 (for them, CAs MAY issue SHA-1)

Also, I recommend getting a multi-year certificate — On December 7, 2015, I got a SHA-1 version of my DigiCert EV SHA-2 certificate; both are valid through 2018, despite the above warning that the SHA-1 version should expire no later than January 1, 2017  — to minimize the possibility of having to deal with certificate issues again for as long as possible.  When it expires, you will be forced to switch to SHA-2 (or SHA-3 or whatever the standard is by then), and deal with whatever rules are in effect.

However, prior to your new SHA-1 certificate expiring, the industry could disqualify it for kernel mode, the same as it did for SHA-1 User Mode (which is disqualified on January 1).  So try to strike a balance between getting a certificate for too short or too long a time period.

Q: I already have a SHA-2 certificate.  Do I have to spend money and buy a SHA-1 certificate also?

A: Contact the Certificate Authority (CA) which issued your SHA-2 certificate (e.g. Comodo, DigiCert, GlobalSign, etc.).  They may give you a SHA-1 version for free, which has the same expiration as your original SHA-2 certificate.  I have a DigiCert EV SHA-2 certificate, for which I was given a free SHA-1 certificate with the same 2018 expiration date.  I also have a Comodo Authenticode (non-EV) SHA-2 certificate which expires in 2018, and thus far, Comodo has only offered to give me a free SHA-1 certificate that expires on December 31, 2015!  So your experience may vary.

The summary on the MadCodeHook forum is that DigiCert and GlobalSign are proven to still issue SHA-1.  There is a question of whether businesses are treated differently from individuals.

Q: I already have a SHA-1 certificate with a long time left until it expires.  Do I need to do anything?

A: No, congratulations, you are good to go!

SHA-1 vs. SHA-2

Q: Why is SHA-1 better than the newer and the more secure SHA-2?

A:  SHA-1 is completely compatible with Windows XP through Windows 10.  You can sign one driver package for all of these OS’s, using the tried and true method of using a cross certificate.  It remains the only option for XP and Vista.

Q: But won’t my software be more secure if I sign it with a SHA-2 certificate?

A:  No, the purpose of signing software is to prove that you created it. The way it works is that when your customer downloads/installs/loads your software, it is Windows that verifies your signature and reports something like “Verified Publisher:  <the company name from your certificate>”.

An attacker can use the less secure SHA-1 to more easily spoof your signature on software that the attacker creates (e.g. malware).  Such malware would appear to have come from you.  Windows would report “Verified Publisher:  <the company name from your certificate>”.  But this scenario, appalling though it is, can happen even if you sign your legitimate software with SHA-2.  An attacker can still sign the malware with a spoofed SHA-1 signature of yours.  So you can see that whether you sign your software with SHA-1 or SHA-2, it makes absolutely no difference in the likelihood of being spoofed.

Q:  Well, even if my software isn’t more secure by signing with SHA-2, doesn’t signing with SHA-2 make me a good Windows developer and improve the overall Windows ecosystem?

A:  No, if Windows accepts SHA-1, it is vulnerable to SHA-1 attacks, such as the above spoofing example.  The only thing that strengthens the Windows ecosystem is for Windows to invalidate SHA-1, which so far it is not doing for Kernel Mode (but is for User Mode).

(My speculative opinion with no applicable knowledge:  Since MS is invalidating SHA-1 for User Mode, but is continuing to accept SHA-1 for Kernel Mode, perhaps the payoff to do so is not as great as for User Mode.)

SHA-2 Compatibility

Windows 7

Q: I don’t care about XP and Vista.  I only care about Windows 7 and later (8, 8.1, 10). Aren’t these OS’s compatible with the more secure SHA-2?

A: For Kernel Mode, Windows 7 is only compatible with SHA-2 if the little-known update KB3033929, released in March, 2015, is installed.  For marketing reasons such as lack of customer comprehension and technical ability, and the difficulty of installing in certain cases (e.g. having a multiple-boot configuration of Windows and various distributions of Linux or using a non-Windows boot loader), you may not want to make this update a prerequisite for using your software.  (I surely don’t.)

SHA-1 Compatibility

Windows 10

Q: Are there any limitations of signing with SHA-1 for Windows 10?

A: The limitations are described in the Microsoft Code Signing FAQ:

  • A cross-signed driver using a SHA-1 or SHA-256 certificate issued after July 29th, 2015 is not recommended for Windows 10.
  • A driver signed with any certificate issued after July 29th, 2015, with time stamping, is not recommended for Windows 10.
  • A driver signed with any certificate that expires after July 29th, 2015, without time stamping, will work on Windows 10 until the certificate expires.
  • Enterprises may implement a device guard policy to modify the driver signing requirements using Windows 10 Enterprise edition. Device Guard provides an enterprise-defined code integrity policy, which may be configured to require at least an attestation-signed driver. [Ed. An “attestation-signed driver” is one that is signed by Microsoft through the SysDev portal (see below).]

At the very least, you can sign with a certificate (SHA-1, non-EV SHA-2 or EV SHA-2) without timestamping, and it will be good until your certificate expires.  But timestamping is highly recommended so that the signature lasts “forever”.  And even this will work, even though it’s “not recommended” (whatever that means).

Besides this, there is an additional caveat regarding Windows 10 Enterprise.  Windows 10 Enterprise supports a feature called Device Guard, which can be used by IT Admins to set a policy disallowing non-EV certificates (including SHA-1 certificates, as EV is not an option for SHA-1).

TechNet

8 Required:EV Signers In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement.

(Personally, I do not have any customers that are running Windows Enterprise that are setting this policy.)

Q: Isn’t an Extended Validation (EV) SHA-2 certificate required for Windows 10?

A: For Windows 10, an expensive and inconvenient EV SHA-2 certificate is required to use the Microsoft SysDev portal.  But a non-EV SHA-2 or SHA-1 certificate (all SHA-1 certificates are non-EV) is fine if you don’t use the portal.  And it is not required that you use the portal to sign your Kernel Mode software for any current release of Windows.

Q: But I’ve heard that Microsoft requires us to use their SysDev portal for Kernel Mode on Windows 10?

A: No, there is a “transitional policy.”

OSR blog – quoting Microsoft Program Manager James Murray:

Windows 8 style kernel mode code signing will continue to work, as long as the certificate was issued prior to Windows 10 RTM (the cut off).

Q: Um, this says my certificate works only if it was issued before the Windows 10 RTM date.  So isn’t it too late to get a SHA-1 certificate for Windows 10?

A: No, as discussed above, the Microsoft Code Signing FAQ now says certificates issued after July 29 will also work, subject to the limitations above.  Furthermore, the verbatim quote from Microsoft Program Manager James Murray was originally

Cross-signing will continue to work, as long as the cross-signing certificate was issued prior to Windows 10 RTM (the cut off).

Here, it says it is the cross certificate whose date matters, not the developer’s certificate.

However, in discussion on the OSR NTDEV list, messages #95 – 97, it was discussed that the effective date of the cross certificate could not possibly have any bearing on whether the signature was accepted by Windows 10.  As such, the post author intentionally altered the quotation to “clarify” that it was the developer’s certificate that needs to be issued before the RTM.  Here is what the blog now says:

Windows 8 style kernel mode code signing will continue to work, as long as the certificate was issued prior to Windows 10 RTM (the cut off).

In hindsight, it seems that the original wording was the correct one, given Microsoft’s clarification that “any certificate” can indeed be used for Windows 10.

David Grayson’s blog and MSDN thread are additional sources that it is the expiration date of the cross certificate that is important:

However, there is a really nice loophole. For backwards compatibility, kernel-mode drivers signed with a valid cross-certificate that pre-dates Windows 10 will continue to pass signing checks in Windows 10. The cross-certificate from GlobalSign was issued long before Windows 10 and it expires on 2021-04-15. Therefore, you should be able to sign kernel-mode drivers for Windows 10 with a regular GlobalSign code-signing certificate until then.

Please see the April Fools Day announcement from Microsoft:
http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx
It says:
“To ensure backwards compatibility, drivers which are properly signed by a valid cross-signing certificate that was issued before the release of Windows 10 will continue to pass signing checks on Windows 10.”

Microsoft continues to be vague.  In addition to the above points, the Microsoft Code Signing FAQ also says

A cross-signed driver using a SHA-1 certificate issued prior to July 29th, 2015 will work on all platforms starting with Windows Vista through Windows 10.

Again, it is not clear whether they are talking about the developer’s SHA-1 certificate, or the cross-signing certificate from the CA.

Anyway, when in doubt, try it!  The DigiCert SHA-1 cert issued after the Win 10 RTM date works for me on Win 10 Pro x64 with SecureBoot enabled. I tested on a Windows 8.1 Hyper-V VM (Generation 2, with SecureBoot enabled). The guest OS is Windows 10 Pro x64, Version 1511 (10586.17).

There are other success stories sprinkled into the threads cited in this post.
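
To see which of the cases above a file you have already signed falls into, the following PowerShell function (an added example, not code from the original post) reports the signer certificate's hash algorithm, its issue and expiry dates, and whether the signature is time stamped. The function name Get-SigningCertSummary and the sample path in the usage comment are hypothetical.

```powershell
# Added example (not from the original post). The function name and the
# sample path in the usage comment at the bottom are hypothetical.
function Get-SigningCertSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    # Windows 10 release date, the cut-off used in the Microsoft FAQ quoted above.
    $win10Release = [datetime]'2015-07-29'

    foreach ($file in Get-ChildItem -Path $Path -File) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $cert = $sig.SignerCertificate

        if ($null -eq $cert) {
            # Unsigned file, or a signature PowerShell could not read.
            [pscustomobject]@{
                File          = $file.Name
                Status        = $sig.Status
                CertAlgorithm = $null
                CertIssued    = $null
                CertExpires   = $null
                TimeStamped   = $false
                FaqCase       = 'No signer certificate found'
            }
            continue
        }

        $timeStamped = $null -ne $sig.TimeStamperCertificate
        $issuedAfter = $cert.NotBefore -gt $win10Release

        # Map the signature onto the FAQ bullets quoted in this post.
        $faqCase = if (-not $timeStamped) {
            'No time stamp: good only until the certificate expires'
        } elseif ($issuedAfter) {
            'Issued after 2015-07-29, time stamped: "not recommended" for Windows 10'
        } else {
            'Issued before 2015-07-29, time stamped'
        }

        [pscustomobject]@{
            File          = $file.Name
            Status        = $sig.Status
            # Algorithm the CA used to sign the certificate, e.g. sha1RSA or sha256RSA.
            CertAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            CertIssued    = $cert.NotBefore
            CertExpires   = $cert.NotAfter
            TimeStamped   = $timeStamped
            FaqCase       = $faqCase
        }
    }
}

# Usage (hypothetical build output folder):
# Get-SigningCertSummary -Path 'C:\build\out\*' | Format-Table -AutoSize
```

CertAlgorithm is the algorithm the CA used to sign the certificate, which is what this post means by a SHA-1 or SHA-2 certificate. On a dual-signed file, Get-AuthenticodeSignature reports only the first signature, and Status is the user-mode Authenticode result, not a statement of whether the kernel will load a driver.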

SHA-1 – Windows 10 Summary

Microsoft clearly wants their SysDev portal (and EV certificates) to be used for Windows 10, and any allowance of non-EV SHA-2 and SHA-1 with cross signing is being done with sheer reluctance and non-transparency.

Microsoft has a history of doing this. I am reminded of a similar situation when MS was encouraging converting from the ANSI charset to the Unicode charset.  Yes, there are advantages to using Unicode (e.g. easier localization), but also disadvantages (e.g. 2x the memory).  And ANSI is still supported in Windows, but is “not recommended”.  But I still use it when it makes sense.

Despite Microsoft using vague phrases like “not recommended”, SHA-1 works today on Windows 10, and Microsoft has made a pattern of further relaxing its SysDev portal (and EV certificate) requirements.  The SHA-1 compatibility with previous Windows versions is so great that I recommend using it for Windows 10 until it is definitively prohibited.

To continue using SHA-1, ensure your certificate is renewed for a sufficient time period.

 



Hyper-V — Remote Desktop: Good, Virtual Machine Connection: Bad

February 10, 2015

I run Hyper-V virtual machines (VM’s). I copy and paste using the clipboard between the host and VM’s, and between the VM’s themselves. A lot. So it is truly annoying when the clipboard doesn’t work. And no, it doesn’t work if you simply do what comes naturally — find the VM in the built-in Hyper-V Manager, right click, and select Connect.

This opens a window of your VM, using “Virtual Machine Connection”. But this window doesn’t support the clipboard, nor any of the following:  redirected audio, drives, or printers. There is something new called Enhanced Session Mode which does support them, but only if the client OS is Windows 8.1 Enterprise or Windows Server 2012. I don’t know about you, but those aren’t the OS’s I typically put into my VM’s. So this would seem to be a worthless feature.

Thankfully, there is an easy alternative. Just use the Remote Desktop Connection application (connecting to other computers via Remote Desktop), which is built into all Windows. Remote Desktop has for years supported all of the missing clipboard and redirection of client resources such as printers.

[Caveat] Again related to the client OS running in the VM – the client OS needs to support “being a Remote Desktop host” (being connected to via Remote Desktop).  For example, Windows 7 Home Premium does not support this, but Windows 7 Professional/Ultimate does.

[Setup] You will need to enable Remote Desktop in the client OS and know the client’s Computer Name in order to connect to it.

Short wish: One of the things missing from Remote Desktop that VMware Workstation has is dragging the client desktop window to resize it, and then the client “hardware” display settings are changed so that it matches the new window size. The client remains optimally sized, as intended.

One client, One VM

February 10, 2015

Juggling several client projects at once requires some sort of dedicated computer resources for each of them. Happily the state of the art makes it very easy. At first, I used just one computer and just juggled.  Then I installed SysInternals Desktops to be able to switch to different screens for each client.

This proved too little, as each client eventually needed incompatible Visual Studio configurations. For example, the .NET projects benefited from add-ins like .NET Demon (continual rebuilding of the project), but this was incompatible with C++ projects. In addition, some clients required the Qt add-in, different versions of the Windows SDK, some required the DDK, etc. One needed the Dev Express ASP.NET controls, but that license was only for that client and I couldn’t use it for other projects.

Clearly the easiest way to assure an optimum environment for each client was a dedicated PC. While I do have enough computers to do this, so many physical machines make for a very crowded desk, and I only have one good keyboard, mouse, and 30″ monitor. Happily, the performance of virtual machines makes this an unnecessary cost and inconvenience.

Which virtual machine software is the best? The cheapest and best performing is Hyper-V. Compared to my other favorite, VMware Workstation, it is a Type 1 hypervisor,  which allows for faster performance, and it’s now included free with Windows 8(.1).

So my main development machine is a 3 year old Core i7, with 24 GB RAM and 1 TB SSD. I can run several Hyper-V VM’s with dedicated 4-6 GB of RAM simultaneously. Since most of the time they are just sitting idle, the one or two I am working in are very fast performing.

It is such a productivity booster to be able to Remote Desktop into these VM’s from anywhere on the Internet (although mostly from the Hyper-V host machine itself) with all the apps open exactly as I have left them. As I get older, my memory forgets things like what is the next thing to do for a client, and seeing all the apps there just as they were when I last worked on it saves me many minutes of ramp up time.

So it works great, and I wouldn’t change a thing.  The one irritant is the initial setup of the VM’s.  The number of installs you need to perform grows proportionally to the number of VM’s you create.  But this is not as bad as it could be.  First, we can create a “reference VM” which we clone to start all the new ones; the reference VM has all our must-have apps installed and configured, so these automatically work for all our new VM’s.  This also helps with software that allows only a limited number of installations – when such software is installed, it checks a server on the Internet to see how many times prior the license file was installed.  But after installation, it doesn’t check the Internet anymore.  So if the VM is subsequently cloned, that software is none the wiser.   (I realize this subverts the letter of the license, but not the spirit — I paid for a license to have full use of the software, I can’t help it if the software has a license that does not keep pace with how people use computers today.)

The second thing about all these installs is that they go way faster now, with the SSD.  Even gargantuan packages like Visual Studio and Office install (relatively) very quickly.

Qt Book Download: C++ GUI Programming with Qt 4 Second Edition by Jasmin Blanchette and Mark Summerfield (Prentice Hall)

January 30, 2010

Let me tell you, this is my kind of book.  On page 3 it has this listing:

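#include <QApplication>
#include <QLabel>

int main(int argc, char *argv[])
{
    QApplication app(argc, argv);
    // A top-level QLabel with no parent is shown as its own window.
    QLabel *label = new QLabel("Hello Qt!");
    label->show();
    // Enter the Qt event loop until the window is closed.
    return app.exec();
}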

This opens a popup window with a label in it.

Then on page 5, it says to show bigger text with “Hello” in italics and Qt in red, replace

QLabel *label = new QLabel("Hello Qt!");

with

QLabel *label = new QLabel("<h2><i>Hello</i> <font color=red>Qt!</font></h2>");

That’s right.  Labels can have HTML formatted text in them!

The next page shows 11 lines of code to create a button that exits the app when pushed.

When I first started reading this book while waiting for my dinner to arrive, I thought to myself, this Qt thing is right up my alley.  And this book is also right up my alley, the pragmatic, no nonsense introduction to a pragmatic, no-nonsense C++ application framework.  There’s a reason why it is required reading for new hires at Nokia….

Best of all, it’s FREE! Published under the Open Publication License, it is perfectly legal to distribute.  It’s currently hosted on the dcsoft.com website here:  download, but no guarantees if I will have to take it down if my bandwidth gets used up!    You can always download the torrent. But it’s such a good read, I recommend you purchase a hard copy.

Edit April 25, 2009:  The book’s source code is available for download from InformIt.

How to: Setup Qt 4.5+ Visual Studio Integration

January 30, 2010

(NOTE:  This post was originally published on Mar 06, 2009.  It was subsequently moved to the wordpress.com blog service and updated to reflect the many comments.  Thank you for contributing your comments!)

QT IS NOW RELEASED UNDER LGPL

Qt is a cross platform GUI toolkit which was acquired from Trolltech by Nokia.  Starting with Qt 4.5, it is dual-licensed under both LGPL and Commercial.  The Commercial license can be a bit pricey, but the LGPL license means you can use it free of charge to develop proprietary, commercial, closed-source software.  Instantly, Qt has become available to a wide audience of software developers (DCSoft included).  Thank you Nokia!

More than a year ago, DCSoft became very interested in Qt.  Much as we love MFC, it hasn’t changed much since 1999, and this is 2009.  Qt is easy to learn given its concise syntax and documentation, plugs into Visual Studio (more below), comes with a supported toolset including Designer (a resource editor), Linguist (a localization tool), and Qt Creator (an IDE), giving Qt more momentum than MFC, and a higher performance alternative to .NET.  It’s easily one of the best ways to create Windows apps, never mind it can also target Mac, Linux, and several embedded devices.

Starting with Qt 4.6, the LGPL version now comes pre-built for Visual Studio 2008 RTM.  If this fits your need, you can simply install it and skip to INSTALL VISUAL STUDIO ADD-IN. However, you will need to build Qt yourself if:

  1. You are using VS 2008 and you have installed SP1 and/or the ATL Security Update, and you are building your app with the _BIND_TO_CURRENT_VCLIBS_VERSION defined (or another means to specify the non-RTM version).  This is because both Qt and your app need to be built with the same version of the Visual Studio redistributables, and Qt has been built with RTM, but your app is not being built with RTM.
  2. You are using any version of VS 2005.  This is because Qt does not come prebuilt for VS 2005.

Here’s how to get our favorite IDE (Visual Studio 2005/2008) working with Qt!

DOWNLOAD QT SOURCE CODE

As the option to download only the Qt source code is a bit obfuscated on the current Nokia website, please follow these directions:

  1. Go to http://qt.nokia.com/downloads and click the Go LGPL button.
  2. Since you want only source code, look at the Qt: Framework Only column on the right.  Click e.g. Download Qt libraries 4.6.1 for Windows (VS 2008, 194 MB) — choose the VS2008 one.
  3. This starts the download for pre-built Qt.  But we don’t want that as we will be building Qt ourselves.  A page will appear with <Source code available on this link>.  Cancel the Save As dialog in your browser to cancel the binaries download you had clicked on, then click on this link, e.g. http://get.qt.nokia.com/qt/source/qt-everywhere-opensource-src-4.6.1.zip
  4. Unzip the file into e.g. c:\qt\4.6.1-vc.  Please use a path with no embedded spaces, as the Qt build tools have issues with them.

SET ENVIRONMENT VARIABLES

Open Computer Properties | Advanced system settings | Environment Variables:

  1. Add the environment variable:  QTDIR = c:\qt\4.6.1-vc
  2. Edit the PATH environment variable to add:  %QTDIR%\bin
  3. Either close all command prompts and Visual Studio instances, or reboot the computer so the new environment variables take effect.

BUILD VC++ VERSION OF QT

  1. Open a Microsoft Visual Studio Command Prompt, which is a command console with environment variables set for the specified VS.  This is easily accomplished using Start | All Programs | Microsoft Visual Studio 2005 (or 2008) | Visual Studio Tools | Visual Studio 2005 (or 2008) Command Prompt.
  2. Clean up any previous build:
    1. c:\> cd c:\qt\4.6.1-vc
    2. c:\qt\4.6.1-vc> nmake distclean
    3. c:\qt\4.6.1-vc> rm -rf tmp*  // <-- recursively remove all tmp\ folders and files

     This requires finding a *nix workalike.  I use Total Commander to search for Tmp*, select all the found files, and delete them with one keystroke.

  3. Run Configure to target platform vc2005 or vc2008:

     c:\qt\4.6.1-vc> configure -platform win32-msvc2005 <other options as needed>

     Substitute win32-msvc2008 for VC2008.

     Run Configure with no parameters to see a help screen.  Configure generates nmake compatible makefiles to build all the Qt DLL’s, tools, and demos.

  4. Run nmake to build:

     c:\qt\4.6.1-vc> nmake

     It will take a while, but this grinds through building the specified Qt DLL’s, tools, and demos with Visual Studio.

INSTALL VISUAL STUDIO ADD-IN

The Qt Visual Studio Add-in is indispensable for developing Qt apps in Visual Studio. The Add-in has replaced the previous Qt Visual Studio Integration, which was only available to Commercial customers.  Now the Add-in is used by both LGPL and Commercial licensees, and the Integration has been deprecated.  While the Add-in does not allow integrated .ui editing (it instead launches Qt Designer to edit .ui files), it is fully supported and maintained by Nokia, whereas the Integration hadn’t been modified since the 4.3/4.4 timeframe.

Because Visual Studio Express does not allow add-ins, using these free versions of Visual Studio is not recommended for Qt development.  You need at least Visual Studio Standard (Pro, Team System, etc. of course will also work).

1.  Download and install the Qt Visual Studio Add-in to install the Qt plug-in into Visual Studio (both 2005 and 2008 are supported by the add-in).

2.  Start Visual Studio.

3.  Select menu Qt | Configure Qt Versions.  Add c:\qt\4.6.1-vc.

4.  Now Qt is fully functional, and you can use VS2005/2008 to build Qt apps.

QT IN VISUAL STUDIO

1.  See Qt menu item.  Launch Qt Designer (the Resource editor) and Qt Linguist (the localization tool).

2.  Create new Qt projects.  File | New project, select Qt4 project.

3.  Read Qt Help.  Available from Help menu (Qt help is merged in with Visual Studio Help and viewed in Document Explorer.)  Or, manually launch

C:\Qt\4.6.1-vc\bin\assistant.exe

4.  The Whole Tomato Visual Assist X plug-in is highly recommended to develop Qt within Visual Studio.  See this blog entry for tips.

Reducing our commute with GotoMyPC and Camtasia

January 22, 2010

One of the big benefits of being an offsite consultant is the improved quality of life.  Having commuted every workday for years, it is truly a blessing to gain an extra hour or two per day, as well as the energy normally spent gritting teeth as traffic inches forward.  Not to mention the gas savings (even with my Honda Civic, which gets 33 miles per gallon, at $4/gallon this is still worthwhile).

Still, nothing beats a face to face meeting, and we’ve seen contractors fail to deliver and subsequently fall from grace with the client, due to misunderstandings that simply don’t occur when you’re regularly onsite.  How to get this benefit without actually being there?  We’ve become instant fans of GotoMyPC and Camtasia, both of which have saved us many commute hours.

GotoMyPC allows us to access a PC using a browser.  Although there are cheaper solutions such as LogMeIn (which is free), GotoMyPC’s performance (approaching that of Microsoft Remote Desktop) and ease of use make it well worth the cost.  As an additional benefit, you can share your desktop with another person over the Internet; he or she can use mouse and keyboard to control the desktop simultaneously with you.  It’s like the two of you are collaborating side by side, but it’s actually better because you have your own private screen/keyboard and don’t have to share!  It’s hard to beat GotoMyPC for two-way, interactive communication.

Camtasia records your screen along with your voice, making it easy to create Flash-based videos (which look good and aren’t huge).  Since everyone has the Flash plug-in, simply e-mail the url where you’ve uploaded the video and it instantly streams to their browser and starts playing within seconds.  Creating videos allows clients to see the product actually running as well as deep dives into the Visual Studio IDE to discuss technical coding issues.  Compared to being there, the information is conveyed with near 100% accuracy.  Both client and contractor prefer it to a physical meeting, since it’s less stressful and eliminates another time commitment.  I figure if I can save a handful of trips per year to client sites by recording Camtasia videos, it will easily pay for itself.

Unfuddle.com – our journey from the comforts of Visual SourceSafe

January 22, 2010

As many Windows developers know, there is no source control system that is as easy as Microsoft Visual SourceSafe.  It comes with many versions of Visual Studio and is the justifiable default.  We’ve been using it for many years now, and laughed when we saw other developers keeping multiple directories with various versions of source code on their hard disks.  Seriously, if you are doing that, you really need to do yourself a favor and start using SourceSafe.  It gives you a safety net to easily go back to known good points in your development, as well as quickly determine what code you have changed.  It will also shield you from other people’s code changes, since it will do the painful merging for you at checkin time (you only have to resolve conflicts when the same lines of code are changed by someone else; most notably, in resource.h and the .rc file!)  Once you try it, you will feel so much more secure that you will not go back.  SourceSafe looks like Windows Explorer, so you have very little to learn.  You will be up and running very quickly.

Alas, we stayed with SourceSafe as long as possible, but eventually outgrew it.  When remote subcontractors became involved in our projects, SourceSafe no longer suited, as it is far too slow for remote access over a VPN.  We also got tired of running Analyze all the time, and it was a constant reminder that we were using a not-totally-supported product.  We also yearned for integrated bug tracking (where you can associate a bug number with a checkin, and thus easily access the code from the bug report).  But what else is there beyond SourceSafe?

We were looking for a package that was as simple and intuitive as SourceSafe, yet more reliable and usable to access remotely.  Since SourceSafe is free if you have Visual Studio, cost is also an issue.  The short list included:

  • SourceGear – designed similarly to SourceSafe, but solving the reliability and remote access problem.  Con:  expensive, setting up server is complex.
  • Perforce – a rock solid package, but depot/clientspec concept is complex, P4Win is not pretty.  Con:  expensive, setting up server is too complex, Diff and merge tools are lacking, Integrated bug tracking with Bugzilla doesn’t work well.
  • Seapine – Many of the same benefits and disadvantages of Perforce, but on the whole more user friendly.
  • Subversion – at first, this OpenSource project left us cold, but after some friendly hands pointed us to the TortoiseSVN client, we were quickly won over by its simplicity and well-constructedness.  But installing the server still was very complex, and there was no integrated bug tracking.

Solution:  use Subversion, but through a hosting service.  The server is already set up, and the service also adds integrated bug tracking.  We’ve been using Unfuddle.com for about a month now and are very happy with it.  We also tried and were reasonably happy with CVSDude.com but prefer the more polished UI of Unfuddle.  As well, the proprietary Unfuddle Ticket system (bug tracking) is just superb, much better than Trac (which is another open source bug tracking project that supplements Subversion).

“Hosted” you say?  Surely you would never store the crown jewels of source code on someone else’s server.  No sir!  Well, admittedly, we held off on using a hosted solution for several months until the pain point of not having a collaborative version control system forced our hand.  We simply were not going to invest in setting up an Internet-facing server of our own; not only is this not our expertise, but it also requires getting a business-class (symmetric upload and download speeds) broadband connection for it.  So it was hosted or nothing.

And we do take precautions.  All Unfuddle access is via https.  As for storing the source code on a third party’s server, that is really no different than hosting your company’s e-mail on someone else’s server, and exchanging source code with other developers through e-mail attachments is quite common.  So when you look at it like this, you could argue that the risk of using a third party server is the same for both e-mail and source code, and that risk is deemed sufficiently low for both practices.

We highly recommend Unfuddle for mere mortals (like us), and if you are more of a propeller-head, then you may be more at home with CVSDude.

Welcome to the DCSoft Blog

January 22, 2010

Welcome to the DCSoft blog… here you will find useful tidbits from our experience running a small software consulting company.