Author Topic: Code signing certificate?  (Read 9103 times)

highend01

Code signing certificate?
« on: October 16, 2015, 05:30 AM »
Hi,

can anyone recommend a particular code signing certificate authority (there are a lot of them...)?

I probably have to sign .exe files in the future (if the current commercial project is going to be implemented). Prices vary a lot and they are per year not a one time sale *sigh*.

Shades

Re: Code signing certificate?
« Reply #1 on: October 16, 2015, 07:46 AM »
Most certificate vendors sell a certificate that is valid for a year. After that year has passed, you need to pay up again. How much you need to pay varies, depending on the nature of the use. Personal use is not that expensive, commercial use however...

Now I do not know if a certificate with the sole purpose of signing code is valid for 1 year only. It is a rather short period as software can be in use for longer intervals and yearly renewal becomes quite a headache for every user making use of the software.

StartSSL is a company that offers free and paid for certificates, there are others that do the same. Better check these out first before you commit to any vendor.

Jibz

Re: Code signing certificate?
« Reply #2 on: October 16, 2015, 08:33 AM »
I've looked at the ones from K Software in the past, but not had enough reason (or money) to get one. They resell Comodo certificates.

As I understood it, it is important to get a certificate that includes access to a time-stamping service, because then your signatures will be valid even if you stop paying yearly.

I don't think they offer EV certificates, but I doubt you'd need one anyway.

Ath

Re: Code signing certificate?
« Reply #3 on: October 16, 2015, 09:11 AM »
> Now I do not know if a certificate with the sole purpose of signing code is valid for 1 year only. It is a rather short period as software can be in use for longer intervals and yearly renewal becomes quite a headache for every user making use of the software.

When using a time-stamp server during the actual signing process, the executable is signed 'indefinitely'; only if that part is left out does the end of the certificate also expire that exe (it behaves as if it isn't signed any longer). Using the /t <timeserver-url> option on signtool seems mandatory, IMHO. This implies that internet access is mandatory during the signing process :tellme:. AFAICS, most time-stamp servers are freely accessible to anyone.
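
Added example, not part of the thread: a simplified Python model of the rule described in the replies above, where a trusted timestamp fixes the moment at which the certificate's validity is judged. It also covers revocation, which the thread does not discuss; the function name, parameters and dates are constructed for illustration, and checking the timestamp authority's own certificate is out of scope.

```python
from datetime import datetime, timezone
from typing import Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC date for the sample data below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def signature_status(not_before: datetime, not_after: datetime,
                     checked_at: datetime,
                     timestamp: Optional[datetime] = None,
                     revoked_at: Optional[datetime] = None) -> str:
    """Simplified model of how a verifier judges a signed executable.

    With a trusted timestamp, the certificate is judged as of the signing
    time; without one, it is judged as of the moment of verification.
    """
    effective = timestamp if timestamp is not None else checked_at
    basis = "timestamp" if timestamp is not None else "current time"

    # A revocation dated at or before the effective time voids the signature.
    if revoked_at is not None and revoked_at <= effective:
        return f"invalid: certificate revoked before {basis}"
    if effective < not_before:
        return f"invalid: certificate not yet valid at {basis}"
    if effective > not_after:
        return f"invalid: certificate expired at {basis}"
    return f"valid: judged at {basis}"


# Constructed sample: a one-year certificate, a file signed mid-term,
# and a verification performed years after the certificate expired.
CERT_START, CERT_END = utc(2015, 10, 16), utc(2016, 10, 16)
SIGNED_ON = utc(2016, 3, 1)
VERIFIED_ON = utc(2024, 4, 19)

if __name__ == "__main__":
    print("timestamped:   ",
          signature_status(CERT_START, CERT_END, VERIFIED_ON, timestamp=SIGNED_ON))
    print("no timestamp:  ",
          signature_status(CERT_START, CERT_END, VERIFIED_ON))
    print("revoked early: ",
          signature_status(CERT_START, CERT_END, VERIFIED_ON,
                           timestamp=SIGNED_ON, revoked_at=utc(2016, 2, 1)))
```
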

JavaJones

Re: Code signing certificate?
« Reply #4 on: October 18, 2015, 03:40 PM »
We (Planetside Software LLC) have one from K Software. They seemed to have the best price on a Comodo cert. The process is a little annoying to get any cert, but having dealt with StartSSL before for an SSL cert, I felt it was *less* annoying to deal with K Software. They hand you off to Comodo for verification anyway. And ultimately I don't think there's a way around much of the identity verification hassle. That's sort of the point I guess. ;)

Anyway, I would not say this is a super strong recommendation for K Software, but I can say that it worked fine and the price was right.

- Oshyan

highend01

Re: Code signing certificate?
« Reply #5 on: October 19, 2015, 03:23 AM »
Thanks for all the comments and suggestions!

K Software seems to be really cheap in comparison to all the other vendors I've looked up. If the contract gets signed I'll try to get a certificate from them :)

Regards,
Highend

mouser

Re: Code signing certificate?
« Reply #6 on: January 18, 2022, 07:14 PM »
Just ordered a new code signing certificate.  I had to leave K Software, they did not respond at all to emails.  The entire code signing process feels like it was designed to inflict maximum frustration.

x16wda

Re: Code signing certificate?
« Reply #7 on: January 18, 2022, 08:49 PM »
We've used RapidSSL (= Digicert) certs for years now for corporate web sites, they've been generally inexpensive and the process (bought through Servertastic as a reseller) is pretty straightforward. Never had a need for code signing, but their certs are $425us or $625us for a one year cert, discount if you get multiple years. How does that compare, out of curiosity?

RapidSSL/Digicert code signing certs

mouser

Re: Code signing certificate?
« Reply #8 on: January 18, 2022, 09:41 PM »
https://comodosslsto...com/codesigning.aspx

$70-$85 per year code signing certificate -- prices have come down in last few years.  I could not afford to spend hundreds of dollars for the luxury of it.

highend01

Re: Code signing certificate?
« Reply #9 on: January 19, 2022, 03:05 AM »
I've ordered a new 3 year Comodo code signing certificate via https://codesigncert.com/ on the Black Friday deal for 149 $. Ordering was easy but the process to get the certificate issued later on (done by sectigo.com) was a real nightmare. Had to open a ticket and on each new mail (waiting time: 2-3 up to 7 days) I had to deal with a different support person who (ofc) didn't read the previous conversation, ignoring the documents I had attached, ... In the end they issued the certificate but not with the data that I had provided in the first place. Company name was wrong, department entry was missing, city was misspelled. I had luck that the technical support sent me a mail where I was able to correct the bad entries and I finally got the certificate that I wanted. Took 6 weeks overall.

Always remember: You get what you've paid for :down:

mouser

Re: Code signing certificate?
« Reply #10 on: January 19, 2022, 03:08 AM »
> but the process to get the certificate issued later on (done by sectigo.com) was a real nightmare

yes, same here.  sectigo was a nightmare.