ShopMate Internet Download and Internet Installation Security

Softhard Solutions ShopMate Business Accounting Software for Businesses

Get Internet Installation of Business Accounting Database Software Offer

Hi everyone,

Many users are asking about the ShopMate Internet and AzureMate Download and Installation and the Internet Installation Security that is associated with it. In this post I would like to explain more fully the Digitally Singed Software and how it works.
Those of you who want to know more of what Softhard Solutions ShopMate or AzureMate are, learn more about ShopMate or AzureMate.

All our downloads come from our Microsoft Azure data storage server, using secured 'https://' protocol.

The difference between Windows Installer and the Internet Installer is that we could create the Windows Installer and, therefore, could guide you through the correct steps to install ShopMate. The Internet Installer is run by Microsoft Technology, ClickOnce, which should be trusted and which installs ShopMate or AzureMate on your computer, independently of us. The ClickOnce allows you to be automatically notified about any changes in version upgrades we implement, the users of Windows Installer would have to check with us periodically on our website. When you use the Internet Installation, ShopMate is installed on your computer for current user in so called SandBox configuration, meaning that only the user who installed ShopMate can run ShopMate afterwards.

ShopMate or AzureMate Internet Installation

Typically, you would use the ShopMate or AzureMate Internet Installation Setup on machines that have full, partial or timed access to the Internet Network. ShopMate Internet Installation is the preferred way because the Deployment of ShopMate and any of its later updates to customer users is simple, easy and mostly interaction free.

For ShopMate or AzureMate Internet Installation and deployment, Softhard Solutions is using the Microsoft ClickOnce Technology. A ClickOnce application is a .NET Framework (system) client application combined with manifest files that describe and authenticate the application and supply installation parameters.

The application is installed on the client computer in a so called "SandBox", per currently logged in User only and, therefore, totally self contained and secured and the application can be run afterwards only by this same user on that machine. So, say there are 5 different users using the same machine and all want to use ShopMate, all 5 users must run the Internet installation, 5 installations will exist on that machine. This is ok, the ShopMate Internet Installation has a very small footprint.

One Shortcut, to run ShopMate, is created on your desktop by the setup. Two more entries are created, one in the Start button on your windows Task Bar to access and run ShopMate and another one is created in the (32 bit) Add/Remove Programs or (64 bit) Uninstall Programs section of your Control Panel to be able to remove ShopMate. The Icon for removing ShopMate is created by ClickOnce setup and is different looking from the normal ShopMate Icon.

ClickOnce makes it easy for our customer users to receive all ShopMate Updates that we implement and publish by being notified automatically about current changes when they run ShopMate. Unlike in Windows Installer of ShopMate, they do not loose any settings they may have set and the installation of the updates is done smoothly, behind the scenes, without any interaction.

The user clicks on the Install link just once and the software is downloaded from our website download page and installed on user's machine without any further interaction. This only works in theory. When your Browser security and later the windows security kicks in at the actual installation, the user has to make choices that the security is presenting and, obviously, click more than once.

Packaged software uses branding and trusted sales outlets to assure users of its integrity, but these are not available when code is transmitted on the Internet. Additionally, there is no guarantee that the code hasn't been altered while being downloaded unless the secured 'https://' protocol (all our downloads from our Cloud Microsoft Azure data storage server are using this protocol) is used instead of normal, unsecured, 'https://' protocol.

Browsers typically exhibit a warning message explaining the possible dangers of downloading data, but do nothing to actually see whether the code is what it claims to be. A more active approach must be taken to make the Internet a reliable medium for distributing software.

ShopMate Internet Installation Security
So what should be done to secure the installation?
The deployment software must be digitally signed using Authenticode signing. Publisher information based on the Authenticode signature will be displayed to the user in the permissions dialog box during installation, to show the user that the application originated from a trusted source and that the application has not been altered.

It is a cryptographic signature that consists of a public and private key; generally issued by a certification authority (CA) that can vouch for its authenticity.

Digital certificates are a core component of the Microsoft Authenticode authentication and security system. Authenticode is a standard part of the Windows operating system. All ClickOnce applications, like ShopMate, must be signed with a digital certificate, regardless of whether they participate in Trusted Application Deployment (CD, DVD) or not. Without any digital certificate the application will not even compile.

So, we did that. We purchased a Digital Certificate (for big bucks mind you) from a reputable certification authority (CA) and signed ShopMate and all of its components (assemblies) with it. That got Softhard Solutions into the Microsoft's "Trusted Publishers List" which is distributed into every windows system in the world.

But...

When the CLR (common language runtime - system) loads an assembly (component) which has an Authenticode signature, it will always try to verify that signature. This is in contrast to the Windows Installer loader, which will verify the signature of a file only in specific instances, such as when the file is an ActiveX control.

This verification can be quite time intensive, since it can require hitting the network several times to download up to date certificate revocation lists, trusted publishers, and also to ensure that there is a full chain of valid certificates on the way to a trusted root (CA).

So, when an Authenticode signature is applied to an assembly it's not unheard of to see a large delay in the application and component startup while that assembly is being loaded.

Well... This was totally unacceptable...

To fix these problems, we decided to go down the road of removing the certification authority's digital signature certificate and, since all ClickOnce applications must be digitally signed, creating and using our own, self signing certificate, which does not do the above checking, only checks for tampering once, to return the ShopMate and AzureMate applications and their assemblies loading performance back to "normal".

This was done with a cost...

The loss of being included in the Microsoft's "Trusted Publishers" list and, therefore, relying on our customer users' trust of our website from where they install the ShopMate application. Look at our website, we are partners with the Google Search Engine and member of the Google+ Social Network.

Only reputable websites are allowed to publish Google adds and be members of Google+ social network. Google would not allow us to publish their adds if we were not a reputable and trusted website. If Google trusts us - can you? Please read the above independent audit, public description of softhard-solutions.com website.

The cost was too high...

During this period of not being included in the Microsoft's "Trusted Publishers" list, all was ok for a while and then, we slowly noticed a dive in our sales. This was due to Microsoft ever increasing drive for safer web. People are more and more aware of dangers that the web presents. With this drive they have meanwhile improved the Authenticode signature reading so now, when an Authenticode signature is applied to an assembly it has no large delay in the application and component startup while that assembly is being loaded.

So now we have gone back to digitally sign all our assemblies and components and are included in the Microsoft's "Trusted Publishers" list, which means downloading from us is totally safe for you again.

So what happens when you press the Install ShopMate Database or AzureMate Application button?

For any ShopMate prerequisite you do not have installed on your machine, extra windows security pop-up will ask you if you want to Save the file or Run it. The publisher of these prerequisite files is usually Microsoft but it may not show it. You only need to run it on your system to install it, if you do not have one on your system yet, so press the Run button.

When you click Install ShopMate or AzureMate Application button the ShopMateSetup.exe installer file is downloaded, for AzureMate the AzureMateSetup.exe installer file is downloaded. Depending on your browser, most save the file in your user Downloads folder.

Safari Browser
In Safari you can choose to save or run the installer. Click Run button. This will save the file and start the installation.

Firefox Browser
In Firefox you can choose to save installer. Click Save File button. This will save the file.

Chrome Browser
In Chrome the installer is saved. You may get a warning that this file is not commonly downloaded and may be dangerous and shows Discard button. This happens after each new release of ShopMate and will disappear in time since the installer file is digitally signed. In that case press the down arrow and click Keep button. This will save the file.

Internet Explorer Browser
In Internet Explorer you can choose to save or run the installer. Press Run button. This will save the file and start the installation.

If you have not clicked any Run button, after saving the file, navigate to it and run it by clicking or double-clicking the file. This will start the installation. First any prerequisites are downloaded and installed and then, finally, when the Windows Security asks you if you want to Install the Application, click the Install button to start final installation.
The security pop-ups, if any, when you run the ShopMateSetup.exe (and the Prerequisites), is there for your protection. Never run any executable (.exe) file you download unless it is digitally signed, it clearly shows the publisher name if it is, or you know it is safe to run it. All our assemblies (.exe, .dll etc.) are digitally signed. The Prerequisites are signed by Microsoft Corporation.

When the actual installation of ShopMate starts, windows security pop-up, showing "Softhard Solutions" as the publisher, will ask you if you want to Install the application or Do Not Install it.

The reason why it is showing "Softhard Solutions" as publisher" is explained above. The ShopMate application is digitally signed with a reputable certification authority (CA) certificate which signed ShopMate and all of its components (assemblies) with it and, therefore, we are included in the Microsoft's "Trusted Publishers List".

The publisher of the ShopMate and AzureMate applications is us, Softhard Solutions and the application is being downloaded and installed from our Google trusted website, so, go ahead, push the Install the application button with trust that the application comes from a good source, Softhard Solutions.

When ShopMate launches, follow the instructions carefully, especially when it comes to entering of your Company Trading Name and all other business details.

I hope these instructions will help you understand a little more about what is going on behind the scenes of Downloading and Installing ShopMate with Internet installation. If you have more questions please contact us by e-mail.

Softhard Solutions ShopMate team...