What is a good (trustworthy but inexpensive) place to get a code signing certificate? I am looking into signing a setup so it does not show the yellow UAC dialog with "unknown publisher"..
I use Comodo through KSign. http://codesigning.ksoftware.net/ and I am very happy. I am a member of the ASP and so is the owner of KSign. It requires a Business License or DBA if you do not want it for personal use. Works great with Inno Setup as well.
Comodo and KSign. I have to say it was a pain in the a*$e proving that my company was actually my company. But I think it adds a touch of professionalism which is noticed by users (maybe even just at the subconscious level)
I recommend https://www.startssl.com. I followed this guide http://blog.assarbad.net/20110513/startssl-code-signing-certificate in order to get it. I received verification letter by post (it took about 2 weeks to get this whole thing done), but I think $59 for 2 years is the best price you can get. Before that I used certificate from Tucows, but that one is more expensive.
I'll add my voice to KSign - The only stumbling block (as previously alluded to) was in my case verifying a Google Voice phone - for which I needed to get listed in a phone registry. It just added a little extra leg work but that would likely happen with any of the certs issuers.
My last re-issue went flawlessly even though I had allowed it to lapse for several months.
I have the same question, can anybody outside of the US share some experience on 'proving you are yourself' as an individual when applying a certificate? The last time I had to cancel my order because I did not know how to proceed, the Comodo support is only helpful on sending me boilerplate documents.
I'm also looking for that and outside US - the cheapest I found so far (I'm in Brazil) is GoDaddy but still expensive at U$ 200 for une year or U$ 160 for 2 years. those mentioned - Comodo, Tucows and KSign - work outside US?
Hi guys, I own K Software and would be happy to help anyone here get a code signing certificate. I'll beat any pricing you find for a comparable product and help you through the whole process.
Comodo issues certs all over the world, though the individual process has changed pretty drastically in recent years (and I think Comodo is only one of two CAs that will even do them now). I'm happy to explain the process to anyone in detail, just drop me an email or give me a call. support@ksoftware.net or (+1)859-514-0754.
To summarize -- you have to fill out an affidavit and get it notarized or signed by a CPA/Attorney. That part of the process is easier in some countries than others.. By far the easiest validation process is a company validation.
Just went through the startsll.com personal Class 2 identity validation! The cost is $59 per year, but the *best* part is that, for an individual, the validation process is much easier then what I experienced with Comodo few years ago - what I needed to do is just uploading two of your ID documents, a picture of mine holding my ID card, a picture my debit card and transfer 0.1 to a bank account provided by startCOM. Tried signed a program of mine. Tried signed an EXE under Win7, initial tests show that the digital signature is recognizable under both Win7 and XP.
Unfortunately all of your signatures will expire with your certificate with a cert from StartSSL. Timestamping isn't supported.. Code Signing standards were ratified this year, so all CAs will have to start playing by the same rules very soon.
Mitchell Vincent But the startcomtool.exe has a Timestamp button and it worked for me, am I wrong on this? And can you be specific on the other two issues you mentioned? Do you have any personal clients from China that get's passed the validation checking recently? Thanks.
Hi Edwin -- the trouble will come in when your certificate expires. Any copies of signed files in your customer's hands will have their signature invalidated. Essentially timestamping is ignored when you sign with their certs.
"StartCom's class 2 certificates have the Lifetime Signing OID set. Because of this bit, the signature of signed code will become invalid after the certificate expires, even when it's timestamped."
With the new Code Signing Baseline Requirements recently approved by Microsoft, I don't know how they'll continue to issue certs like they have in the past. My experience with customers that come from StartSSL say that they went through virtually no real validation process.
As far as clients from China go - yes, but very few. From what I've been able to gather most CAs have local companies set up in China to issue certificates as there is significant trouble verifying business registration and personal ID documents from outside China.
Mitchell Vincent Thanks for the stackoverflow.com link! I read through the answer from where you take excerpt, and I noticed a comment added Jan 31, 2016: Update on StartCom: The code certificates *now don't have Lifetime Signing OID set*. They are now as good as every other code signing cert. For organization validations, there is even kernel code signing included. – Josef
We buy our Comodo code signing certificate through Tucows. It was by far the cheapest option we could find - $195 for 3 years. You need to signup for a Tucows account first. https://author.tucows.com/index.php?action=auth&redirect=certs.php
ReplyDeleteI use Comodo through KSign. http://codesigning.ksoftware.net/ and I am very happy. I am a member of the ASP and so is the owner of KSign. It requires a Business License or DBA if you do not want it for personal use. Works great with Inno Setup as well.
ReplyDeleteMichael Riley +1 for KSign. Using it for several years now without problems.
ReplyDeleteGoDaddy are £118 - K software next time maybe - by the looks of it, they guarantee cheapest :-)
ReplyDeleteComodo and KSign. I have to say it was a pain in the a*$e proving that my company was actually my company. But I think it adds a touch of professionalism which is noticed by users (maybe even just at the subconscious level)
ReplyDeleteI recommend https://www.startssl.com. I followed this guide http://blog.assarbad.net/20110513/startssl-code-signing-certificate in order to get it. I received verification letter by post (it took about 2 weeks to get this whole thing done), but I think $59 for 2 years is the best price you can get. Before that I used certificate from Tucows, but that one is more expensive.
ReplyDeleteI'll add my voice to KSign - The only stumbling block (as previously alluded to) was in my case verifying a Google Voice phone - for which I needed to get listed in a phone registry. It just added a little extra leg work but that would likely happen with any of the certs issuers.
ReplyDeleteMy last re-issue went flawlessly even though I had allowed it to lapse for several months.
I have the same question, can anybody outside of the US share some experience on 'proving you are yourself' as an individual when applying a certificate? The last time I had to cancel my order because I did not know how to proceed, the Comodo support is only helpful on sending me boilerplate documents.
ReplyDeleteI'm also looking for that and outside US - the cheapest I found so far (I'm in Brazil) is GoDaddy but still expensive at U$ 200 for une year or U$ 160 for 2 years. those mentioned - Comodo, Tucows and KSign - work outside US?
ReplyDeleteHi guys, I own K Software and would be happy to help anyone here get a code signing certificate. I'll beat any pricing you find for a comparable product and help you through the whole process.
ReplyDeleteDrop me a line!
We also use KSign. The validation calls are made from India but they will call during German business hours.
ReplyDeleteComodo issues certs all over the world, though the individual process has changed pretty drastically in recent years (and I think Comodo is only one of two CAs that will even do them now). I'm happy to explain the process to anyone in detail, just drop me an email or give me a call. support@ksoftware.net or
ReplyDelete(+1)859-514-0754.
To summarize -- you have to fill out an affidavit and get it notarized or signed by a CPA/Attorney. That part of the process is easier in some countries than others.. By far the easiest validation process is a company validation.
i get mine from ksoftware - Comodo, working like a charm :)
ReplyDeleteMitchell Vincent Will contact you when I have the time to handle this again.
ReplyDeleteJust went through the startsll.com personal Class 2 identity validation! The cost is $59 per year, but the *best* part is that, for an individual, the validation process is much easier then what I experienced with Comodo few years ago - what I needed to do is just uploading two of your ID documents, a picture of mine holding my ID card, a picture my debit card and transfer 0.1 to a bank account provided by startCOM. Tried signed a program of mine. Tried signed an EXE under Win7, initial tests show that the digital signature is recognizable under both Win7 and XP.
ReplyDeleteUnfortunately all of your signatures will expire with your certificate with a cert from StartSSL. Timestamping isn't supported.. Code Signing standards were ratified this year, so all CAs will have to start playing by the same rules very soon.
ReplyDeleteMitchell Vincent But the startcomtool.exe has a Timestamp button and it worked for me, am I wrong on this? And can you be specific on the other two issues you mentioned? Do you have any personal clients from China that get's passed the validation checking recently? Thanks.
ReplyDeleteHi Edwin -- the trouble will come in when your certificate expires. Any copies of signed files in your customer's hands will have their signature invalidated. Essentially timestamping is ignored when you sign with their certs.
ReplyDelete"StartCom's class 2 certificates have the Lifetime Signing OID set. Because of this bit, the signature of signed code will become invalid after the certificate expires, even when it's timestamped."
http://stackoverflow.com/questions/1177552/code-signing-certificate-for-open-source-projects
With the new Code Signing Baseline Requirements recently approved by Microsoft, I don't know how they'll continue to issue certs like they have in the past. My experience with customers that come from StartSSL say that they went through virtually no real validation process.
As far as clients from China go - yes, but very few. From what I've been able to gather most CAs have local companies set up in China to issue certificates as there is significant trouble verifying business registration and personal ID documents from outside China.
Mitchell Vincent Thanks for the stackoverflow.com link! I read through the answer from where you take excerpt, and I noticed a comment added Jan 31, 2016: Update on StartCom: The code certificates *now don't have Lifetime Signing OID set*. They are now as good as every other code signing cert. For organization validations, there is even kernel code signing included. – Josef
ReplyDelete