Code signing certificate recommendation

Here I found the cheapest price: codesigncert[dot]com[slash]comodocodesigning . But I can’t recommend it since I haven’t used it.

I also remember reading online that retailers tend to give cheaper prices.

As for the tech behind code signing, it doesn’t matter whether you buy the certificate from authority 1 or authority 2. That is why I would go with the cheapest I can find.

If only Microsoft were like Apple and issued code signing certificates as a part of their developer program, the world would’ve been a better place.

1 Like

+1 for KSign. We use them as well.

I use ksign. I recommend buying a certificate with the maximum possible duration, as it can be a real pain each time to acquire, no matter who the provider is.

4 Likes

Another vote for KSoftware. As @SteveMcLeod says, get a longer duration one to reduce the hassle of yearly renewals.

Another vote for KSign. Btw, they’re a Comodo reseller, so Comodo does the verification part and delivers the certificate. I also recommend purchasing the maximum available duration. However, if money is tight, the renewal process is a bit less demanding than the first purchase. At least in my case they found the company record in some DUNS database, and all I had to do was answer an automated call.

I’ll go against the grain and say you should shell out the extra cash and buy an EV code-signing cert/dongle. Yes, it will cost more in the short term, but you have the added benefit of automatically being trusted by Microsoft’s SmartScreen.

We use Digicert’s EV cert and we’re happy with it: https://www.digicert.com/code-signing/ev-code-signing/

More information about that here:

If being trusted by SmartScreen isn’t important to you, then yeah, go with whatever is cheapest.

1 Like

Re: EV vs OV.

Wyatt is for EV, and it makes sense… but it also costs a lot more. For software with no revenue yet, the difference is important.

Folks, in your experience, how quickly does an OV cert get trusted by SmartScreen?

It took a couple of weeks for me.

2 Likes

Is there any chance the Google crackdown on Symantec as a root CA is also going to affect desktop signing? Most recent article I found explaining this was The Register on Feb 7th 2018

It’s unlikely. It would require Microsoft to revoke Symantec from the trusted CAs in their Authenticode system. So, it’s not up to Google at all. And Microsoft has made no announcement suggesting that would happen. Also, EV code-signing certs (which are different from EV SSL certs) require a second factor of authentication (usually a dongle). Meaning EV certs cannot be spoofed or stolen (or mis-issued) without that second factor.

How does it work for the builds? Do you have to insert the dongle every time you prepare the installation package?

Yep. Or just leave it in. In our setup, we have a dev-server machine with the dongle plugged in it that builds and signs the “release” builds as just another step in the process. This way our developers (who have permission to make release builds) can run the builds on that dev-server without needing access to the dongle itself.

I recommend/use Comodo.

Having said that, please note that getting rid of the “warning” message will not be as easy as you think.
In fact, I’m going through the same process myself: even though you sign your app, Windows Defender on Win10 will still consider it “bad”, and by default will warn users not to install it.

You will need to use something like Desktop Bridge, and then add your app to the Windows Store. I’m in the process of learning how to do it. Doesn’t seem like a very complicated process, but still, it will set you back a few days.

To get you started:

https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root

P.S. When signing your app with the certificate, I recommend you sign all your .EXEs, and then sign the setup kit.
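The release flow described earlier in the thread (a build machine with the dongle plugged in that signs the release builds as one more build step) and the advice just above (sign every .EXE first, then the setup kit) can be scripted as follows. This is an added example, not code from the thread, from KSign/Comodo/Sectigo or from any CA's documentation. It assumes signtool.exe from the Windows SDK is on PATH, that the certificate is visible in the current user's certificate store (an EV token's driver exposes it there; an OV .pfx would be imported), and that the thumbprint, timestamp URL, paths and parameter names are placeholders you replace with your own.

```powershell
# Added example (not from the thread): sign every .exe/.dll in the build output, then
# the installer, then verify each file independently. Assumptions: signtool.exe is on
# PATH, the signing cert is in the user's certificate store, and the thumbprint and
# timestamp URL below are placeholders for your own values.
param(
    [string]$OutDir       = ".\build\Release",            # placeholder path
    [string]$Installer    = ".\build\MyAppSetup.exe",     # placeholder path
    [string]$Thumbprint   = "0000000000000000000000000000000000000000",  # placeholder
    [string]$TimestampUrl = "http://timestamp.digicert.com"  # your CA's RFC 3161 endpoint
)

$ErrorActionPreference = "Stop"

function Invoke-Sign([string]$Path) {
    # /fd SHA256: file digest; /tr + /td SHA256: RFC 3161 timestamp, so the signature
    # stays valid after the certificate expires; /sha1 selects the cert by thumbprint so
    # a second, unrelated cert in the store can never be picked by accident.
    & signtool sign /fd SHA256 /tr $TimestampUrl /td SHA256 /sha1 $Thumbprint /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $Path" }
}

function Test-Signed([string]$Path) {
    # Independent check via PowerShell's own Authenticode verification: status must be
    # Valid, the signer must be our cert, and a timestamp countersignature must exist.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "$Path : $($sig.Status) - $($sig.StatusMessage)" }
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) { throw "$Path signed by unexpected cert" }
    if (-not $sig.TimeStamperCertificate) { throw "$Path has no timestamp countersignature" }
}

# 1. Sign the payload first: every PE file that will end up inside the installer.
$payload = Get-ChildItem -Path $OutDir -Recurse -Include *.exe, *.dll -File
foreach ($f in $payload) {
    Invoke-Sign $f.FullName
    Test-Signed $f.FullName
}

# 2. Only then package and sign the installer, so the signed payload is what ships.
#    (Your setup-kit build step goes here; the installer is assumed to exist already.)
Invoke-Sign $Installer
Test-Signed $Installer

# 3. Final pass with signtool's verifier under the default Authenticode policy (/pa),
#    which is the policy Windows applies to downloaded installers, not the kernel one.
& signtool verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "verification failed for $Installer" }
```

Two practical notes. First, the order matters: if you sign the installer and only afterwards sign the binaries inside it, the installer's signature no longer matches its contents. Second, with an EV token the driver will ask for the PIN on every signing operation; an unattended build server only works if the token vendor's client software is configured to keep the PIN for the session (or the signing step runs in an interactive session on that machine), which is the trade-off the "leave the dongle in the dev-server" setup above is making.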

Right, that’s Microsoft Smart Screen. Hence my advice to ditch old style code-signing certificates and jump to something that solves the whole problem (EV code-signing certs).

Ouch, got it, thanks!
Now I’m curious: if I make an app, sign it with non-EV certificate, use Desktop Bridge to publish it on Microsoft Store, would that still show the SmartScreen warning?
I did a bit of search on google, and so far I’m not sure what the answer would be.

@SteveMcLeod Is that time-dependent or number-of-downloads dependent?

Hard for me to tell, I’m afraid, because I’ve only been through this process twice.

Alright, I’ve bought an OV cert from KSign.

They redirected me to a company called SECTIGO, which is supposed to verify my business info.

Your order is awaiting for physical address and phone number verification.

This company suggested getting an accreditation at BBB or similar organization. OK, can do. However, the membership in BBB is $500+/yr. That’s more than the cert itself.

Before I drop this half-grand for membership I truly do not need, maybe there are less expensive ways to confirm the business info?

Any hints?

P.S. To be more specific, the business is in Canada.

Don’t know about Canada and Sectigo, but I verified the address by providing a Visa Business card listing, and public company registration and tax records. Serbia, 4-5 years ago. When I extended the certificate a few months ago, the business was already in the DUNS database and that was enough. Don’t know how it ended up in DUNS; maybe they scrape public records.

1 Like

Thanks for the idea. I’ll check with Sectigo if they’re OK with notarized papers from bank.

I was hoping I’m already in DUNS, given that the government of Canada shares those records with interested businesses, but the DUNS search UI just searches forever, so there is no way to tell if it found me or not. Gonna try again later.