Signing binaries and getting on Steam

legal-entity.md

Introduction

For a while now, we have been talking how we get our OpenTTD binaries signed, and how we would get published on Steam. There are many aspects to this, and I am trying to put all that in a single place.

Signing binaries

None of the current developers really has experience with this. So most of this information is collected from googling, asking on reddit, asking on twitter, etc. Please, if you have any experience with this and read here things that are wrong or could be done cheaper, let us know!

Code Signing Certificate

Depending on the platform, there are different needs for signing binaries. What they all have in common: you need a Code Signing Certificate. They come in two flavours: OV and EV (Extended Validation). For example, on Microsoft platform, an EV bypasses their SmartScreen (the nag-screen you get when you downloaded and application and start it for the first time). An OV still shows it, and over time, as you gather trust, it will fade away. With an OV it does allow you to run it without going through hoops. [1] [2] [3]

The price of such certificate heavily depends on which authority you use.

• Comodo / sectigo charges $166 for OV and $299 for EV, per year.
• GlobalSign charges $289 for OV and $410 for EV, per year.
• SSL.com charges $129 for OV and $349 for EV, per year. They do give heavy discounts if we order multiple year in advance.
• GoDaddy charges $199 for OV, per year. GoDaddy does not seem to offer an EV. (Mind you, their Driver Signing Certificate is a very old product; you can't even sign Drivers for Windows 10 with it, which require an EV.)
• DigiCert charges $499 for OV and $699 for EV, per year.
• Certum charges $129 for OV and $359 for EV, per year. Certum has one other offer, an Open Source one, for $25. But, there is a but. That only works if you request the certificate from a personal name. This will also be stated on the name on the certificate, "Developer ....".
• ksoftware charges $84 for OV and $349 for EV, per year.

In all cases, we need a legal entity to request the certificate.

Apple

Next to these costs, from what we understand, for Mac you also need an Apple developer account. This costs $99 dollar per year.

We need a legal entity to request an account.

Platforms

Steam

To signup for Steam (via Steamworks), you need a legal entity, with a valid banking accountnumber. You need to proof your identity. After this, you can create an account.

Depending of the country the company is created, there will be some money involved in getting a bankaccount on the company.

Microsoft Store

We are on the Microsoft Store.

Legal entity

As you might have read, everything needs at least a legal entity before we can do anything. This comes in three forms:

1. put it on the personal name of one of the developers
2. find a "shell" company that hosts open source projects (Apache, ..)
3. create a limited liability legal entity in some country

Personal name

Although this is fully plausible, and even the cheapest solution, there are some questions that needs answering:

1. what if that person leaves the community or becomes unreachable?
2. are users going to trust a random name they see on their binaries?
3. what happens if such person is held liable in what-ever form, in regards to OpenTTD?
4. are we financially supporting this person for the costs he makes during all this?

They can all get their answers. For example, if we minimize what we do under such entity, 1) can simply mean someone else goes through the hoop the year after. 2) will always be a pain, but maybe people don't notice. 3) we can say "that is not going to happen". 4) seems like the most sane thing to do.

Nevertheless, these questions need answering, and someone needs to be willing to do so.

Umbrella company

There are several companies that accept Open Source projects, allowing to use them as a legal entity. They mostly even help with all kinds of things. Apache Foundation is of course one of them, or Software Freedom Conservancy. There is also an Europe based on, techcultivation, but this doesn't seem to be anything just yet. We can only find a whitepaper about it, and that is about it for now.

There are a few things to keep in mind with these companies:

1. it is unknown to us what the impact is of moving OpenTTD under their umbrella. It is clear that you put all your assets in there. For example, SFC keeps 10% of the donations (which is fair, I guess). These things have to be investigated and worked out.
2. most of them are US-based. The EU was busy with these kind of things, but to our knowledge, there is none yet. Most (all?) of the OpenTTD developers are EU-based. To us the legal impact of moving everything to US is unknown.
3. it is unclear of a Foundation like Apache would accept a game like OpenTTD.

Limited liability legal entity

The Netherlands

For this, I (TrueBrain) looked into how to do this in The Netherlands. I cannot speak for any other country, as I live in The Netherlands. In The Netherlands we have a concept called "Stichting", which is a legal entity where there is a board in charge. The board can be anyone, as long as they have proven their identity at the notary. We can change who is in the board at any time. It is strongly suggested there are always 3 members in the board.

Such "Stichting", in the way we would set it up for OpenTTD, cannot pay people. It would only accept donations and spend it on infrastructure, certificates, etc. It (most likely) won't have to pay VAT.

By law, this "Stichting" is liable, unless the board was negligence; this is unlikely in our case.

There are costs involved to set this up: ~300 euro one-time fee, and a fee for mutations.

There are two drawbacks:

• a "Stichting" need a Dutch home address at all times. It doesn't matter who is in the board, as long as the address is a real address in The Netherlands.
• the name of the "Stiching" needs to contain the word "Stichting"; so "OpenTTD Stichting" would be the name. This name will be shown on certificates too.

Most likely similar solutions exists in other countries (in Europe).

UK

orudge, see below in comments, gave some input on this. In the UK you can launch a company for 15 pound (a year it seems). It would have one (or possible more) directors.

Yearly some documents have to be filed, and that is about it.

As of yet, nobody checked with a notary or lawyer if this works for our situation. The assumption is it would, given the collective experience with running companies in the UK. It might be worth checking with a notary/lawyer before proceeding with this solution.

Germany

michi_cc, see below in comments, gave some input on this. There was some more chat about it on IRC. Bottom-line: not a valid option.

Denmark

nielsm, on IRC, gave some input on this. Bottom-line: not a valid option.

For completeness, as well as Apache Foundation, we have also had suggestions about talking to https://twitter.com/fsfe and https://en.wikipedia.org/wiki/Software_Freedom_Law_Center

Researching all this and taking advice of course takes time :)

As far as I can see, an EV certificate needs to be kept on a separate hardware key store. I'm not sure if would be possible to integrate that to a cloud-based release workflow.

For Apple, the certificate seems to included in the developer account. To register as an organization, the org needs to have a D-U-N-S® Number. It's not immediately clear if a Stichting can get or have one.

The DUNS-number was also a thing with Steam. IIRC.

For German law, an "Eingetragener Verein" would probably be the best choice. It is a lot more complicated compared to a Stichtung, though. You need 7 members to register, and at least 3 members after that at all times. Additionally, you need to have bylaws, member meetings and probably some stupid recurring paperwork.

I agree that an association-like structure will probably be a better fit than a foundation-like structure.

A UK company can be registered very cheaply and easily (cost about £15, and a similar annual fee to file some documents), and now requires just a single director/secretary. It does of course have to pay taxes (corporation tax at 19% on annual profits), so would not be a good vessel for donations. If there is an umbrella organisation that can take us, then that might well be the best option in the long run, but I can't see why there couldn't be an "OpenTTD Ltd" that is used to sign binaries, publish OpenTTD to app stores, etc. OpenTTD Ltd would not accept donations, they would remain (for now at least) with me, then when a certificate needs purchasing, I would pay OpenTTD Ltd the $150 or whatever and OpenTTD Ltd would then go off and purchase the certificate, and would otherwise hold no monetary assets (and hence pay no taxes, or very trivial amounts). I am very much not a lawyer, but I don't see why this shouldn't be possible.

If we really wanted to go down the road, OpenTTD Ltd could also hold an OpenTTD trademark, though I'm not in a particular hurry to pursue that myself.

Some questions about the UK corp: in The Netherlands as a normal company you have to make money. Are there these kind of restrictions in the UK too? That is the reason in The Netherlands we need a Stichting, instead of a (free) "BV" (normal company).
If we use such Ltd only as shell Corp for licenses etc, are there any liability risks towards the owner of said Corp?
As you mention not being a lawyer (never knew :p), possibly wise to check with someone about these details before we consider this an option. I called a company here that helps with setting up companies, and talked to a notary for 30 minutes or so. He could much better articulate the things to keep in mind. Would be lovely if we could add that to the UK picture?

Tnx for the details btw, much appreciated!

Technically yes, but there's no reason you can't make your expenses and income balance out (or have expenses of £150 and income of £151). You could register a charity in the UK which is not profit making, and which can benefit from Gift Aid schemes etc, but that's significantly more complicated in terms of requirements, accountability, etc. (Hence a proper foundation, operated by people who know what they're doing, would be better!)

With regards to liability, a Limited company is a limited liability company, i.e. directors cannot be held personally responsible if the company is unable to pay its debts. There are some exceptions, but if we are using this simply as a shell corporation, I think we should be OK:

Overdrawn director’s loan accounts
Signing a personal guarantee
Debts have accumulated due to fraudulent means (such as taking on credit you knew you wouldn’t be able to repay)
Director misconduct
Continuing to pay shareholders dividends whilst the company is insolvent
Withdrawing and/or using company funds for non-business activity; this is an offence known as misfeasance
Disposing of the company's assets at undervalue or no value

I don't unfortunately have the time or immediate means to try to arrange a consultation with somebody, but I am happy to register and operate a UK company under this basis if we wish to go down this route. (I've run my own hosting company as a Ltd company since 2009.) As noted, it would be for licensing only, and donations etc would be kept separate.

That doesn't sound like a bad idea, form a company whose business is offering binary signing and publication services to its sole customer, the OpenTTD project.

I appreciate the offer, as always.

The thing that still worries me a bit, and I worded it poorly: a company doesn't have to make profit, but it needs to pay an employee for it to be a valid company. And it should be in the order of 30000 euro a year. Is there no such rule in the UK?
Without some outside consult I am a bit hesitant of such solutions. We are not lawyers, and solving problems after the fact is difficult. So I would strongly suggest someone calls a notary if we want to take the UK route. At least I was a bit surprised by the little rules I did not know, despite operation my own company for many years now ;)

Another thing to consider of course is that this still has a busfactor of 1 :) so for certificates that can be fine; for trademarks it is not.

Otherwise the solution is the same as the Dutch or German version, so I guess we are all considering our own legal entity as a solution. That is a good thing :)

This means we need next steps. On one hand we need to agree we are going to spend donation money on this yearly. On the other hand we need to agree on the form. Both not something for this gist ;)

No, there's no such rule in the UK. A company does not have to pay dividends, or employ anyone. It just requires a minimum of 1 director. (There can be more directors, and indeed they can even be overseas I believe - the 'registered office' just needs to be in Scotland, in the case of a company I set up.)

The UK option is probably the cheapest and most 'admin-free' option, from what I can gather, but I would only be intending it as an intermediary for offering certificates/app store hosting, and nothing more. Hence if for whatever reason we then needed to close it, or we do join a foundation elsewhere, we don't have any assets per se to have to move.

In the UK we also have Community Interest Companies (CIC), they have quite strict rules, I have been around the set up of one, but I don't know the details.

Right now work calls, but I can look at this later. Or we can just go the Stichting route?

No, there's no such rule in the UK. A company does not have to pay dividends, or employ anyone. It just requires a minimum of 1 director. (There can be more directors, and indeed they can even be overseas I believe - the 'registered office' just needs to be in Scotland, in the case of a company I set up.)

The UK option is probably the cheapest and most 'admin-free' option, from what I can gather, but I would only be intending it as an intermediary for offering certificates/app store hosting, and nothing more. Hence if for whatever reason we then needed to close it, or we do join a foundation elsewhere, we don't have any assets per se to have to move.

That sounds very much less hassle-free than anything I find here as option in Germany. This option would have my vote - we don't need more than just an entity to which certificates are issued and which could be used as legal entity for business purposes with app stores or similar.

Unless of course andy's solution is even more interesting :)

I looked into UK CIC, it requires statement of purpose, and approval, and annual filings of social outcomes. It's not a route we would want to pursue.

Current best options look like:

• Stichting
• UK Limited company

Like orudge, I've been running UK limited companies for years, and I can get accountancy and some legal advice for free. But my gut feeling is that the Stichting looks more appropriate.

I suppose it depends on whether we want a vessel for donations etc (which would be ideal long term, but I think requires some careful thought to understand the appropriate implications and responsibilities), or a simple solution to the current signing issues.

Yeah, seems to be either short term do UK or do more longterm in NL.

UK would be the way of least resistance.

The NL variant has more protection in terms of legislation as there is always a board of 3 (and part of the legislation will make sure that as long as 2 out of the 3 agree, things can go on). This also indeed means we can do donations via it, trademark, etc. Basically it would live forever :)

In regargs of implications and responsibilities, the company that will help setup the Stichting assists in this. They know how to do that, and basically does everything for you. So we got that covered. (and as it is done by a notary, you can be asure it is correct too :D). And yes, I did a bit of work here ;) I wanted to be sure this would be a possible solution, and not based on my own view of the law :D (as this stuff scares the shit out of me)

Stupid gist commented before I was done typing.

Anyway, my main concern with the UK road is that we again postpone solving the complete issue. The NL road solves it in a more permanent state. And this is the balance point for me. Do we want a quick fix and be done with it, or do we want to invest a tiny bit more and have it solved for good. At least, that is what is balancing in my head atm.

Personally I rather do UK, as that means I have to do less work. But when I look at OpenTTD as a whole, I rather do NL, as that would remove this issue for good.

Choices :)

Once you set up the corporation, how much will it cost for annual income tax filing and bookkeeping? In my personal experience, I've found that to be surprisingly expensive for a small corporation...

Once you set up the corporation, how much will it cost for annual income tax filing and bookkeeping? In my personal experience, I've found that to be surprisingly expensive for a small corporation...

probably depends on the country.

Once you set up the corporation, how much will it cost for annual income tax filing and bookkeeping? In my personal experience, I've found that to be surprisingly expensive for a small corporation...

For a Stichting, the only yearly work is tax filing really, and you can get an exempt for that with a company this size. That means the only thing you have to do is to keep a book of what you get and spend a year, and store that somewhere for a few years. Very minor bookkeeping. That is one of the reasons I was looking into that form ;)

For the UK variant, orudge is already doing that for his own company, so I am sure he knows the work he would be getting into.

But yeah, from experience too, having a normal company that makes money, requires you to spend silly amounts of time a year to get everything in order .. ugh :P But luckily enough we can avoid most of that.

If we had a UK “holding” company for the very limited purposes I described, there’s a £13 filing fee per year, plus 19% tax on profits - however, if income = expenses (or expenses + £1), profit will be very minimal and tax will too. As there will be very few transactions going through the accounts, a spreadsheet will be sufficient for accounting. Total cost maybe £15/year. VAT registration not required under £85K turnover. Can also get a fee-free business bank account for this trivial amount of turnover.