Code Signing Certificate for Sole Proprietor

I've been selling my software Isadora (https://troikatronix.com) for 17 years, and I would like to start code signing the app and installer.
I've been turned down by three code signing certificate vendors because I'm a Sole Proprietor in Germany where the concept of DBA doesn't exist. Since there is no corporation or organization, they won't issue me a certificate.
Has anyone here succeeded in purchasing a code signing certificate as an independent developer? (Extra points if you live in Germany)

Yes, if you register yourself in Dun & Bradstreet. Your full name, physical address and phone number should be registered there and a CA can issue you a Standard Code Signing Certificate. But if you want an EV Code Signing certificate, it's not going to be easy.

I am also looking into this but I'm here in the US. I'm currently a sole proprietor and if you search for my DBA company name in Dun & Bradstreet, it comes up with my personal name, not my company name. As such, Comodo wants to issue a cert with my name, not my business. They suggested I get a legal opinion letter from either an accountant or attorney, which I have yet to do. Here is the link for Comodo. Perhaps you can go through this route.
https://support.comodo.com/index.php?/Knowledgebase/Article/View/1231/0/sample-legal-opinion-letters-for-ev-certificates

I'm from Poland and recently changed from an LLC to a sole proprietorship. While buying an EV cert for an LLC is extremely easy, getting one for a sole proprietorship is extremely difficult. DigiCert told me one can obtain an EV certificate as sole proprietorship only if he/she registered under a trade name. So, if you registered under your real name, you won't be able to get an EV cert.

Related

How to manage Signing certificates for multiple locations

I am working for a remote client (They're in US and we're in Canada) and we are developing a Windows client. We are going to have them purchase an EV certificate so we can digitally sign the app.
We've done this in the past with non-EV certificates, but from what I've read, EV certificate keys come on a physical USB device. I contacted ComodoSSL to see if we can get more than one, as I see there being a big risk (and cost) in shipping the key back and forth. They said they can only issue one.
I will be the only one using the key to sign the app but I don't feel comfortable with the client not having a backup.
I'm sure I'm not the only one to have run into this situation and was looking for some feedback as to how others handle this without purchasing an HSM?

Is the Digicert USB token needed for every single .exe code-signing operation? (EV code-signing certificate)

I have a Digicert SafeNet USB token (EV code signing certificate), that I use with digicertutil.exe each time I need to sign a .exe file.
Problem: I don't want to have to bring this sensitive USB token with me all the time. But still I'd like to be able to code-sign a .exe even when the hardware token is not with me (I prefer to leave the USB token in a secure place, once and for all, and not carry it with me).
Is there a way with digicertutil.exe or another tool to save the certificate into a file, such that I can code-sign future .exe files without the hardware token?
Or is there a way to allow "Don't ask for the hardware token in the next 15 days, but just the password"?
I've never used a code-signing certificate, and have only an elementary understanding of certificates in general, but I did some searching online, and found the following resources:
This website uses something called "OpenToken". It appears to do exactly what you want. It was posted in December 2018, though. I don't know whether any changes have been made to the USBs to render this code useless.
This superuser answer also seems to do what you want.
It's also possible that Digicert will duplicate it for you.
All DigiCert certificates come with unlimited free duplicate issues.
Note that any attempts to duplicate the USB may result in the USB getting reset, as this Quora answer mentions.
Also, note that duplicating a certificate USB may be a very, very, very bad idea.
Edit:
This Information Security Stack Exchange post notes that USB certificates can just be copied, in which case maybe you don't need to go to all the trouble of using third-party software to duplicate your certificate.

Why does Windows state "Unverified Publisher" for signed executable with a subsequently expired certificate

In 2014, I bought a class two code signing certificate from StartSSL which I used to digitally sign my binaries. This certificate has just expired and I actually am in the process of trying to get a new one. However, in an unrelated incident, I ran one of my signed setup programs in a VM and was somewhat ... annoyed ... when Windows brought up the "Unverified Publisher" variant of the UAC dialog.
When I view the digital signature properties I see this:
Of course the certificate has expired, but why is the file (which was signed within the validity period) suddenly unverified? I haven't seen this happen with other software; for example, if I look at an old signed copy of Office 2003 setup, that doesn't complain about an invalid signature, and that validity period expired a decade ago.
Why is this? Frankly I'm now wondering what the point of buying the certificate in the first place was and am seriously considering cancelling the in-process replacement. Seems kind of pointless when they invalidate themselves. Or is this the difference between class 2 and 3? (Class 3 is the version I'm trying to get hold of now.)
This is apparently a by-design limitation on some code-signing certificates, as described in the first footnote to Microsoft's blog post, Everything you need to know about Authenticode Code Signing:
Not all publisher certificates are enabled to permit timestamping to provide indefinite lifetime. If the publisher’s signing certificate contains the lifetime signer OID (OID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13), the signature becomes invalid when the publisher’s signing certificate expires, even if the signature is timestamped. This is to free a Certificate Authority from the burden of maintaining Revocation lists (CRL, OCSP) in perpetuity.
You may wish to check whether the replacement certificate will have the same limitation, and perhaps consider an alternative vendor.

Code signing duration of validity

I am interested in buying a Microsoft Code Signing Certificate for a kernel mode driver.
My first question is: are VeriSign or GlobalSign certificates mandatory?
They are expensive, and I have found another provider called DigiCert at only $178 for the first year.
Here is an old question on Stack Overflow:
Kernel mode code signing
And here is the link to the DigiCert page:
http://www.digicert.com/code-signing/driver-signing-in-windows-using-signtool.htm
My second question is how long the users will be able to run the application.
If the certificate expires, does it mean that the users will not be able to run the application, or only that I cannot compile and sign another executable, but that the application will still run?
Thank you
Alex
DigiCert certificates can absolutely be used for kernel mode signing - VeriSign & GlobalSign aren't mandatory, but they may have been the only ones supported at the time of the linked post. DigiCert officially announced kernel mode signing capabilities in February (http://www.digicert.com/news/2012-02-28-kernel-mode-code-signing.htm).
For your second question - you won't be able to sign new trusted applications after the certificate expires, but users can continue running the application if it was timestamped when it was signed.
DigiCert's instructions on timestamping can be found at http://www.digicert.com/code-signing/signcode-signtool-command-line.htm.
In full disclosure, I'm the VP of Marketing at DigiCert. Saw this post come up and thought I could help :-). If you have any other questions, feel free to reach out to our support team 801-896-7973.
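The two answers above come down to two checkable properties of a signed file: whether the signature carries a timestamp counter-signature, and whether the signing certificate contains the lifetime-signer EKU (OID 1.3.6.1.4.1.311.10.3.13) that makes the signature die with the certificate even when timestamped. The following PowerShell is an added example, not code from DigiCert or from any of the posters: it signs a binary with an RFC 3161 timestamp using signtool.exe and then reports both properties. It assumes signtool.exe from the Windows SDK is on PATH, that the certificate is in the CurrentUser\My store, and that the file path and thumbprint are placeholders you replace.

```powershell
# Added example: sign with a timestamp, then check whether the signature will
# outlive the certificate. Paths and thumbprint below are placeholders.

$File       = 'C:\build\MyApp.exe'               # placeholder: file to sign
$Thumbprint = '<SHA1 thumbprint of your cert>'   # placeholder: selects the cert in CurrentUser\My
$TsaUrl     = 'http://timestamp.digicert.com'    # DigiCert's public RFC 3161 timestamp server

# 1. Sign with a SHA-256 file digest and an RFC 3161 timestamp (/tr, /td).
#    Without /tr, Windows treats the signature as invalid once the certificate's
#    NotAfter date passes, which is the symptom described in the earlier question.
& signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr $TsaUrl /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Inspect the signature the way Windows sees it. Get-AuthenticodeSignature exposes
#    the signer certificate and, if present, the timestamping certificate.
function Test-SignatureLongevity {
    param([Parameter(Mandatory)][string]$Path)

    # OID_KP_LIFETIME_SIGNING, quoted from the Microsoft footnote in the earlier answer
    $lifetimeSigningOid = '1.3.6.1.4.1.311.10.3.13'

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    # The Enhanced Key Usage extension lists the purposes the CA allowed for this key.
    $eku = $signer.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasLifetimeSigner = $false
    if ($eku) {
        $hasLifetimeSigner = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $lifetimeSigningOid })
    }

    # TimeStamperCertificate is $null when the signature carries no timestamp.
    $isTimestamped = $null -ne $sig.TimeStamperCertificate

    [pscustomobject]@{
        Path              = $Path
        Status            = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        SignerExpires     = $signer.NotAfter
        IsTimestamped     = $isTimestamped
        HasLifetimeSigner = $hasLifetimeSigner
        # The signature keeps verifying after NotAfter only if it is timestamped
        # AND the certificate does not carry the lifetime-signer EKU.
        SurvivesExpiry    = $isTimestamped -and -not $hasLifetimeSigner
    }
}

Test-SignatureLongevity -Path $File | Format-List

# Cross-check with signtool's own verifier; with /v it prints the timestamp details.
& signtool.exe verify /pa /v $File
```

Run Test-SignatureLongevity against a binary signed with your current certificate before buying a replacement: if HasLifetimeSigner is true, no amount of timestamping will keep that signature valid past the certificate's expiry, and that is the thing to raise with the vendor.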

Sign application with a certificate in ClickOnce deployment

For my Windows-based application, I would like to use ClickOnce as the deployment technology. My application will be distributed via the Internet.
In the article ClickOnce and Authenticode, I read that:
For ClickOnce applications, you must have an Authenticode certificate that is valid for code signing. You can obtain a certificate for code signing in one of three ways:
1. Purchase one from a certificate vendor.
2. Receive one from a group in your organization responsible for creating digital certificates.
3. Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK).
In my case, number 2 is not applicable.
As I read a few rows later:
By default, ClickOnce applications signed with self-certs and deployed over the Internet cannot utilize Trusted Application Deployment.
(Emphasis mine.)
I cannot understand the meaning of this by default. Is the option #3 possible or not in my case?
And then, to understand all the possibilities, what does #1 imply ("Purchase one from a certificate vendor")? What kind of certificate should I buy? Which certificate authority can be recommended? What should my choice depend on? How much does a certificate cost?
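To make the "by default" in the quoted article concrete: a self-signed certificate (option 3) lets Windows check that the file has not been altered since signing, but no other machine trusts it as a publisher unless its root has been installed there, which is why it cannot give you Trusted Application Deployment out of the box, whereas a vendor-issued certificate (option 1) chains to a root Windows already trusts. The PowerShell below is an added example, not from the question or the article: it creates a self-signed code-signing certificate with New-SelfSignedCertificate (the current replacement for MakeCert.exe), signs a file with it, and reports how the chain evaluates. The subject name and file path are placeholders.

```powershell
# Added example: test-sign with a self-signed certificate and show why it
# yields "unknown publisher" elsewhere. Subject and path are placeholders.

$Subject = 'CN=Example Dev Test Signing'   # placeholder subject
$File    = 'C:\build\MyApp.exe'            # placeholder file to test-sign

# 1. Create a code-signing certificate in the current user's personal store.
#    -Type CodeSigningCert sets the Code Signing EKU (1.3.6.1.5.5.7.3.3).
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)

# 2. Sign the binary. A timestamp server keeps the signature verifiable after NotAfter.
$null = Set-AuthenticodeSignature -FilePath $File -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'

# 3. Report what Windows concludes. On any machine that does not trust this
#    self-signed root, Status is not 'Valid' even though the file hash matches.
function Get-SigningTrustReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $signer  = $sig.SignerCertificate
    $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainOk = $chain.Build($signer)   # $false when the chain ends in an untrusted root

    [pscustomobject]@{
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Subject       = $signer.Subject
        SelfSigned    = $signer.Subject -eq $signer.Issuer
        ChainTrusted  = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-SigningTrustReport -Path $File | Format-List

# ClickOnce manifests themselves are signed with mage.exe rather than
# Set-AuthenticodeSignature; the same certificate is referenced by thumbprint:
#   mage.exe -Sign MyApp.application -CertHash $cert.Thumbprint -TimestampUri http://timestamp.digicert.com
```

The report is the useful part: with a self-signed certificate you will see SelfSigned true and ChainTrusted false on every machine but the one where you created it, and that is exactly the gap a purchased Authenticode certificate closes.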
It must be a "Microsoft Authenticode Certificate". It allows us to sign all kinds of Windows executables and code, including .exe, .cab, .dll, .ocx, and .xpi files.
It is not mandatory to sign an application, but if we do it our users won’t see a warning message stating that the author of the software is unknown.
Microsoft Authenticode Certificates need to be issued by a trusted certificate authority. Unfortunately, the prices are quite expensive. More information and some examples are on the page Microsoft Authenticode Certificates.
UPDATE I purchased the certificate through KSoftware, which is a Comodo retailer. The price is quite good compared to alternatives: $95/year. The process is faster than I expected: I applied in the morning and in the evening my certificate was already available. (For those interested, I followed this step-by-step guide.)
See my answer to Stack Overflow question How to sign a ClickOnce application.
I would definitely suggest getting a proper code-signing certificate - your application install screen will look much nicer in this case.
(StartCom CA has been closed since Jan. 1st, 2018.) I got my code-signing certificate from http://startssl.com - and it was $100 or so in total (and you get a wild-card domain certificate for your website as well as a bonus).
It's much cheaper than going with VeriSign or TrustWave.