matelich
Posts: 7
Joined: Fri Dec 05, 2008 6:38 pm

Digicert smctl expenses

Following on from viewtopic.php?p=133164&sid=e1ed95e1ff22 ... 9d#p133164

Seems like lots of people buy the DigiCert cloud signing product without reading the fine print, which is ~$1000/yr and only gets you 1000 signatures. Additional blocks of 1000 signatures are ~$270. For a single packaging of one installer, I used 31 signatures. We have 3 flavors of installers that we (used to) build nightly, with a main one on demand with each commit.

I'm not sure if there's anything you can do here; I don't see any support for batching multiple files to save on signatures, but I figured it's worth a shot to ask. I think our nightly builds might have to become unsigned...
matelich
Posts: 7
Joined: Fri Dec 05, 2008 6:38 pm

Re: Digicert smctl expenses

The batching request in the cited post would not help, according to their chat bot:
"Each binary or artifact signed consumes one signature unit, and signing multiple files in a batch does not reduce the signature unit cost."
Catalin
Posts: 7504
Joined: Wed Jun 13, 2018 7:49 am

Re: Digicert smctl expenses

Hello,
"I'm not sure if there's anything you can do here"
I'm afraid you are correct here.

Unfortunately, there isn't something we can do on our end to decrease the number of signed files.

In order for everything to work as expected, you would have to have all files signed from your package + the package itself.

The solution here would be exactly what you said, to have the test packages unsigned and only sign the ones that will be released.

Thank you for your understanding!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Bogdan
Posts: 2794
Joined: Tue Jul 07, 2009 7:34 am

Re: Digicert smctl expenses

You might want to try other cloud certificate/signing providers, Azure Trusted Signing seems to include 5000 signatures per month in their basic tier.

https://azure.microsoft.com/en-us/prici ... d-signing/

It is not recommended to skip signing binaries from your package because most antivirus solutions today consider the digital signature a partial trust sign. You might also encounter issues with Smart App Control or SmartScreen.
Bogdan Mitrache - Advanced Installer Team