
Calling GnuPG "email encryption software" really understates its importance. It's also used in countless applications to encrypt data at rest, and GPG signatures are used to secure the distribution of software. For instance, GPG is an essential part of the package managers of Debian, Ubuntu, and RedHat.

Here is a link to the donation page: https://gnupg.org/donate/index.html



Seems odd that the MANY projects dependent on GPG don't donate enough to GPG to employ one guy.

Do Free Software projects with funding 'pay it forward' to the volunteers on other projects they heavily depend on? (I don't really know.) If not, they deserve to suffer the consequences.


I freely confess to being flabbergasted by these displays of less-than-rigorous thought processes.

How would a free software project 'pay it forward'?

They are in a very similar position, aren't they?

Edit: For some reason, I can't reply to child comments (probably a cool-off time-out at work?).

Just a short note here, then: $1.25e6 for the FSF translates to 10 developers like Koch being paid (the donation page quotes "120000 EUR").

That's ten. For the whole FSF. As an example of a well-funded project. I'm not going to comment on that. HN would rightly give me months of cool-off time.


There are many free software projects that are decently or well funded. They have no problem meeting their donation requests, and having a good budget year over year. These projects are usually end user facing, in a way that their dependencies aren't.

It seems reasonable that these projects should consider adding items to their budget to redistribute funds to projects that they depend on.

Some probably do this, however I think the GP was suggesting that something like this become more common.


> There are many free software projects that are decently or well funded. They have no problem meeting their donation requests, and having a good budget year over year.

Too bad OpenSSL wasn't one of them until after the big "heartbleed" incident.

The core infrastructure projects don't seem to get as much funding as they ought to, especially given almost everyone relies on them (even if they don't realize it).

Prior to Heartbleed and the industry rallying to fund critical projects, OpenSSL only received an average of $2,000 USD a year[1]... that's pathetic.

[1] http://arstechnica.com/information-technology/2014/04/tech-g...


Arguably, OpenBSD deserves that funding more for the ongoing process of fixing the OpenSSL codebase than OpenSSL does for making it as awful as it is.


Over the next three years, the Linux Foundation will receive a combined total of $3.9 million from Google, Intel, Amazon and others to fund core infrastructure projects such as OpenSSL. Sounds good until you take a step back...

> Intel will invest "$300 million to help improve the pipeline for women and minorities, actively support the hiring and retention of diverse candidates, and fund programs that support the positive representation of women and minorities in technology and gaming industries."

http://www.wired.com/2015/01/intel-diversity/

> "Google Gives $775,000 to Nonprofit for Tech Diversity CODE2040 said Monday it received $775,000 in grants from the tech giant to support the launch of free training programs for more than 5,000 black and Latino college engineering students over the next two years."

http://blogs.wsj.com/digits/2015/02/02/google-gives-775000-t...


I bet they also spent crazy money on non-diversity related things like employee perks or lobbying.


It's interesting with the Outreach programme in GNOME (I think that's what it's called), because if you periodically look at planet.gnome.org, there are interesting things going on with developers within that outreach programme.

But there are also justified backlashes to the programme, given that there is a perceived priority given to the programme in some areas instead of writing software. The argument is that not everyone and their dog needs to be involved with writing software, so why should we encourage them to? You don't see such pushes in dentistry, the car industry or anything like that; "Are you a WOMAN? Then join the car industry!".

Strangely we do in IT though, where it is the belief that we should make EVERYONE code!

The "I will fight you and I will win" response from Emmanuelle Bassi is a particularly horrible/strange/passionate reaction from one of the guys involved with the programme: see http://blogs.gnome.org/tvb/2014/09/12/im-looking-at-you/comm...


> You don't see such pushes in dentistry, the car industry or anything like that; "Are you a WOMAN? Then join the car industry!".

Yes you do. Every single fucking time this comes up someone says "you don't see this in construction". It's rebutted every time it comes up and it's really fucking easy to do a simple web search to find examples of programmes to get men into teaching or nursing or to get women or minorities into construction.

Example links have been posted to HN many times.


I wiped your profanity and spittle off my screen.

I haven't seen anything like this here in the UK. Is it a US thing?

BTW, I wasn't advocating for or against in this GNOME argument. I am entirely an observer and was highlighting the arguments made by both.


Replying to myself to mention that I am neither for nor against the GNOME outreach programme!! - I am entirely an observer! I haven't used GNOME since GNOME2 due to disliking the new interface; I periodically check on there to see what's going on in the GNOME world and it is quite interesting, both for developments and also for what's going on internally with disagreements and discussions between people.

I thought I ought to add that because I suspect people are thinking that I dislike the programme? Either that or people like down voting with no reply.

With regard to the encouragement for everyone and their dog to take up coding, I see it a lot but in truth I do not see the same things in other professions - I have never seen a push to make youngsters take an interest in banking or journalism yet over here in the UK there is a push to make programming/coding a part of the national curriculum for youngsters, hence the introduction of the Raspberry Pi to encourage that.


Didn't GNOME almost go bust last year and hold an emergency donation drive, due entirely to granting too many paid internships (or similar) to people who aren't established GNOME developers, or even programmers?


No. The GNOME foundation is managing the funds of the outreach program (which doesn't have anything to do with GNOME, really, except it started there), so when some of the sponsors (think big corps) of the outreach programme didn't pay their agreed upon share on time, the foundation ended up in trouble. It was simply a liquidity problem which was solved when they received the sponsorship money.

That's at least how I think it went, you can go look it up, the details are online.


> There are many free software projects that are decently or well funded.

Which ones are those?


Debian, Ubuntu, OpenSSH, Firefox, Apache, etc.

In addition, some projects that are not well-funded as a project are "funded" in the sense that companies pay people to work on them, for example Microsoft paying Simon Peyton Jones to work on GHC.


Firefox is kinda special because they get a lot money from whoever pays them to be the default search engine, doesn't matter if it's Google or Microsoft or Yahoo. There's only so much software that can get away with that, GPG certainly can't.

All of the Debian developers are volunteers, am I wrong? Slackware can barely support one employee, the founder. OpenSSH falls under OpenBSD, which also supports just the founder, everyone else volunteers, and they DO volunteer some serious time and do important things. They also had problems raising funds, there were discussions on HN about that here, and I'm sure there will be more in a year or two.

From: http://www.openbsdfoundation.org/campaign2014.html :

* If $10 were given for every installation of OpenBSD in the last year from the master site (ignoring the mirrors) we would be at our goal.
* If $2 were given for every download of the OpenSSH source code in the last year from the master site (ignoring the mirrors) we would be at our goal.
* If a penny was donated for every pf or OpenSSH installed with a mainstream operating system or phone in the last year we would be at our goal.

This is kinda depressing.

Is there someone from the Debian project here? I'm wondering if they could afford to run their own mirrors around the world if they had to. Could they cover hardware, colo and bandwidth costs, if they had to? I'm just curious.


> There's only so much software that can get away with that, GPG certainly can't.

That's the point -- the ones that can should support the ones that can't, which are often foundational components of the reason the ones that can, can get money in the first place.


Perhaps GPG should annually auction off which nation-state security service or online advertising company's public key gets automatically added to the recipients list for each encrypted message? </cynical>


It's a complex topic, so I think it's best to look at different funding models differently.

Ubuntu is funded by Canonical. http://en.wikipedia.org/wiki/Mark_Shuttleworth in other words. So one big donor.

Debian... seems to mostly get by on volunteer labor and be ok with it, or it did when I was involved with them. Has that changed? I suspect that in some ways Debian is underfunded given the amount of work they do. Perhaps money would make some things happen faster there.

The Apache Software Foundation does a decent job at fundraising, and even employs a few people to do stuff like administration. Most of the projects get by with companies that pay people to work on them, which seems to work out pretty well.

Firefox/Mozilla make most of their money with deals: Google and Yahoo, last I remember.

I don't know about OpenSSH.

It's possible, but mostly donations don't seem to work unless it's big chunks of money from companies.


> The Apache Software Foundation does a decent job at fundraising, and even employs a few people to do stuff like administration. Most of the projects get by with companies that pay people to work on them, which seems to work out pretty well.

The ASF budget is roughly 1.2 million a year, the bulk of which goes to maintaining infrastructure for 200+ projects.

https://www.apache.org/foundation/records/minutes/2014/board...

As a 501(c)(3) non-profit, it is constrained as to what it can do with donations.


AFAIK Ubuntu is profitable for Canonical, so I wouldn't call that a donation.


> AFAIK Ubuntu is profitable for Canonical, so I wouldn't call that a donation.

Unfortunately, that is very far from true.

Ubuntu was negative $21 million USD in 2013[1]. Canonical would literally make money by just not doing Ubuntu anymore.[2]

(Every time Canonical is on the verge of bankruptcy, Shuttleworth re-seeds back into the company from his personal checkbook)

[1] http://www.scribd.com/doc/199373896/Canonical-Group-Limited-...

(the numbers are represented in thousands, so 21,343 is 21,343,000)

[2] http://www.wired.co.uk/news/archive/2013-08/13/mark-shuttlew...

The significant losses due to Ubuntu development and related expenses are why Canonical as-of-late has been turning focus away from Ubuntu towards other markets such as Mobile and especially Enterprise (a la Red Hat's turf).


Ubuntu itself is a central part of their cloud business, so Ubuntu is indeed profitable for them. What's not profitable is their desktop and end users' market.


That's not quite how it gets expensed (nor how it works).

Canonical's cloud business might be profitable (even though Canonical as a whole is very-much-so-not), however their cloud business is not coupled to Ubuntu, ie. they could use any Linux distro, or any OS for that matter.

Ubuntu is a total loss center for Canonical. It's surprising to a lot of people given its popularity... but popularity doesn't equal profitability... especially when most users don't pay anything for the software (not even support fees).


"Ubuntu is a total loss center for Canonical"

Typical beancounter mentality.

Probably comes with a suggestion of closing this division and going with something else.

OF COURSE this department loses money. But it is a net gain for the company, and in fact without it the rest wouldn't exist.


> OF COURSE this department loses money.

Not sure what "of course" means here... it's very possible to be profitable off your OS Development division... look at Red Hat, SUSE, etc. They pay for the development from support payments... they collect support payments because enterprise wants their OS... it's a positive feedback loop. The better the OS, the more enterprise pays, the more funding RH can put into the OS dev team, the better the OS gets, the more support fees they collect, etc etc etc...

Canonical has not been able to successfully charge for support like RH and SUSE have figured out.

> But it is a net gain for the company, and in fact without it the rest wouldn't exist.

It's not a net gain unless the company can be profitable as a whole and subsidize (and justify the enormous expense) off-put by tertiary services, etc.

... right now Ubuntu project is responsible for Canonical being perpetually in the red... every quarter, since their foundation. Canonical could very well just run enterprise support contracts, or push their cloud services. They don't have to use Ubuntu... any OS would suffice. They aren't somehow coupled to Ubuntu to the point if Ubuntu didn't exist, Canonical wouldn't either.


I wonder what happened behind the scenes that basically killed Ubuntu in its tracks.

Circa 2008, before the Unity and PulseAudio switches, it was considered by pretty much everyone the premier Linux distro. I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.

Even today Dell is still doing Sputnik and in European countries you can buy HP hardware with Linux. Why is Canonical not taking advantage of the fact that they could be making money off support for their desktop OS through all the hardware vendors?


> I wonder what happened behind the scenes that basically killed Ubuntu in its tracks.

Ubuntu has never been profitable for Canonical. Shuttleworth's game-plan was always long-term minded regarding Ubuntu -- but as we've seen as-of-late, Canonical is shifting focus to other markets they view as potentially profitable. Shuttleworth has committed to keeping Ubuntu alive, but it's no longer Canonical's sole hope for income.

> I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.

This isn't just a problem for Ubuntu, but for most end-user linux distros. People always joke with Linus when the "year of the Linux desktop" will finally arrive... The people who use Linux as their daily driver generally don't need the support, and for the ones who do, well it's a lot less marketshare than Windows.

> Even today Dell is still doing Sputnik

Besides Sputnik, and some Linux-only end-user manufacturers like System76, there really isn't a lot of choice for pre-installed Linux end-user computers.

It's weird too, because Sputnik is $50 more expensive than the Windows version of the same hardware. (Probably some Microsoft deal going on here.)

Linux comes pre-installed on the majority of server hardware (server hardware that comes with any OS at all, that is), and Linux dominates this field. But the "year of the Linux desktop" hasn't quite arrived yet. I do hope it comes soon.


> Besides Sputnik, and some Linux-only end-user manufacturers like System76, there really isn't a lot of choice for pre-installed Linux end-user computers.

I've used System76 and Zareason. System76 are Ubuntu-only (and the hardware may have issues with other distros); Zareason will support any Linux.


You know, I actually didn't know about Zareason. Their website seems to have pretty reasonable prices for the hardware you are getting, and I love having a choice of my preferred distro to run (I'm a Fedora guy).

I run full-time linux on my laptop and my goto hardware has typically been a Thinkpad T series.


> Canonical is shifting focus to other markets they view as potentially profitable.

Is it about profits, or - I'm going to be kind of cynical here - chasing taillights? The way they seem to bounce around from one thing to another (mobile phones! embedded!) makes it feel like the latter.


> The way they seem to bounce around from one thing to another

I tend to agree... modern Canonical feels like a company that lacks focus (probably because they aren't quite sure what the focus ought to be after realizing Ubuntu might not ever turn a profit for them).


The people who would buy computers with Linux probably wouldn't pay for tech support. Enterprises might, but not individuals. Plus I suspect that Microsoft is pretty keen to defend Windows on the consumer front - I've heard stories of deep OEM discounts on the condition that they don't offer alternative OSes.


I mean in the same way you buy a Dell notebook and get two years of phone support, you would get the same with a Dell Ubuntu notebook but Canonical would provide it and Dell would pay them for it.


I mean that the people who would buy a Dell Ubuntu notebook mostly wouldn't use phone support. If Dell thinks the same, they wouldn't pay Canonical very much to provide that support. They do now sell the XPS 'Developer edition' with Ubuntu; I have no idea whether they pay Canonical for support, or how much that makes.


I've never heard one way or the other whether it is or not; I'd be curious to see some data.


Name a few. I know very very few and the funding goals are very very modest most of the time (they don't really convey the idea of full time devs).


https://www.fsf.org/about/financial

The FSF had revenue of 1.25 million in 2013. I'm not trying to comment on where it came from or where it went to. I'm only pointing out that they are not in a very similar position.


Those are some rather interesting documents, thanks!

In 2013 FSF paid $ 689,239 in salaries and, astoundingly!, $ 48,995 in credit card fees.


FYI: That's 3.8% assuming everybody donated by credit card.

Anybody got an idea why they pay so much?


Typical credit card fees are 2.9% + 30c. Assuming that they pay regular fees rather than non-profit rates (which tend to be lower), that would make their average donation around $7.14.

Source: 48995/689239 = (x*.029+.30)/x


With that many transactions they should be able to negotiate a lower fee than that. My company did a bit over 4 million in CC transactions last year and our rate is 1.9% and I believe the flat rate per transaction is 25 cents.


That's in the ballpark for monthly membership fees. ~$10/month.


As someone else pointed out, 2.75%-2.9% is common, and often there is a charge per transaction too (on the order of 25 cents after it's all said and done). The fee can change based on the card type (the merchant pays a higher fee on rewards cards normally... someone has to pay for rewards!) and international purchases can have additional fees. Chargebacks can also bump up fees, ditto for outsourced fraud protection.


2.9% is fairly standard with Stripe et al., but fees from things like chargebacks could probably add up to another 1%.


Maybe it includes unfavorable (normal for credit card xactions) exchange rate conversions?


My understanding is that credit cards give you the best exchange rates available at retail.

Some banks do tack on a foreign transaction fee though, but that goes on the payer.


Aren't these generally dumped on the person paying?


This is partly why I stopped donating to the FSF. They're dumping some amount of that money into misguided PR campaigns rather than helping out the developers trying to make free software better.


1.25 million USD is really not a lot of money at all... especially given all of the projects the FSF supports under the GNU umbrella.

If they had zero expenses other than staffers, at a very modest 65,000 USD a year that would not even cover 20 people.

The EFF, FSF are the only real "good guys" out there fighting for your techie rights every day... They could really use your donations and support (even if you don't agree 100% with all of their message).


So… enough pay for about 20 developers?


In India? Do you know how expensive developers are? (Especially fully loaded, ie with all the overhead that a company has to pay.)


More like 8 or 10. There are costs beside that: hardware, hosting, office, internet, etc. etc. The math doesn't work that way ;)


> How would a free software project 'pay it forward'?

As mentioned by the grandparent comment, GPG is in use by Debian, Ubuntu and RedHat package managers. Whether or not you count those three as free software they have plenty of money to pay forward to a piece of software that underpins their entire stacks.


Unless I've missed something big in the past 2 years even the Debian Project Leader is still a volunteer[0]. If most/all money's going to operating costs it's hard to make the case they're holding out on somebody. They also have a record of treating their upstream quite well so I'd need some evidence to believe they're dropping the ball.

[0] - https://lists.debian.org/debian-vote/2013/03/msg00095.html


The point isn't easily settled, it seems:

I am having a hard time finding financial statements from Debian.

Ubuntu, or rather Canonical, being a private company, doesn't seem to release financial information. The Ubuntu main page doesn't even provide a 'donate' link anymore.

Which leaves RedHat, at last. A public company, of course[0]:

   Operating profit 2014: $ 1.3e9
   Net total income 2014: $ 178.3e6

[0] http://investors.redhat.com/financials-statements.cfm


Software in the Public Interest handles Debian's donations. The latest treasurer report from SPI can be found here: http://lists.spi-inc.org/pipermail/spi-general/2014-November...

For some reason SPI has not put out an annual report since 2012: http://www.spi-inc.org/corporate/annual-reports/2012.pdf


This article claims that $222k was the budget for 2012 for Debian, down at the bottom. It also claims the budget should be $19B, if paid at market rates.

http://www.pc-freak.net/blog/what-is-the-development-costs-o...


> The Ubuntu main page doesn't even provide a 'donate' link anymore

Try to download it: http://www.ubuntu.com/download/desktop/contribute/?version=1...


Here's Canonical's 2013 numbers:

http://www.scribd.com/doc/199373896/Canonical-Group-Limited-...

21 million USD negative, largely due to Ubuntu development and related expenses.

Canonical has never been profitable, which is why Shuttleworth constantly re-invests his own personal capital in the company.


You're off on your numbers. The 120k are for him plus one developer. By that estimate that's 20 people for the FSF.

However, a lot of commercial entities use pgp as core of their business: all software packaged for the linux world is signed with gpg one way or another. All commercial distributions depend on it at their very core. I'm amazed that they don't fund gpg at least partially.


I'm not surprised. For the same reason OpenSSH should be very well funded, and if I recall correctly it's not the case.

One of the points of open source is that software becomes a commodity, and that will always hurt OSS funding.


The thing is, the underfunded dependencies that are the most vital are those that are widely used by many projects. If it was normal to chuck a small percentage of available funds to dependencies, the money would start to add up.


A cultural and structural change is needed when things like GPG get nothing, while viral, superficial and gimmicky work gets snapped up for millions or billions, when end users choose free products that threaten privacy and flood our world with advertising rather than pay the price of a cup of coffee for quality trustworthy products.

Even sadder is the fact that these "free" things actually cost us much, much more. https://news.ycombinator.com/item?id=8585237


What this and all other software projects need is marketing. There is just too much noise out there. We landed on a comet last year and we still needed marketing to let the people know about it. If we invented free energy tomorrow, we'd all hear about it via some sort of marketing. Marketing is much, much easier to implement than cultural and structural change.


"Pay it forward" means to grant a favor or gift to a random person, in remembrance of one who did a favor for you before. The idea is to initiate a chain of favors and gifts to brighten the world in general.

It's a play on words though, by analogy with "Pay it back" which is returning a favor to one who did a favor for you first (like paying back a debt). In the case of large distros being heavily reliant on GPG and other upstream projects, I think the applicable term here is "pay it back".

Upstream developers helped out Debian, et al, and now Debian needs to pay those developers back. Arguably, by gifting their distros to the world at large, they're already "paying it forward".


Open Source = The kindness of strangers.


Is GPG complex?


Thanks for the link, just donated!


Me too. This software is too important to not have someone dedicated to it full time.

I left a note that he (like the EFF and the ACLU) should have a recurring donation option, or at least an option to receive a once yearly email asking for a donation. There are many people that would happily go with a recurring donation if that option were available.


A patreon would be a good option. I would happily give $1 a month


Yep, but on the other hand it is probably better to give $20 every two years. Less transaction cost.


Watching the bar on the GnuPG homepage is pretty encouraging. Since the article was written, we've donated nearly €30k more. It looks like the problem was that people hadn't heard about it, not that we're all too selfish to donate.

I just chipped in $25.

Edit: Over €10k more in the hour since this comment. It's now 2/3 of the way to the funding target.


This was posted on HN 2 months before; I donated £50 at that time, so I wouldn't say it didn't get enough exposure.

It's just that it takes a lot of media attention to get you to your goal, plus a lot of the donations are coming from regular developers who understand the importance of this instead of the big companies profiting from this software.


It still progresses, now (21:47 UTC) only 12% left to the target.


Target exceeded, and I don't think this even includes the EUR 100k from Stripe & Facebook.


GPG is an integral part of the Open and Free internet.

Imagine all the workflows that depend on verified encryption signatures like Debian, Ubuntu, etc and that's just software distribution, not counting privacy issues like journalists, political dissidents, whistle blowers, etc using it for secure communications.

It was pretty easy to donate, took me less than 2 minutes. I encourage everybody who is able to make a donation, however small; every euro counts.


Ditto. Was just talking with one of my employees this week about setting up encrypted email. Right now we use OTR chat for any sensitive stuff, but that's not always the most convenient channel. Like most others I had no idea this project was so under-funded.


This might be one of a few places where I will upvote "me too"-comments.

And, as others have pointed out it is easy and you can choose between cc and PayPal.


This is one of the few instances that I've heard about something for the first time and immediately pulled out my credit card to donate.


I donated last year, and just donated again.

Really happy to see that this post on HN has traction, and delighted to watch the counter go up. GPG and other security projects need a way better tech PR push.


(me too)

Interesting to see more people have donated so far in 2015 than the whole of 2014.


Me too.


Me too! 25EUR. Many thanks for bringing this to my attention


Me too!


Of course on the other hand, it is overstated here too.

Email Encryption Software Relies on One Guy

Err... did PGP recently go bankrupt?

Edit: Crap, it's worse, they seem to have been acquired by Symantec. Is it still any good?


Why aren't those organisations paying him money?


You are using Ubuntu, I see from your profile. How much have you paid them?

This is how the story goes: we haven't figured out how to make good work worthwhile.

Perhaps we can learn something from our vast experience in profitably peddling shit?


We're our own worst enemies. Software developers have this sort of circular firing squad where nobody wants to be the first to keep their source closed and try to charge for it. Because then you're just "greedy" and not pure enough.

But that'll never change unless all of a sudden we say "Ok, on the count of 3, everybody stop giving away their hard-earned expertise for free. 1... 2... 3..." We're like musicians nowadays. We love it, so we do it without insisting on compensation.

A few months ago, I Show HN'd an open source project, but reserved the copyright to the code. The commenters immediately took note of this and I felt compelled to switch it to an MIT license. (It was open source for security reasons, if you're wondering.) I'm glad I did, but the point remains: there was pressure to conform.


> Software developers have this sort of circular firing squad where nobody wants to be the first to keep their source closed and try to charge for it.

Er, the first to keep their source closed and try to charge for it happened a long time ago, and there are huge numbers of developers at firms from one-man shops to massive megacorps still doing it today.

The idea that closed-source for-profit development is a novel idea that violates norms in the software development community and that everyone is afraid to try is cute, but, you know, completely contrary to the actual facts of both the current state and history of software development.


Why in the world would this be downvoted? There is nothing inflammatory about this post at all. He's bringing up a widely debated point in our industry.


Probably because we're talking about encryption software ITT, and nobody would trust closed source encryption software.


> nobody would trust closed source encryption software.

ORLY? Have you read much source for BitLocker or FileVault, recently? WhatsApp? Skype? And those are just the most popular ones off the top of my head...


No, and I wouldn't trust myself to read it either. But, there's a fair chance that someone I trust eventually will and that they'll point it out when they see something fishy.


Nobody wants to pay for infrastructure. Devs expect it all for free, even if it puts you in a Turing tar pit of plugins.


If anyone suggests it's not ok to make a living out of your chosen profession it's pretty okay to ignore their advice.

Some source is better to be open for all stakeholders, others... it's more or less irrelevant, unless you believe the entire world is out to get you.


I see the encouragement to switch to an open source model a lot too. When a closed-source or close-licensed project is posted, you get a few commenters saying how great it'd be if the project was open source because then the community would benefit. Call me a cynic but in reality, this likely means "please make the source and licence more open so that I can use it without paying you".

I say this because I know that when I am looking for libraries to use at work in commercial software, I have to look for BSD-style code and now actively steer clear from GPL and LGPL code (static builds for me please).

It isn't to be malicious but it's mainly because I would like to continue living. Giving away things I have spent years working on doesn't pay my mortgage or put food on the table.


> where nobody wants to be the first to keep their source closed and try to charge for it

Seems like there's another option -- open source your project and also charge for a license to use it. By open sourcing people will trust it more which will cause its value to go up. And then more people would be willing to pay for it.


> Seems like there's another option -- open source your project and also charge for a license to use it.

If you open source your project, unless you're using an unusual definition of open source, you've provided a free-of-charge, sublicensable license to use, modify, and distribute it. (Or, at least, a license that the licensee is free to sublicense without charging the sublicensee or paying an additional fee to you, so even if you are charging for the direct licenses, the more you sell the greater the probability that it will be available at no charge.)

You could open source it and charge a fee for professional support, however, which is a fairly common model.


As I understand it, that's what he did. He open sourced it and kept copyright on it. That would mean that everybody would be free to read it as posted but wouldn't be able to use it or distribute it without permission.


Releasing something under an open source license usually involves retaining copyright but is, itself, giving permission to use, distribute, modify, and distribute modifications. Pretty much every open source project either retains copyright of the work or is composed of the work of developers who each retain copyright of their portion of the work.


The anti-GPL, pro-BSD/MIT consumers are a selfish minority.

But there are library authors who publish BSD (government funding) who can't partner with GPL. It's unfortunate.


The problem is that in practice most people in almost any free software project do not have the funds personally to afford donating all the time.

I mean, I feel the burn when I give money to Debian, Arch, KDE, etc - but I do it because I know I have to, because the software is so important to me. The $500 or so I donate each year is a lot of money to me, and I'm in the US - I cannot imagine how much donating to these projects would hurt the international users who make significantly less than the 15-25k or so I make annually.

I don't know how KDE managed it, but Blue Systems (http://en.wikipedia.org/wiki/Blue_Systems) is a German company founded by one Clemens Tönnies, Jr. Don't know anything about the guy, but he is somehow paying 10+ KDE devs without a business model. I've donated a lot to Kubuntu, but I cannot imagine in a million years they get enough donor money to fund all the devs they employ.

But those kinds of philanthropies, the way Mark Shuttleworth keeps Canonical afloat, seem to me to be the only practical way to keep free software afloat. You cannot ask a million destitute people to donate money they need to eat or sleep comfortably, but we as a community don't have the charisma or ears to get fat cat donors to foot the bills. Probably because software freedom does not matter as much when you are wealthy - you can just pay to get the software you want made anyway, and you might even be able to bribe companies to give you the source if you care enough.

And I recognize a huge portion of the donor pool for most free software projects isn't either end of this spectrum, but people like me making something above the poverty line and below extravagance that donate what they can where they can, but that is consistently shown to not be enough. And I imagine it is more because it takes millions of average joes paying dollars to match what one millionaire can do in an instant.


> You are using Ubuntu, I see from your profile. How much have you paid them?

It's easier for businesses to write off these types of donations (and make them for significant amounts) than for private individuals to do so.


If it's a registered non profit you can donate and 'write it off' too. The idea that a 'big company' should do the donating is short sighted. That big company is made up of individuals. If everyone reading this donated $100, the problem posed by the article would disappear.


The numbers are a bit harder to meet than that, as gpg isn't the only project that needs funding. Heartbleed was caused by a similar issue.


My point is that it's probably easier to get a company that is turning a profit off of something to donate a single large sum, than to convince a million people to donate $1.


Beg to disagree.

If your effort is half as good, you still get half million people to donate $1.

On the company case, one million is not pocket change, so this will be a serious decision that has to be approved by several independent branches within the organization, each with veto power. Screw one of those and it's a deal breaker.

Furthermore, I'd say that this decision is one that is particularly difficult to frame for the company. While corporations do understand direct costs very very well, they are practically hardwired to ignore/exploit the gift economy. So the discussion will be steered towards what indirect benefits the company will receive from donating to a worthy cause (public relations, tax exceptions, etc) and away from the consequences of letting an (unacknowledged) strategic partner go under.

Not to say that a corporation cannot assume stewardship of a distressed project, but it almost always requires executive fiat to get over the bureaucracy.


>It's easier for businesses

Far simpler not to even bother at all.


It's easier still for a business to pay for a support contract, contributing to Canonical's revenue. Perhaps they could send a small fraction of that money to projects like GPG.


Tu quoque?


Ubuntu used to (and do sometimes) send banners and CDs. That costs money. Ubuntu/Canonical have money. Why haven't they given some for GPG?


Ubuntu is not making money, and Mark Shuttleworth keeps infusing the company with his own pocketbook whenever it goes in the red. They might be doing something on the server / corporate support contracts end nowadays, that has really taken off in the last few years, but you might as well just ask Mark to hire Werner Koch.


For the most part, they're open source and have no significant revenue.

Or they're small for-profit companies and they can't spare the revenue.

Or they're large companies and no one with a budget and decision power is even aware they use the product.

Or they're Red Hat... With limited budget for this and unlimited needs to cover.


Red Hat is among the largest funders of OSS development in the world. We need more companies acting like Red Hat.

I don't know how we get there when companies like Apple eat such a huge portion of the consumer OS and application dollar and companies like Microsoft and Oracle eat such a huge portion of the corporate dollar.


Red hat pays people to write open source software. The skinflints are the companies publishing closed source stuff and the consumers using free software.


The counter on the kindly linked donation page went from EUR 49.470 to EUR 65.126 in the last 60 minutes (precisely).


That's really cool. When people unite...

My name isn't even on the list of recent donors anymore, that's going fast! Maybe he'll wake up tomorrow and hit refresh a couple times to be sure there's nothing wrong with the counter, hehe.


Was unaware about funding issues. Just donated 20 EUR.


I don't see a way to contact anyone there. Can they please add bitcoin?


"If you like to donate Bitcoins you may use the Wau Holland Stiftung account too."

Link: https://www.wauland.de/en/donation.html#61


Looks like quite a few donations are coming through!

https://blockchain.info/address/12LKeo24XCzgz6ASSxcUa8BvUfzk...


So, over 10383.30 USD if he manages to cash it out.


Shouldn't it be part of that Core Infrastructure Initiative project then?


The Linux Foundation's Core Infrastructure Initiative agreed to fund Werner $60,000 several weeks ago for his critical GnuPG work.

https://twitter.com/gnupg/status/563456662024228865


Matthew Green, who sits on the CII's advisory board, tweeted:

"CII does what's beneficial to its members. Privacy tools aren't" [https://twitter.com/matthew_d_green/status/56338899320386764...]

...which indicates to me that GnuPG wasn't sold properly. It's not just a "privacy tool" -- it's one of the ways that software (including OpenSSL) is securely distributed. I would guess that quite a few of the CII's members benefit from GnuPG and don't even realize it.


In what world are privacy tools not beneficial to the CII? And how does OpenSSL not fall under "privacy tool"??


GPG's goal is about privacy, while OpenSSL is more of a toolbox with most of the tools you need for anything crypto-related.

I imagine those people need to control integrity of the software, to make sure it is deployed correctly on their servers and distributed securely to their clients and users, and OpenSSL has all they need for that. Privacy, OTOH, is unneeded because they are not (or rather much less) after their own or their users' privacy.


CII is a consortium of consumers of free software, not publishers. If OpenSSL needs gpg, OpenSSL should spend its funding on gpg.

Perhaps via a "Free Core Infrastructure Initiative"


Thanks for the donation link, I just used it. It seems odd to me that an article bemoaning the fact that GnuPG's author is going broke gives no information at all on how to help rectify that condition.


> It's also used in countless applications to encrypt data at rest

Exactly. Given the number of corporate laptops encrypted by the corporate IT with that software, and thus definitely some "license" style good money was paid by the corporations to some entities ... I never believed in the magical concept of trickle down and it sounds like it doesn't work here either.


Alright. Donated.


something like this is just too important to not donate money to.


What is the simplest program out there right now, open-source, that will let me sign binaries with a key?

I'm experimenting to do a dead-simple licensing system using SSL certs and signing--rough idea is, cert is from me, and when it expires, software says "lol no get new cert".

I'm sure this has been done before, but the amount of custom license management code I've seen in the wild makes me wonder...


Probably OpenBSD's signify.

You are of course aware signatures don't solve the licensing problem however, which is a Trusted Client problem (i.e. unsolvable).


I'll check that out. Thank you!


By all means. Ed25519 (which underlies signify) is a pretty decent modern signature scheme. (tweetnacl.c also implements it, in less code.)

It also seems you want to expire things, so I do feel I have to warn you that signatures are a totally separate thing to a secure time source, which is a whole different bag of marbles.

However, since what you're designing sounds like a logic bomb/copy protection/DRM system, I must say what I've been saying for the last quarter-century or so: please do not design your software to deliberately fail. That is a bad call: trust me on this one. Any crypto that you do to support it, even if the crypto itself is sound, is just tapdancing around a failure state.


So, use case would be something like:

Software is shareware, gets a little naggy within 30 days of license expiration, send money to get a new license file, which makes the nagging go away. No cessation of service.

I'm not worried about clock spoofing--I assume basically good-faith customers.

Signing would help people from just copy-pasting certificates around. If they want to go into the executable and rewrite the routines, well, there's only so much one can do, yes?
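The license-file scheme discussed in this subthread (an Ed25519 signature over a payload carrying an expiry date, with the expiry then checked against the local clock, which the signature cannot vouch for), as an added Go example that is not code from any commenter. It uses Go's standard library crypto/ed25519 rather than signify itself, and the License and Signed types, Issue and Verify are hypothetical names constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// License is the signed payload; the format is constructed for this example.
type License struct {
	Customer string    `json:"customer"`
	Expires  time.Time `json:"expires"`
}
// Signed bundles the serialized payload with its Ed25519 signature over it.
type Signed struct{ Payload, Signature []byte }
// Issue serializes and signs a license with the vendor's private key.
func Issue(priv ed25519.PrivateKey, lic License) (Signed, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature before trusting the payload, so an edited or
// hand-assembled license is rejected; it then evaluates expiry against now, the
// local clock (the signature proves who issued the license, not the current time).
// The bool reports whether the 30-day nag window before expiry has started.
func Verify(pub ed25519.PublicKey, s Signed, now time.Time) (License, bool, error) {
	var lic License
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return lic, false, fmt.Errorf("license signature invalid")
	}
	if err := json.Unmarshal(s.Payload, &lic); err != nil {
		return lic, false, err
	}
	if !now.Before(lic.Expires) {
		return lic, false, fmt.Errorf("license expired on %s", lic.Expires.Format(time.RFC3339))
	}
	return lic, lic.Expires.Sub(now) < 30*24*time.Hour, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor keypair, generated for the demo
	s, _ := Issue(priv, License{Customer: "demo", Expires: time.Now().Add(20 * 24 * time.Hour)})
	_, nag, err := Verify(pub, s, time.Now())
	fmt.Println("valid:", err == nil, "nag:", nag) // prints "valid: true nag: true"
}
```

Signing stops a license file from being edited or assembled by hand, but a customer who sets the clock back still passes the expiry check, which is the point made above about signatures not being a secure time source.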


If you assume basically good-faith users: why nag them? After they registered? Aren't they assuming basically good-faith authors? Why do you think people who you'd nag after they registered would copy-paste keys but not download a crack?

(Your registrations are time-limited? That's very unusual for self-described "shareware". That's pretty much "commercial, but your demo nags".)

You're welcome to choose whatever business model works for you, of course, but take it from me, this one's straight from the early '90s. I hope it works for your users too.


It's a non-trivial task to design software that will deliberately fail and cannot be easily bypassed with a debugger.


A massive understatement, for any software that is itself non-trivial.

And unfortunately, the harder someone tries to reach that goal, the more fragile their software becomes. A lose/lose situation.

It really is better to engineer software to work, not to fail.


Yes it has, there are a variety of licensing solutions for Mac OS X that do this (the openssl verify signed cert for licensing).

For example: https://github.com/glebd/cocoafob or https://github.com/bdrister/AquaticPrime

