topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Friday December 6, 2024, 2:16 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Code signing certificate?  (Read 10907 times)

highend01

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 188
    • View Profile
    • Donate to Member
Code signing certificate?
« on: October 16, 2015, 05:30 AM »
Hi,

can anyone recommend a particular code signing certificate authority (there are a lot of them...)?

I probably have to sign .exe files in the future (if the current commercial project is going to be implemented). Prices vary a lot and they are per year not a one time sale *sigh*.

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,939
    • View Profile
    • Donate to Member
Re: Code signing certificate?
« Reply #1 on: October 16, 2015, 07:46 AM »
Most certificate vendors sell a certificate that valid for a year. After that year has passed, you need to pay up again. How much you need to pay varies, depending the nature of the use. Personal use is not that expensive, commercial use however...

Now I do not know if a certificate with the sole purpose of signing code is valid for 1 year only. It is a rather short period as software can be in use for longer intervals and yearly renewal becomes quite a headache for every user making use of the software.

StartSSL is a company that offers free and paid for certificates, there are others that do the same. Better check these out first before you commit to any vendor.

Jibz

  • Developer
  • Joined in 2005
  • ***
  • Posts: 1,187
    • View Profile
    • Donate to Member
Re: Code signing certificate?
« Reply #2 on: October 16, 2015, 08:33 AM »
I've looked at the ones from K Software in the past, but not had enough reason (or money) to get one. They resell Comodo certificates.

As I understood it, it is important to get a certificate that includes access to a time-stamping service, because then your signatures will be valid even if you stop paying yearly.

I don't think they offer EV certificates, but I doubt you'd need one anyway.

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,629
    • View Profile
    • Donate to Member
Re: Code signing certificate?
« Reply #3 on: October 16, 2015, 09:11 AM »
Now I do not know if a certificate with the sole purpose of signing code is valid for 1 year only. It is a rather short period as software can be in use for longer intervals and yearly renewal becomes quite a headache for every user making use of the software.
When using a time-stamp server during the actual signing process, the executable is signed 'indefinitely', only if that part is left out the end of the certificate also expires that exe (it behaves as if it isn't signed any longer). Using the /t <timeserver-url> option on signtool seems mandatory, IMHO. This implies that internet-access is mandatory during the signing process :tellme:. AFAICS, most time-stamp servers are freely accessible to anyone.

JavaJones

  • Review 2.0 Designer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 2,739
    • View Profile
    • Donate to Member
Re: Code signing certificate?
« Reply #4 on: October 18, 2015, 03:40 PM »
We (Planetside Software LLC) have one from K Software. They seemed to have the best price on a Comodo cert. The process is a little annoying to get any cert, but having dealt with StartSSL before for an SSL cert, I felt it was *less* annoying to deal with K Software. They hand you off to Comodo for verification anyway. And ultimately I don't think there's a way around much of the identity verification hassle. That's sort of the point I guess. ;)

Anyway, I would not say this is a super strong recommendation for K Software, but I can say that it worked fine and the price was right.

- Oshyan

highend01

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 188
    • View Profile
    • Donate to Member
Re: Code signing certificate?
« Reply #5 on: October 19, 2015, 03:23 AM »
Thanks for all the comments and suggestions!

K Software seems to be really cheap in comparison to all the other vendors I've looked up. If the contract get's signed I try to get a certificate from them :)

Regards,
Highend

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Code signing certificate?
« Reply #6 on: January 18, 2022, 07:14 PM »
Just ordered a new code signing certificate.  I had to leave K Software, they did not respond at all to emails.  The entire code signing process feels like it was designed to inflict maximum frustration.

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 888
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Code signing certificate?
« Reply #7 on: January 18, 2022, 08:49 PM »
We've used RapidSSL (= Digicert) certs for years now for corporate web sites, they've been generally inexpensive and the process (bought through Servertastic as a reseller) is pretty straightforward. Never had a need for code signing, but their certs are $425us or $625us for a one year cert, discount if you get multiple years. How does that compare, out of curiosity?

RapidSSL/Digicert code signing certs
vi vi vi - editor of the beast

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Code signing certificate?
« Reply #8 on: January 18, 2022, 09:41 PM »
https://comodosslsto...com/codesigning.aspx

$70-$85 per year code signing certificate -- prices have come down in last few years.  I could not afford to spend hundreds of dollars for the luxury of it.

highend01

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 188
    • View Profile
    • Donate to Member
Re: Code signing certificate?
« Reply #9 on: January 19, 2022, 03:05 AM »
I've ordered a new 3 year Comodo code signing certificate via https://codesigncert.com/ on the black friday deal for 149 $. Ordering was easy but the process to get the certificate issued later on (done by sectigo.com) was a real nightmare. Had to open a ticket and on each new mail (waiting time: 2-3 up to 7 days) I had to deal with a different support person who (ofc) didn't read the previous conversation, ignoring the documents I had attached, ...). In the end they issued the certificate but not with the data that I had provided in the first place. Company name was wrong, department entry was missing, city was misspelled. I had luck that the technical support sent me a mail where I was able to correct the bad entries and I finally got the certificate that I wanted. Took 6 weeks overall.

Always remember: You get what you've paid for :down:

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Code signing certificate?
« Reply #10 on: January 19, 2022, 03:08 AM »
but the process to get the certificate issued later on (done by sectigo.com) was a real nightmare
yes, same here.  sectigo was a nightmare.