Code Signing – It’s Cheaper and Easier than You Thought

60 Comments December 20, 2007

One of the things I've always wanted to do, but never got around to, is figuring out how to sign my code. Like most developers, I never really worried about code signing until Vista came along. Maybe it's just because I'm completely anal retentive, but I always felt a little guilty when my applications or installations that need administrator privileges show the dreaded UAC Cancel/Allow dialog:

To me, that just looks a bit unprofessional. I don't want to be known as "Unidentified Publisher." The main reason small shops or independent developers don't sign their applications is that the cost of a code signing certificate, sometimes called an ID, has always been very high. Checking VeriSign right now, they want $499 USD for a one year certificate and $1,293 USD for a three year certificate. For that much money you can get a pretty nice laptop. Thus began my quest to see if I could get a code signing certificate for a reasonable price.

In this blog entry I'll show where I got a reasonably priced certificate and how to get your binaries and installs signed correctly. As I was reading up on how to make everything work, there was no one place that showed all the parts, from buying a certificate, to getting it on your machine, to getting your code signed in the real world. Hopefully this will help you out if you want to or are required to code sign.

Searching for code signing certificates turns up numerous companies that will sell you a certificate with prices ranging from $179 USD to $499 USD per year. They all offer cheaper options if you buy three year certificates, but they still cost more than a single developer probably wants to pay. Fortunately, the day I thought about getting a code signing certificate, Omar Shahine mentioned that TUCOWS (I'm so old I remember the original "The Ultimate Collection of Winsock Software" web site!) is reselling Comodo digital certificates at $80 USD per year at their author specific web site. Even better is the three year price of $195 USD. That was a price I could justify spending with the Robbins household CFO, AKA my wife.

After you purchase the certificate, you have to prove who you are. That's the whole reason it's called a "trusted certificate" in the first place. If you want the certificate in your name alone, you'll need to fax them a copy of your driver's license that shows the address you specified in the sign up pages. If you want a company name on the certificate you'll need to fax Comodo copies of your company's articles of organization and a business tax license. As I wanted my certificate to say "John Robbins/Wintellect" I faxed three documents and Comodo happily issued a certificate.

I had some trouble with the registration process at Comodo. Make sure you add https://secure.comodo.net to the list of trusted sites in Internet Explorer so they can properly get you registered and install their trusted root certificate on your computer. You'll have to use the machine you registered with Comodo to retrieve your certificate. One thing that Comodo does not make clear is that they expect you to register at http://support.comodo.com to ensure you really sent in the request and to interact with them if you need to ask questions. Finally, make sure to set any spam filters you are using to allow mail from comodo.com through so when your certificate is issued, you'll actually get the mail. [Edit: 1/17, I want to make clear that the certificate from Comodo is trusted on all computers. You only need to install Comodo's certificate on the machine you are using to buy your certificate.]

When you get the email giving you the download address, you'll click on the link and download your certificate into the certificate cache on the machine. Since you'll want the certificate in file form to make signing easier, you need to get it out of the certificate store. On a Vista computer, the first step is to start the Certificate Manager snap-in, by running "certmgr.msc." The certificate downloaded from Comodo is in the Personal\Certificates section and the issuer is UTN-UserFirst-Object.

Right click on the certificate and select All Tasks, Export… That will bring up the Certificate Export Wizard. The first decision you'll have to make is whether you want to export the private key with the certificate. In nearly all cases, you'll need to choose "Yes, export the private key." The second decision is what data you want included in the Personal Information Exchange (.PFX) file you're exporting. What I chose to do was the following:

This allows you to have a complete certificate in the .PFX file. I chose to leave the private key in the Certificate Manager so I could export the key in multiple ways, which I'll discuss why in a bit. After clicking the Next button, you'll have to provide a password for the certificate. As I'm using Vista, that's required. A few things I read on the web said that with XP you could export a .PFX file with no password, which seemed quite dangerous to me. It goes without saying that you'll want to be careful with the password and actual .PFX file.

Once you've got the .PFX file on disk, it's time to sign something and that's where SIGNTOOL.EXE comes into play. Visual Studio 2008 Team Editions includes the latest Platform SDK so all you need to do is start a Visual Studio 2008 Command Prompt to get the path environment variable initialized. All that does is run the <Visual Studio Installation Directory>\VC\vcvarsall.bat batch file. If you do not have a Team Edition of Visual Studio, you can download the Vista Platform SDK here.

In the command prompt, type the following command to sign all the files you want to sign: (all one line)

signtool sign /f YourFile.pfx /p <password>
/t http://timestamp.comodoca.com/authenticode <files>

If you're signing a .MSI file, also add the /d command line option to specify the description of your install program so the user will see that instead of the temporary name Windows Installer actually uses for the installation. Once you've signed your binary, you'll look as professional as the big guys:

If you are curious what DbgChooser is, see my January 2000 Bugslayer column in Microsoft Systems Journal.

There are obviously more command line options to SIGNTOOL.EXE you can read about in the documentation. Once you're signing files, you probably want to verify a file is signed properly. Fortunately, SIGNTOOL.EXE has the verify option you can use to check.

signtool verify /pa <files>

Manually signing your binaries is certainly not going to scale, so you'll want to automate the process. For signing .NET assemblies I found an article that talks about how you can use a .PFX file in place of the strong name key (.SNK) file most of us use. As the article says, you'll want to make sure to export the .PFX file without any other certificates by ensuring you do not check "Include all certificates in the certificate path if possible." Following all the steps in the article, I copied the exported key over to a new machine and added the .PFX file. Visual Studio prompted me with the Import Key File dialog asking for the .PFX file password. Typing in the password and clicking OK appeared to work. The problems started when I tried to compile the application. I got the Import Key File dialog again asking for the password, but entering the correct password just got me a message box titled "Error importing key" with the message "Object already exists." Looking through the Certificate Manager, I couldn't find a copy of my certificate anywhere. Wondering if this was an issue because I was running Visual Studio as a regular user, I elevated Visual Studio to have administrator rights and still encountered the same error.

As I started reading about others having similar problems and quickly falling into the bottomless pit of acronyms like OPENSSL, SHA1, PEM, SPN, PVK, and PKCS12, I admit that I gave up. I just want to get my binaries signed, not have to become a super certificate ninja. Since I knew SIGNTOOL.EXE worked, I just needed to wrap it up in an MSBuild target. Looking at the MSBuild documentation, I found the perfectly named SignFile task that's part of MSBuild. Sadly, it only works on Portable Executable (PE) files and won't sign your .MSI files. Equipped with the Exec task in MSBuild, you can pretty much get anything wrapped up quickly:

<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
    <Target Name="PrivateKeySignTask">
      <Error Condition="'$(PrivateKeySignFile)' == ''"
             Text="PrivateKeySignFile property not set for PrivateKeySignTask"/>
      <Error Condition="'$(PrivateKeyPassword)' == ''"
             Text="PrivateKeyPassword property not set for PrivateKeySignTask"/>
      <Error Condition="'$(PrivateKeyTimestampURL)' == ''"
             Text="PrivateKeyTimestampURL property not set for PrivateKeySignTask"/>

      <!-- signtool.exe must be on the PATH; the command must stay on one line -->
      <Exec Command="signtool.exe sign /f $(PrivateKeySignFile) /p $(PrivateKeyPassword) /t $(PrivateKeyTimestampURL) $(PrivateKeySignAdditionalOptions) @(InputPrivateKeySignFiles, ' ')"/>
    </Target>
</Project>

Since writing an MSBuild task derived from ToolTask is straightforward, it'd take about five minutes to make SIGNTOOL.EXE a little easier to use on a larger project.
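To automate the sign and verify steps above without leaving a password in a project file, here is an example script I've added (not code from the original post) that signs a batch of files from PowerShell and then verifies every signature. It keeps the certificate in the Certificate Manager store and selects it by thumbprint; the timestamp URL is the one from the post, while signtool.exe being on the PATH, the product description and the file list are assumptions.

```powershell
# Added example, not from the original post: sign and verify files with the code-signing
# certificate left in the Windows certificate store (Cert:\CurrentUser\My), so the build
# machine never needs the .PFX file or its password on disk.
# Assumes signtool.exe is on the PATH (Visual Studio / Windows SDK command prompt).
param(
    [Parameter(Mandatory = $true)][string[]] $Files,          # .exe/.dll/.msi files to sign
    [string] $Thumbprint,                                      # optional: pin one certificate
    [string] $TimestampUrl = 'http://timestamp.comodoca.com/authenticode',
    [string] $MsiDescription = 'Example Product Setup'        # hypothetical /d text for .MSI files
)
$ErrorActionPreference = 'Stop'

# -CodeSigningCert keeps only certificates with the Code Signing EKU and a private key.
$candidates = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) }
if ($Thumbprint) {
    $candidates = $candidates | Where-Object { $_.Thumbprint -eq $Thumbprint }
}
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw 'No unexpired code-signing certificate with a private key found in Cert:\CurrentUser\My'
}
Write-Host "Signing as '$($cert.Subject)' (thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter))"

foreach ($file in $Files) {
    # /sha1 selects the store certificate by thumbprint instead of /f <pfx> /p <password>;
    # /t adds a timestamp so the signature stays valid after the certificate expires.
    $signArgs = @('sign', '/sha1', $cert.Thumbprint, '/t', $TimestampUrl)
    if ([IO.Path]::GetExtension($file) -ieq '.msi') {
        # /d is what the UAC prompt shows instead of the temporary name Windows Installer uses.
        $signArgs += @('/d', $MsiDescription)
    }
    $signArgs += $file
    & signtool.exe @signArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool sign failed for $file (exit code $LASTEXITCODE)"
    }
}

# Verification: Status is 'Valid' only if the chain builds to a trusted root AND the file
# hash still matches the signature; changing a single byte yields 'HashMismatch'.
$failures = 0
foreach ($file in $Files) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $stamp = if ($sig.TimeStamperCertificate) { 'timestamped' } else { 'NOT timestamped' }
    Write-Host ('{0,-14} {1,-16} {2}' -f $sig.Status, $stamp, $file)
    if ($sig.Status -ne 'Valid') { $failures++ }
}
if ($failures -gt 0) {
    throw "$failures file(s) failed Authenticode verification"
}
```

Run it as `.\sign-and-verify.ps1 -Files .\Setup.msi, .\MyApp.exe` from a prompt where signtool.exe resolves; a non-zero exit from signtool or any non-Valid status stops the build.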

Now with the reasonably priced digital certificates through TUCOWS, you should take a hard look at signing your binaries and installations. It's not required, but it sure looks better on Vista if you do.

Update May 15, 2008: Microsoft lost the link to my column so I changed the Debugger Chooser link to download the code for that issue of MSJ.


60 Comments

  • Daniel Moth December 21, 2007 8:29 AM

    Code signing

  • James Koole December 21, 2007 9:26 AM

    You're not that old. Although, I guess by Internet years having been around since 1993 makes Tucows "old" which may make people who remember both the site, and what the acronym stands for "old" as well. Glad you found what you were after and thanks for the excellent tutorial.

    James from Tucows

  • Jason Haley December 21, 2007 12:06 PM

  • Kevin Daly December 21, 2007 6:01 PM

    I don't have a driver's license - how do they feel about passports?

  • jrobbins December 22, 2007 4:43 PM

    Kevin,

    Good question. I'd send a support request to the folks at Comodo (https://support.comodo.com/). They should be able to get something worked out for you.

    Hope it helps!
    -John

  • Harold December 22, 2007 11:54 PM

    Should you sign all your .dlls? Or just your main .exe?

  • jrobbins December 23, 2007 3:15 AM

    Harold,

    It can't hurt to verify all your PE files.

    -John.

  • Shrike December 24, 2007 12:00 PM

    John,
    the link "http://www.microsoft.com/msj/0100/bugslayer/bugslayer0100.aspx" is broken.

  • BillGoates December 24, 2007 8:54 PM

    It doesn't matter how cheap and easy code signing is, I want to boycott it on principle. Not because of the price, although even $80 a year is much for a single autogenerated number.

    The code signing scheme itself is useless. Anyone can request or share a certificate. So mal- and spyware still can destroy your computer, but now 'approved and certified' by Verisign/Microsoft.

    The only thing it's good for is annoying end users and (independent) developers.

  • Hosebeast December 27, 2007 4:06 PM

    BillGoates, you just don't get it. Why do cars have license plates and police have badges? These don't stop people from speeding thru school zones or impersonating cops. In fact, nothing actually prevents a real cop from going berserk at any moment.

    What they do, however, is act as deterrents which form part of a larger security process. A car without plates will draw suspicion; a car with plates which appears suspicious can be checked to see if the plates were stolen. From insurance ID cards to voter registration cards, forms of official identification exist to provide "reasonable" assurance that someone is who you expect them to be, no more and no less.

    That's not "useless" because it's a far cry from total anonymity. Why do you suppose that for 99.999% of all spam, the true sender is obscured? It's a simple fact that malicious parties don't like to be identifiable. Sure, there will always be suicide bombers who don't mind letting you know their name, right before they blow you up, but how many suicide bombers exploded today? On the other hand, how many hot checks were written today? Is it totally "useless" for Wal-Mart to ask for ID?

    Code signing tells you that you are executing code from someone whose identity has been checked. More importantly, it tells you that the code has not been corrupted since it was signed, neither by virus infection nor by faulty file transfer. Change a single byte in a signed file and it immediately renders the signature broken.

    Non-malicious software could be buggy and "destroy your computer" the same as malware, but even if you don't trust a signature to represent the author's identity upon initial receipt of some code, once you have verified for yourself that the code is safe, the signature tells you later that the code hasn't been tampered with.

    10 years ago, the industry was skeptical of code signing. Today, code signing is widely used in Java, Linux, and other non-Microsoft environments. Apple's latest Mac OS X (Leopard) fully supports code signing and delivers virtually all of its components as signed by Apple. Certificate issuers from Thawte to VeriSign have repeatedly demonstrated prompt and responsible revocation of certificates obtained for fraudulent purposes. From Safari to Firefox and Opera (all shipped signed), the entire industry has embraced code signing -- not as a total solution to anything, but as part of the solution to many things.

    If you're a small developer (which implies you're working with a relatively small user population), you can always self-sign for $0. The catch is that your users must install your certificate authority in their trusted store, a one-time step. Presumably they would do this if they trust you, and presumably they would only trust you if they are satisfied that they can identify you. The $80 saves them a little hassle by having Comodo do a reasonable check of your identity and issue a certificate from an authority which is pre-trusted by the default installation of common operating systems.

    Sure, this system hasn't stopped people from forming malicious companies which were actually and legally named "Click Yes to Continue" but how long do you think they got away with it? About as long as it would take to notice a car without plates or a cop without a badge.

  • Christopher Painter December 28, 2007 8:03 AM

    John Robbins attracted my attention a couple of months ago with a series of posts on WiX. More recently I noticed a nice article discussing code signing on the cheap ( and easy ). It's a good read...

  • jrobbins December 28, 2007 12:26 PM

    Hosebeast,

    THANK YOU! I was trying to figure out how best to respond to BillGoates, but you did a fantastic job. Thanks a million for the great response!

    -J.

  • Console.Write(this.Opinion) January 2, 2008 4:52 PM

    Summary of the week - 02/01/2007

  • Steve Campbell January 2, 2008 6:07 PM

    It seems to me that the system under which certificates are issued is fundamentally broken.

    As noted, I can digitally sign something for $0, and in so doing verify that it has not been tampered with. The cost of the certificate must then represent the cost of associating my identity with the certificate. There is no ongoing cost to this - once my identity is associated, it is done. So why the exorbitant cost?

  • Gerry January 3, 2008 9:39 AM

    Well I just tried to get a code signing cert in my name (I don't have a company) from Comodo. The message I got back said basically what you said here:

    "If the order has been applied for in your own personal name or the order is not for use by a commercial entity:
    Copy of your drivers license or passport"

    But after sending a copy of my drivers license I get back an email that says:

    "Code sign cert would need to be based on a company and not for personal used. Please send us information based on a company that you work / own so we can further process validation."

    So I guess it is refund time as they have already charged my card.

  • jrobbins January 3, 2008 11:32 PM

    Gerry,

    Did you try talking to Comodo? Omar Shahine discussed getting a certificate using just his name.

    Steve Campbell,

    While you can issue your own cert, that means others will have to install your certificate in order for it to be deemed valid by the OS. Like Hosebeast said earlier, purchasing the cert is just a hurdle that says someone has checked on you. Think of the cert the same as having a drivers license/passport to get on a plane in the US. As to why a Verisign cert is so much more expensive than a Comodo cert, I have no idea. By the way, I like your blog! Totally subscribed!

    -John.

  • Security Briefs January 17, 2008 11:23 AM

  • Security Briefs January 17, 2008 2:27 PM

  • Ben Ark March 14, 2008 1:37 PM

    For information on the PFX "Object already exists" error see this Microsoft Feedback item and the accompanying workaround...

    https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=321492

    http://blogs.msdn.com/andrekl/archive/2008/01/08/strong-name-signing-in-visual-studio-2005-requires-keyspec-2-at-signature.aspx

  • Michael March 14, 2008 1:47 PM

    After purchasing a Comodo code signing certificate from tucows, I discovered that the certificate does not support signing kernel mode drivers in Vista, such as a .SYS file. I called Comodo's technical support line and they confirmed this. :(

  • Jan Doggen March 25, 2008 5:37 AM

    Additional info that took me some time and emails to find out:
    After ordering with Tucows, you have to:

    1) Log back into the Author Resource Center at https://author.tucows.com/
    2) On the left hand navigation under the title "Resources" select "Code Signing Certificates"
    3) Select the link for the code signing certificate that you purchased under the "Retrieve a previously purchased Code Signing Certificate" heading.
    4) The link will take you to the Certificate Authority site (secure.comodo.net). Follow the prompts to fill in any required information.

    Comodo could not find my order until I had done this ;-)

  • Jim Beveridge May 8, 2008 3:26 PM

    I'm always bothered by anything that requires me to leave a password in plaintext, particularly in a build environment. In my blog, I discuss the solution that I found to this problem:
    http://qualapps.blogspot.com/search?q=signcode

  • Wilson Fowlie May 15, 2008 11:02 AM

    John: as 'Shrike' mentioned (well, implied) in December, the January 2000 'Bugslayer' article is no longer on the MS website. Is it archived anywhere else, please?

  • jrobbins May 15, 2008 2:23 PM

    All,

    Looks like Microsoft lost the links to the column itself. However, if you download the whole issue code, Debugger Chooser is in there: http://download.microsoft.com/download/0/6/7/0678184e-905e-4783-9511-d4dca1f492b4/MSJJan00.exe

    - John Robbins.

  • Vlasta October 20, 2008 6:45 AM

    Thanks for the article. I have one question though. Do the authorities re-verify you each year? I can see that it can cost them to verify if you are really who you say you are, but just maintaining a few kB on their servers should be very easy and hence the high recurring fees have no justification.

    BTW if you buy a 1 year certificate, does it mean you cannot sign anything after it expires or that you are still able to sign it "in the past"?

  • jrobbins October 20, 2008 12:15 PM

    Vlasta,

    I bought a 3-year cert so that means they only need to recheck everything when you renew. If you buy a one year cert, you have to be checked every year.

    I'm not sure what happens if you try to sign with an expired cert. I'm just going to keep renewing my cert so that doesn't happen. :)

    - John Robbins

  • James August 19, 2009 9:34 PM

    Sadly, Comodo has joined the ranks of others. Their 1yr price is now $160.

  • Richard August 20, 2009 10:58 AM

    Wanted to thank you for an excellent article - your step-by-step guide made the whole process really straightforward and saved lots of time, not to mention the price at Tucows. The MSBuild stuff too was an extremely useful starting point. Thanks for sharing.

  • softwarecandy October 21, 2009 12:01 PM

    Thank you for a great article.

    Understanding the importance of this, we have been signing our software with code signing certificates from the beginning. You can read our version of explaining what a Code Signing Certificate is at:

    http://www.softwarecandy.com/shop/software-that-is-reliable

    By now, we are very experienced with this process -- and still find your article very useful -- even to us.

  • Chris November 2, 2009 6:27 AM

    Some prices from today:

    https://secure.ksoftware.net/code_signing.html

    1 year ($99)
    2 years ($198)
    3 years ($297)
    4 years ($396)
    5 years ($495)


    http://www.comodo.com/business-security/digital-certificates/code-signing.php

    Starting at $166.95/year (max 3 years)


    http://www.sslshopper.com/cheap-code-signing-certificates.html
    (prices for 1 year):

    Trustwave Code Signing: $329
    GlobalSign ObjectSign Code Signing Certificate: $229
    GoDaddy Code Signing Certificate: $199
    VeriSign Code Signing Certificate: $499


    https://ssl.trustwave.com/cart-checkout.php

    Total: $579.00 for 2 years


    Tucows: no idea - their prices are hidden behind their login system, and it seems after 4 or 5 years of inactivity - they've locked my account :-(

  • jrobbins November 2, 2009 11:44 AM

    Chris,

    Thanks a million for the research. Looks like KSoftware is the way to go for small companies or individuals.

    My certificate will be expiring in a year so will write about renewal costs and contracts at that time.

    - John Robbins

  • Chris November 2, 2009 12:34 PM

    Finally got into my tucows account (their "lost password" system was trying to send emails from a non-existent domain... so needless to say, my mail server was rejecting it...)

    Comodo Code Signing Certificate - 1 yr.: $75
    Comodo Code Signing Certificate - 2 yr.: $140
    Comodo Code Signing Certificate - 3 yr.: $195

    https://author.tucows.com/certs.php

  • softwarecandy November 4, 2009 12:53 PM

    Isn't it scary that a company that sells digital certificates has a checkout process with compromised security?

    Case in question: tucows code signing certificates, in the page meant for entering your credit card number and other billing information:

    https://author.tucows.com/checkout.php

    They said they will fix the problem "in the next few weeks". It's not early enough for us, however, so we will have to go with other, more expensive, alternatives.

    Security should not be taken lightly. After all, this is the main reason for code-signing our software.

  • Giammarco Schisani December 26, 2009 4:38 PM

    Thanks all for sharing, since 2007! I will also need to get a certificate, and might go for Comodo.

  • Chris December 29, 2009 8:03 PM

    Finally got my Comodo code-signing cert (just the $75 1yr to start with). The verification took several weeks - MAN those guys are thorough - it was exactly as intense as the verification I had to go through for my EV SSL Cert from another company!

    I'll post back here later after I've signed some of my work, so anyone interested can see how I did it, and look at the end result if they want.

  • RobS January 27, 2010 2:42 AM

    Thanks for the article. I recently bought a certificate from KSoft (1 yr $99). I read through your article and the referenced article about signing .NET assemblies and experienced the "Object already exists" issue you described (I'm using VS2008). So since I can't compile and sign the files in VS, it sounds to me like I need to: a) build the files I want to sign; b) manually sign them using signtool; c) build the installer; d) manually sign the resulting msi file using the signtool with the /d switch. Do you need to sign the msi file or is signing the exes and dlls enough?

  • Chris February 8, 2010 11:59 AM

    Tucows does not have "compromised security". It's simply an ad that does not have the "https" address format. Just respond to the message box that you want secure content only, and you'll get exactly that -- secure content, meaning no ad. There's nothing insecure about their checkout process. Even my bank (Wachovia) oopses on that from time to time, usually by including a graphic with "http" instead of "https". It's no big deal.

  • jrobbins March 11, 2010 12:01 AM

    RobS,

    Sign the MSI as well.

    Chris,

    Thanks for the reports on your cert and the clarification on the HTTP vs HTTPS problem.

    - John Robbins

  • John Robbins' Blog March 28, 2010 10:42 PM

    In the past I've written about code signing and how it's not as expensive or hard to do. Today I was

  • Phil April 21, 2010 9:19 PM

    John, thanks so much for this post. I never would have found that tucows product. This will help a lot. Couldn't afford the $300 bucks but I can swing $75. Big help.

  • Tester August 14, 2010 5:24 PM

    Thank you guys for the awesome post and thread!!! I see ksoftware prices went down slightly:

    1 year - $99.00
    2 years - $178.00 - Save 10%!
    3 years - $252.00 - Save 15%!
    4 years - $316.00 - Save 20%!
    5 years - $371.00 - Save 25%

  • Cameron August 29, 2010 3:07 PM

    Chris - you are saying it took several weeks. Just 5 minutes ago I bought a 1-year cert through Tucows-Comodo. I have some questions for you, since you have been through it. What will happen next? What does the *thorough check* consist of? How will I know when the certificate is ready? I assume Comodo will send me an e-mail with next steps - is that correct? So far I haven't been asked for a drivers license or anything. I did include my company DUNS number on the initial application.

    Cheers,
    -=Cameron

  • Skip Sailors September 15, 2010 12:53 PM

    Your Certificate Export Wizard dialog has the PFX option selected for format. My same dialog has this option grey and unavailable. I don't remember anywhere in the process where I ever had a PVK file to start with. Where do these private keys come from?

    TIA (Win 7)

  • Joe Dean September 15, 2010 9:05 PM

    John, As always... Thanks very much for your informative blog... One question though ... Can you clarify the comments regarding exporting the certificate to the .pfx file. Initially you said "In nearly all cases, you'll need to choose "Yes, export the private key." " but subsequently you said "I chose to leave the private key in the Certificate Manager so I could export the key in multiple ways, which I'll discuss why in a bit." I've looked back over the article and maybe I'm still missing it, but I don't see an explanation. Can you elaborate on this part? Thank you very much.

  • Mark Coogan November 16, 2010 5:13 PM

    Hi, I am glad I have found this page!... thanks a lot, I think it is exactly what I need.

    I have one question though.

    I have designed a Flash interface that will be run from a dvd rom on macs and PC's. The reason I need the certificate is so that the .exe file can be opened without having the “The Publisher could not be verified. Are you sure you want to run this” message pop up.

    I use a mac and am wondering if I can add the certificate to the .exe file using my mac or whether I need to do it using windows or a PC? as I can not see a 'certificates' tab to do this on a mac.

    Any help is much appreciated!

    Thanks, Mark

  • jrobbins November 17, 2010 2:05 PM

    Joe,

    Oops! Sorry about that. Basically, by leaving the certificate in the Certificate Manager, tools like PowerShell can access it without requiring the .PFX file on disk. That's safer and more secure in many situations.

    Mark,

    You'll have to sign the EXE on a Windows machine.

    - John Robbins

  • John Robbins' Blog November 17, 2010 6:52 PM

    A little short of three years ago, I wrote a blog entry, " Code Signing – It's Cheaper and Easier than

  • Alex February 4, 2011 9:37 AM

    A couple of years later and this still helped a lot. Thanks for the info.

  • Blog J.Schweiss March 12, 2011 4:22 PM

    Code Signing

  • Pete the programmer July 8, 2011 11:40 AM

    So you people that have code signed installers, have you actually noticed any major or minor increase in software sales or installs? Would love to know.

  • Zaph July 14, 2011 2:17 PM

    I wish I had found this blog a week ago, I have been trying to work all this out for myself. I bought a certificate off a company called StartSSL.com and they said it would be good for code signing. When I follow the instructions above I only get as far as exporting the certificate using certmgr (I am on Windows 7) and I see the Personal Information Exchange option is greyed out. If I choose the export to .cer options, when I run signtool I get the error "No certificates were found that met all the given criteria". Can anyone tell me what the problem is? Did I buy a bum certificate or is it something I am doing wrong?

  • Zaph July 15, 2011 3:15 AM

    This is a follow up to my post above. The team at StartSSL were very helpful in resolving the issues I was having. I would recommend them as another cheap code signing alternative.

  • jrobbins July 15, 2011 11:43 AM

    Zaph,

    Thanks a million for the followup. It's great to hear the good support story!

    - John Robbins

  • Christian July 19, 2011 6:56 AM

    To second Zaph, I am also in contact with StartSSL (or StartCom). What I like about this company is the fact that you don't pay for the certificate. Instead you pay for the validation process. This makes more sense than what any other certification authority does.
    The process of generating a certificate is really automated, so why do all other publishers want money for each certificate they create? :)
    At StartCom you pay 50 USD for the validation of your identity and then you can generate as many certificates as you want (within a given time frame, 1 or 2 years,... don't know right now). Of course there are other options as well (up to the green identification bar in browsers, which cost more).

  • Mitchell October 4, 2011 2:30 PM

    The coupon code CPN25 on K Software's order page drops prices down 25%.

  • klrkt October 21, 2011 10:55 AM

    "I see the Personal Information Exchange option is greyed out. "
    in fact you can use the .p7b certificate - just rename to .pfx
    - I have done this so I know it works
    BUT it took me several calls and lots of internet searches
    comodo techie could not help much - BUT he did say .p7b is .pfx
    (Good ole Microsoft!)

  • jselbie October 23, 2013 9:52 PM

    These instructions are still valid in 2013 with Windows 8. A few things to note.

    Tucows is essentially a reseller of certificate services from Comodo. Buying from Tucows is way cheaper than going through the Comodo site directly. The sign-up, purchase, and validation experience had a few hiccups.

    I'll spare the long details, but it took two days to get through Comodo's validation process. I filed a support ticket on Comodo's site to speed things up after a day went by with no confirmation of my fax. Their support staff was responsive and we eventually got it all worked out. But these message exchanges could have been avoided if they had more of the validation process online. But after the final validation step on the phone was completed, my cert was issued.

    Signtool works as mentioned above in the article. One weirdness. After my first attempt to sign an EXE, upload to a website, download it back, and execute it - I still got an "untrusted program" dialog. And on Windows 8, this is the full screen "blockade" dialog. But after a few hours that problem disappeared and didn't repro on any other computers. Perhaps there is some latency between issuing the certificate and it being valid with an online service. I'm not sure. But the cert now works. Hooray.

