
Code signing certificate?


highend01:
Hi,

can anyone recommend a particular code signing certificate authority (there are a lot of them...)?

I will probably have to sign .exe files in the future (if the current commercial project is going to be implemented). Prices vary a lot and they are per year, not a one-time sale *sigh*.

Shades:
Most certificate vendors sell a certificate that is valid for a year. After that year has passed, you need to pay up again. How much you need to pay varies, depending on the nature of the use. Personal use is not that expensive, commercial use however...

Now I do not know if a certificate with the sole purpose of signing code is valid for 1 year only. It is a rather short period as software can be in use for longer intervals and yearly renewal becomes quite a headache for every user making use of the software.

StartSSL is a company that offers free and paid-for certificates; there are others that do the same. Better check these out first before you commit to any vendor.

Jibz:
I've looked at the ones from K Software in the past, but have not had enough reason (or money) to get one. They resell Comodo certificates.

As I understood it, it is important to get a certificate that includes access to a time-stamping service, because then your signatures will be valid even if you stop paying yearly.

I don't think they offer EV certificates, but I doubt you'd need one anyway.

Ath:
--- Quote from Shades (October 16, 2015, 07:46 AM) ---
Now I do not know if a certificate with the sole purpose of signing code is valid for 1 year only. It is a rather short period as software can be in use for longer intervals and yearly renewal becomes quite a headache for every user making use of the software.
--- End quote ---
When using a time-stamp server during the actual signing process, the executable is signed 'indefinitely'; only if that part is left out does the end of the certificate also expire that exe (it behaves as if it isn't signed any longer). Using the /t <timeserver-url> option on signtool seems mandatory, IMHO. This implies that internet access is mandatory during the signing process :tellme:. AFAICS, most time-stamp servers are freely accessible to anyone.
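
A way to check the time-stamping point from the post above on binaries you have already signed, as an added example that is not part of the original thread: this PowerShell script lists signed files that carry no timestamp countersignature and shows when their signing certificate expires. The folder `.\release` and the function name `Get-SigningTimestampReport` are assumptions.

```powershell
# Added example: find signed binaries that were signed without a time-stamp server.
# Such files stop validating once the signing certificate's NotAfter date passes.
param(
    [string]$Root = '.\release'   # assumption: folder holding the signed binaries
)

function Get-SigningTimestampReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            # Skip unsigned files and files whose signer could not be read.
            if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return }

            $signer = $sig.SignerCertificate
            [pscustomobject]@{
                File         = $_.FullName
                Status       = $sig.Status
                Signer       = $signer.Subject
                CertNotAfter = $signer.NotAfter
                # TimeStamperCertificate is only set when a countersignature exists.
                Timestamped  = [bool]$sig.TimeStamperCertificate
                # Days until the signing certificate expires (negative = already expired).
                DaysLeft     = [math]::Floor(($signer.NotAfter - (Get-Date)).TotalDays)
            }
        }
}

# Show the files at risk first: signed, but with no timestamp to outlive the certificate.
Get-SigningTimestampReport -Path $Root |
    Where-Object { -not $_.Timestamped } |
    Sort-Object CertNotAfter |
    Format-Table File, Status, CertNotAfter, DaysLeft -AutoSize
```

Files listed here need to be re-signed with a time-stamp server before `CertNotAfter`, while the certificate can still produce a valid signature.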

JavaJones:
We (Planetside Software LLC) have one from K Software. They seemed to have the best price on a Comodo cert. The process is a little annoying to get any cert, but having dealt with StartSSL before for an SSL cert, I felt it was *less* annoying to deal with K Software. They hand you off to Comodo for verification anyway. And ultimately I don't think there's a way around much of the identity verification hassle. That's sort of the point I guess. ;)

Anyway, I would not say this is a super strong recommendation for K Software, but I can say that it worked fine and the price was right.

- Oshyan
