Code Signing Certs - what do you do?

Don't use a cert - don't plan to (our users are intelligent): 11% (5 votes)
Verisign: 23% (11 votes)
Thawte: 11% (5 votes)
Comodo.net: 30% (14 votes)
Got one super-cheap from somewhere else (and it works): 26% (12 votes)
Got one super-cheap from somewhere else (and it DOESN'T work): No votes (0)

Total votes: 47

rwatson
Posts: 17
Joined: Fri Nov 10, 2006 11:34 pm
Location: Oregon

OT: Where to get Code Signing Certificate?

This isn't a common problem of AI, but more of a common problem for deployment. Given the excellent feedback everyone seems to get in here, I figured this would be an appropriate place to post this question.

Where do you get your code signing certs?

Verisign feels that their cert is worth $500/year (officially $499 or $471-ish/year if you buy 3 years up front). Granted if you go to Microsoft and download some stuff the first year or two will be cheaper, but that's only the first year.

Thawte has a significant "sale" of $200/year (renewing at $160/year). Cute, but why is theirs cheaper? (Just for info, it appears that AI is signed with a Thawte cert).

Comodo.net has them for $100/year ($90/year if you buy 2 years). Now, what is this about?

I know you could say I'm getting what I pay for, but - really? I mean, is the certificate from Verisign really 5x better than the one from Comodo? Do any of these cheap code signing places work? (I mean it's all about a trust chain and if you aren't in it then your cert ain't worth a dime.)

Help!

I think I'll add a poll here.
ves2006
Posts: 11
Joined: Tue Jan 09, 2007 2:16 pm

Hi,
you're right, it's all about the trust chain. If you obtain code signing certificate from well known (accepted) public certification authority like Verisign, Globalsign, Thawte, their certificate chain is distributed with the most popular browsers (and OSs), so the users will trust your signing certificate by default. But if you buy one from unknown certification authority, you'll face the problem of distributing the CA's certificate chain along with your certificate, which is obviously unacceptable in the case of code signing certificates.
In my opinion Thawte is a good choice (I think that they're owned by Verisign).
If you can afford it the best choice no doubt is Verisign, because they're the most honored name in this field.

Regards,
Vladislav Evgeniev
brian
Posts: 39
Joined: Tue Nov 29, 2005 5:30 pm
Location: California, USA

I've had both Thawte and Comodo for digital signing and I like Thawte much better. Not that there's any difference in the actual certificate, but the signing authority certificate is cleaner with Thawte. My Comodo SA cert has a funky name (UTN-User_Trust - or something like that) that's just too weird. Thawte also has pretty good instructions, I think better than Verisign. We do use Comodo for our web certificates, which has proven great.

I'd avoid Verisign like the plague. They're more expensive in EVERYTHING (domain registration, etc) and you don't get any bigger bang for your buck.
mumbles76
Posts: 29
Joined: Mon Nov 16, 2015 7:29 pm

Re: OT: Where to get Code Signing Certificate?

One extra thing to consider is if you are deploying to systems without an internet connection. Some of the 1st-tier certificate providers (Verisign, Thawte) will have their root CA certificates in Windows by default, without having to run Windows Update to get updated root CA certs.

We used a 3rd-tier provider (I cannot disclose the name) and they validated up the chain to some rather obscure root certificates that had to be deployed to machines manually. We luckily found a download here: http://download.windowsupdate.com/msdow ... otsupd.exe but it would have been better to have had a cert which had validation by default, instead of downloading and installing the updated root certs.

Just my .02
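
A check for the offline case described in the post above, as an added example that is not part of the original thread: it reports the Authenticode verdict for a signed file and whether the top of its chain is already in the machine's Trusted Root store. The path `.\Setup.exe` is a placeholder; run it on the disconnected target so that nothing can be fetched from the network.

```powershell
# Added example, not from the thread. '.\Setup.exe' is a placeholder path.
param([string]$Path = '.\Setup.exe')

# Get-AuthenticodeSignature reports the verdict Windows itself reaches for the file.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    throw "No Authenticode signature found on $Path"
}
"Signature status: $($sig.Status) - $($sig.StatusMessage)"

# Rebuild the signer's chain from the certificates available on this machine.
# NoCheck skips CRL/OCSP lookups, which a disconnected host cannot perform.
# Caveat: intermediates embedded only in the file's signature are not passed
# to this chain, so a PartialChain here means "not in the local stores".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($sig.SignerCertificate)

# One row per chain element, leaf first, with any per-element errors.
$rows = foreach ($element in $chain.ChainElements) {
    [pscustomobject]@{
        Subject    = $element.Certificate.Subject
        Issuer     = $element.Certificate.Issuer
        Thumbprint = $element.Certificate.Thumbprint
        Errors     = ($element.ChainElementStatus.Status -join ', ')
    }
}
$rows | Format-List

# The last element is the root when the chain is complete.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$selfIssued  = $top.Subject -eq $top.Issuer   # heuristic for "this is a root"
$inRootStore = Test-Path -Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"

if (-not $selfIssued) {
    "Chain is incomplete: the issuer of '$($top.Subject)' is not available locally."
} elseif (-not $inRootStore) {
    "Root '$($top.Subject)' is not in LocalMachine\Root and must be deployed to offline machines."
} elseif ($built) {
    "Chain builds to a root that is already trusted on this machine."
} else {
    "Root is trusted, but the chain has errors: $($chain.ChainStatus.Status -join ', ')"
}
```
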
redzion
Posts: 58
Joined: Sun Sep 07, 2014 3:38 pm

Re: OT: Where to get Code Signing Certificate?

http://www.ksoftware.net/

Best support. Trust me... I have used their service for several years... Once I made a mistake with the certificate data and they repaired it and issued me a new certificate with correct data for free...

Must say... I recommend them..

They sell COMODO signing certificate.
jasoncd
Posts: 49
Joined: Thu Jan 29, 2009 4:48 pm

Re: OT: Where to get Code Signing Certificate?

We only just started using ksoftware. Cheap and works great.
shery01
Posts: 1
Joined: Tue May 16, 2017 3:45 pm

Re: OT: Where to get Code Signing Certificate?

Verisign feels that their cert is worth $500/year (officially $499 or $471-ish/year if you buy 3 years up front). Granted if you go to Microsoft and download some stuff the first year or two will be cheaper, but that's only the first year.
vitalbrands
sanjayb
Posts: 1
Joined: Tue Jul 31, 2018 9:21 am

Re: OT: Where to get Code Signing Certificate?

Comodo is the best choice that protects your brand and assures your worldwide customer base that the software they are downloading is authentic.
Features of Comodo Code Signing Certificate-

- Digitally sign 32-bit or 64-bit Portable Executable (.exe, .ocx, .dll or other) or .cab files
- Create a trusted sales outlet
Wherever they download from, your customers can be sure they are receiving the genuine software
- Ensure authenticity
Assures users that they know the publisher of the software
- Ensure integrity
Verifies that code has not been tampered with since publication
- Widely supported
Compatible with Microsoft Authenticode, Adobe Air, Java, Microsoft Office, Apple, Mozilla, Silverlight, Windows 8, Windows 7 and Windows XP
Discover more here
https://comodosslstore.com/code-signing
phpinterview1991
Posts: 1
Joined: Fri Nov 23, 2018 12:47 pm
Location: India

Re: OT: Where to get Code Signing Certificate?

Check the link given below; maybe it will help you.
viewtopic.php?t=30439
:) :)
burnersk
Posts: 43
Joined: Mon Mar 25, 2019 12:26 pm

Re: OT: Where to get Code Signing Certificate?

I use code signing certificates from Certum, a Polish trusted certification authority.

Certum's code signing certs usually start from 25€ (Open Source) via 129€ (Standard) to 359€ (EV, e.g. for Windows kernel mode drivers).

The identity validation is reliable, and not impossible with e.g. Comodo. For example, with Comodo there is no legal way to get your identity validated in Germany; the notaries performing Comodo's validation requirement are actually breaking the law (a notary told me). Comodo required the proof to be received via email or fax only; in Germany a notary is only allowed to use physical paper with a physical seal on the physical paper, which Comodo excludes.
Catalin
Posts: 7513
Joined: Wed Jun 13, 2018 7:49 am

Re: OT: Where to get Code Signing Certificate?

Hello,

Thank you for your suggestion.

I am sure this will be of help for further users.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
lignumsoft
Posts: 8
Joined: Fri Dec 18, 2015 10:19 am

Re: OT: Where to get Code Signing Certificate?

Did anybody use certificates from Certum EV, a Polish trusted certification authority, and sign with it in Advanced Installer 17? Is it supported and did it work?

I am deciding between
- Certum EV - https://en.sklep.certum.pl/data-safety/ ... ining.html
or
- Sectigo EV Code Signing Certificate

Which will work with any problems with Advanced Installer 17?
lignumsoft
Posts: 8
Joined: Fri Dec 18, 2015 10:19 am

Re: OT: Where to get Code Signing Certificate?

Any info? Anybody?
Catalin
Posts: 7513
Joined: Wed Jun 13, 2018 7:49 am

Re: OT: Where to get Code Signing Certificate?

Hello,

Please see above (burnersk's answer):
I use code signing certificates from Certum, a Polish trusted certification authority.

Certum's code signing certs usually start from 25€ (Open Source) via 129€ (Standard) to 359€ (EV, e.g. for Windows kernel mode drivers).

The identity validation is reliable, and not impossible with e.g. Comodo. For example, with Comodo there is no legal way to get your identity validated in Germany; the notaries performing Comodo's validation requirement are actually breaking the law (a notary told me). Comodo required the proof to be received via email or fax only; in Germany a notary is only allowed to use physical paper with a physical seal on the physical paper, which Comodo excludes.
Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
a.guelle
Posts: 98
Joined: Tue May 19, 2015 2:23 pm

Re: OT: Where to get Code Signing Certificate?

Hi everyone,

we bought our EV certificate from Entrust via the reseller LeaderTelecom B.V. (www.LeaderSSL.com).
Technically the certificate seems to work well so far.

The reason to invest a little bit more comes into play as soon as you need help from the support.

In our case I locked the eToken with too many attempts to use a wrong password. This issue can happen fast if you try to automate code signing. Normally you have an administrator password for this case, but not when you order at www.LeaderSSL.com. Then you receive your eToken initialized with your private key via mail and without an administrator password.

We were not allowed to talk to Entrust directly but we had to use the support of our vendor www.LeaderSSL.com who did not do anything else than forwarding our E-Mails to Entrust and their answer back to us. At the end Entrust needed 22 days and two Webex sessions with three support engineers on my server to reset our certificate. Luckily I now have an administrator password for the eToken.

So the costs for the certificate have a relation to the service quality and can result in 22 days delivery stop for your software.

Hope this helps in your decision,

Angelo
