John Robbins' Blog

Code Signing – It’s Cheaper and Easier than You Thought

One of the things I've always wanted to do, but never got around to, is figure out how to sign my code. Like most developers, I never really worried about code signing until Vista came along. Maybe it's just because I'm completely anal retentive, but I always felt a little guilty when my applications or installations that need administrator privileges show the dreaded UAC Cancel/Allow dialog:

To me, that just looks a bit unprofessional. I don't want to be known as "Unidentified Publisher." The main reason small shops or independent developers don't sign their applications is that a code signing certificate, sometimes called an ID, has always been very expensive. Checking VeriSign right now, they want $499 USD for a one year certificate and $1,293 USD for a three year certificate. For that much money you can get a pretty nice laptop. Thus began my quest to see if I could get a code signing certificate for a reasonable price.

In this blog entry I'll show where I got a reasonably priced certificate and how to get your binaries and installs signed correctly. As I was reading how to make everything work, there was no one place that showed all the parts from buying a certificate, to getting it on your machine, to getting your code signed in the real world. Hopefully this will help you out if you want to or are required to code sign.

Searching for code signing certificates turns up numerous companies that will sell you a certificate with prices ranging from $179 USD to $499 USD per year. They all offer cheaper options if you buy three year certificates, but they still cost more than a single developer probably wants to pay. Fortunately, the day I thought about getting a code signing certificate, Omar Shahine mentioned that TUCOWS (I'm so old I remember the original "The Ultimate Collection of Winsock Software" web site!) is reselling Comodo digital certificates at $80 USD per year at their author specific web site. Even better is the three year price of $195 USD. That was a price I could justify spending with the Robbins household CFO, AKA my wife.

After you purchase the certificate, you have to prove who you are. That's the whole reason it's called a "trusted certificate" in the first place. If you want the certificate in your name alone, you'll need to fax them a copy of your driver's license that shows the address you specified in the sign up pages. If you want a company name on the certificate you'll need to fax Comodo copies of your company's articles of organization and a business tax license. As I wanted my certificate to say "John Robbins/Wintellect" I faxed three documents and Comodo happily issued a certificate.

I had some trouble with the registration process at Comodo. Make sure you add https://secure.comodo.net to the list of trusted sites in Internet Explorer so they can properly get you registered and install their trusted root certificate on your computer. You'll have to use the machine you registered with Comodo to retrieve your certificate. One thing that Comodo does not make clear is that they expect you to register at http://support.comodo.com to ensure you really sent in the request and interact with them if you need to ask questions. Finally, make sure to set any spam filters you are using to allow mail from comodo.com through so when you get your certificate issued, you'll actually get the mail. [Edit: 1/17, I want to make clear that the certificate from Comodo is trusted on all computers. You only need to install Comodo's certificate on the machine you are using to buy your certificate.]

When you get the email giving you the download address, you'll click on the link and download your certificate into the certificate cache on the machine. Since you'll want the certificate in file form to make signing easier, you need to get it out of the certificate store. On a Vista computer, the first step is to start the Certificate Manager snap-in, by running "certmgr.msc." The certificate downloaded from Comodo is in the Personal\Certificates section and the issuer is UTN-UserFirst-Object.

Right click on the certificate and select All Tasks, Export… That will bring up the Certificate Export Wizard. The first decision you'll have to make is if you want to export the private key information with the certificate. In nearly all cases, you'll need to choose "Yes, export the private key." The second decision is what data you want included in the Personal Information Exchange (.PFX) file you're exporting. What I chose to do was the following:

This allows you to have a complete certificate in the .PFX file. I chose to leave the private key in the Certificate Manager so I could export the key in multiple ways, which I'll discuss why in a bit. After clicking the Next button, you'll have to provide a password for the certificate. As I'm using Vista, that's required. A few things I read on the web said that with XP you could export a .PFX file with no password, which seemed quite dangerous to me. It goes without saying that you'll want to be careful with the password and actual .PFX file.

Once you've got the .PFX file on disk, it's time to sign something and that's where SIGNTOOL.EXE comes into play. Visual Studio 2008 Team Editions includes the latest Platform SDK so all you need to do is start a Visual Studio 2008 Command Prompt to get the path environment variable initialized. All that does is run the <Visual Studio Installation Directory>\VC\vcvarsall.bat batch file. If you do not have a Team Edition of Visual Studio, you can download the Vista Platform SDK here.

In the command prompt, type the following command to sign all the files you want to sign: (all one line)

signtool sign /f YourFile.pfx /p <password> /t http://timestamp.comodoca.com/authenticode <files>

If you're signing a .MSI file, also add the /d command line option to specify the description of your install program so the user will see that instead of the temporary name Windows Installer actually uses for the installation. Once you've signed your binary, you'll look as professional as the big guys:

If you are curious what DbgChooser is, see my January 2000 Bugslayer column in Microsoft System's Journal.

There are obviously more command line options to SIGNTOOL.EXE you can read about in the documentation. Once you're signing files, you probably want to verify a file is signed properly. Fortunately, SIGNTOOL.EXE has the verify option you can use to check.

signtool verify /pa <files>

Manually signing your binaries is certainly not going to scale so you'll want to automate the process. For signing .NET assemblies I found an article that talks about how you can use a .PFX file in place of the strong name key (.SNK) file most of us use. As the article says, you'll want to make sure to export the .PFX file without any other certificates by ensuring you do not check "Include all certificates in the certificate path if possible." Following all the steps in the article, I copied the exported key over to a new machine, and added the .PFX file. Visual Studio prompted me with the Import Key File dialog asking for the .PFX file password. Typing in the password and clicking OK appeared to work. The problems started when I tried to compile the application. I got the Import Key File dialog again asking for the password, but entering the correct password just got me a message box titled "Error importing key" with the message "Object already exists." Looking through the Certificate Manager, I couldn't find a copy of my certificate anywhere. Wondering if this was an issue because I was running Visual Studio as a regular user, I elevated Visual Studio to have administrator rights and still encountered the same error.

As I started reading about others having similar problems and quickly falling into the bottomless pit of acronyms like OPENSSL, SHA1, PEM, SPN, PVK, and PKCS12, I admit that I gave up. I just want to get my binaries signed, not have to become a super certificate ninja. Since I knew SIGNTOOL.EXE worked, I just needed to wrap it up in MSBuild. Looking at the MSBuild documentation, I found the perfectly named SignFile that's part of MSBuild. Sadly, it only works on Portable Executable (PE) files and won't sign your .MSI files. Equipped with the Exec task in MSBuild, you can pretty much get anything wrapped up quickly:

<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
    <Target Name="PrivateKeySignTask">
      <!-- Fail the build early if a required property was not supplied. -->
      <Error Condition="'$(PrivateKeySignFile)' == ''"
         Text="PrivateKeySignFile property not set for PrivateKeySignTask"/>
      <Error Condition="'$(PrivateKeyPassword)' == ''"
         Text="PrivateKeyPassword property not set for PrivateKeySignTask"/>
      <Error Condition="'$(PrivateKeyTimestampURL)' == ''"
         Text="PrivateKeyTimestampURL property not set for PrivateKeySignTask"/>

      <!-- The .PFX path is quoted so a path containing spaces still works. -->
      <Exec Command="signtool.exe sign /f &quot;$(PrivateKeySignFile)&quot;
/p $(PrivateKeyPassword) /t $(PrivateKeyTimestampURL)
$(PrivateKeySignAdditionalOptions)
@(InputPrivateKeySignFiles, ' ')
"/>
    </Target>
</Project>

Since writing MSBuild tasks derived from ToolTask is easy, it'd take about five minutes to make SIGNTOOL.EXE a little easier to use on a larger project.
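
An alternative to putting the .PFX password on a command line or in an MSBuild property, added here as an example and not code from the original article: sign with the certificate left in the Certificate Manager store, then re-read each file's signature and fail if it is not valid or not timestamped. The function names, the thumbprint placeholder and the sample path are assumptions; Set-AuthenticodeSignature and Get-AuthenticodeSignature are the standard PowerShell cmdlets.

```powershell
# Added example: sign from the certificate store, then verify the result.
# Function names, the thumbprint placeholder and sample paths are assumptions.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-SigningCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Tolerate a thumbprint pasted from the certificate dialog with spaces.
    $wanted = $Thumbprint -replace '\s', ''

    # -CodeSigningCert returns only certificates whose usage allows code signing.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1

    if (-not $cert) {
        throw "No code signing certificate $wanted in CurrentUser\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw 'Certificate found, but its private key is not in this store.'
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter)."
    }
    return $cert
}

function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$TimestampServer
    )

    $valid    = [System.Management.Automation.SignatureStatus]::Valid
    $problems = @()

    foreach ($file in $Path) {
        # The private key never leaves the store; no password is passed here.
        $null = Set-AuthenticodeSignature -FilePath $file -Certificate $Certificate `
            -TimestampServer $TimestampServer -IncludeChain NotRoot

        # Re-read the signature from disk instead of trusting the signing call.
        $sig = Get-AuthenticodeSignature -FilePath $file

        if ($sig.Status -ne $valid) {
            $problems += "${file}: $($sig.Status) ($($sig.StatusMessage))"
        }
        elseif ($sig.SignerCertificate.Thumbprint -ne $Certificate.Thumbprint) {
            $problems += "${file}: signed by an unexpected certificate"
        }
        elseif ($null -eq $sig.TimeStamperCertificate) {
            # Happens when the timestamp server could not be reached.
            $problems += "${file}: no timestamp; the signature stops validating when the certificate expires"
        }
    }

    if ($problems.Count -gt 0) {
        throw ("Signing check failed:`n" + ($problems -join "`n"))
    }
}

# Usage (placeholder values):
# $cert = Get-SigningCertificate -Thumbprint '<THUMBPRINT-OF-YOUR-CERTIFICATE>'
# Invoke-SignAndVerify -Path '.\bin\MyApp.exe' -Certificate $cert `
#     -TimestampServer 'http://timestamp.comodoca.com/authenticode'  # URL used in the article
```

Because the function throws on any failed check, calling it from a build step stops the build before an unsigned or untimestamped binary ships.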

Now with the reasonably priced digital certificates through TUCOWS, you should take a hard look at signing your binaries and installations. It's not required, but it sure looks better on Vista if you do.

Update May 15, 2008: Microsoft lost the link to my column so I changed the Debugger Chooser link to download the code for that issue of MSJ.

On Dec 20 2007 4:20 PM | By jrobbins | Code Signing | With 60 Comments

Comments (60)

  1. You're not that old. Although, I guess by Internet years having been around since 1993 makes Tucows "old" which may make people who remember both the site, and what the acronym stands for "old" as well. Glad you found what you were after and thanks for the excellent tutorial.

    James from Tucows

  2. Kevin,

    Good question. I'd send a support request to the folks at Comodo (https://support.comodo.com/). They should be able to get something worked out for you.

    Hope it helps!
    -John

  3. John,
    the link "http://www.microsoft.com/msj/0100/bugslayer/bugslayer0100.aspx" is broken.

  4. It doesn't matter how cheap and easy code signing is, I want to boycott it on principle. Not because of the price, although even 80$ a year is much for a single autogenerated number.

    The code signing scheme itself is useless. Anyone can request or share a public certificate. So mal- and spyware still can destroy your computer, but now 'approved and certified' by Verisign/Microsoft.

    The only thing it's good for is annoying end users and (independent) developers.

  5. BillGoates, you just don't get it. Why do cars have license plates and police have badges? These don't stop people from speeding thru school zones or impersonating cops. In fact, nothing actually prevents a real cop from going berserk at any moment.

    What they do, however, is act as deterrents which form part of a larger security process. A car without plates will draw suspicion; a car with plates which appears suspicious can be checked to see if the plates were stolen. From insurance ID cards to voter registration cards, forms of official identification exist to provide "reasonable" assurance that someone is who you expect them to be, no more and no less.

    That's not "useless" because it's a far cry from total anonymity. Why do you suppose that for 99.999% of all spam, the true sender is obscured? It's a simple fact that malicious parties don't like to be identifiable. Sure, there will always be suicide bombers who don't mind letting you know their name, right before they blow you up, but how many suicide bombers exploded today? On the other hand, how many hot checks were written today? Is it totally "useless" for Wal-Mart to ask for ID?

    Code signing tells you that you are executing code from someone whose identity has been checked. More importantly, it tells you that the code has not been corrupted since it was signed, neither by virus infection nor by faulty file transfer. Change a single byte in a signed file and it immediately renders the signature broken.

    Non-malicious software could be buggy and "destroy your computer" the same as malware, but even if you don't trust a signature to represent the author's identity upon initial receipt of some code, once you have verified for yourself that the code is safe, the signature tells you later that the code hasn't been tampered with.

    10 years ago, the industry was skeptical of code signing. Today, code signing is widely used in Java, Linux, and other non-Microsoft environments. Apple's latest Mac OS X (Leopard) fully supports code signing and delivers virtually all of its components as signed by Apple. Certificate issuers from Thawte to VeriSign have repeatedly demonstrated prompt and responsible revocation of certificates obtained for fraudulent purposes. From Safari to Firefox and Opera (all shipped signed), the entire industry has embraced code signing -- not as a total solution to anything, but as part of the solution to many things.

    If you're a small developer (which implies you're working with a relatively small user population), you can always self-sign for $0. The catch is that your users must install your certificate authority in their trusted store, a one-time step. Presumably they would do this if they trust you, and presumably they would only trust you if they are satisfied that they can identify you. The $80 saves them a little hassle by having Comodo do a reasonable check of your identity and issue a certificate from an authority which is pre-trusted by the default installation of common operating systems.

    Sure, this system hasn't stopped people from forming malicious companies which were actually and legally named "Click Yes to Continue" but how long do you think they got away with it? About as long as it would take to notice a car without plates or a cop without a badge.

  6. John Robbins attracted my attention a couple of months ago with a series of posts on WiX. More recently I noticed a nice article discussing code signing on the cheap ( and easy ). It's a good read...

  7. Hosebeast,

    THANK YOU! I was trying to figure out how best to respond to BillGoates, but you did a fantastic job. Thanks a million for the great response!

    -J.

  8. It seems to me that the system under which certificates are issued is fundamentally broken.

    As noted, I can digitally sign something for $0, and in so doing verify that it has not been tampered with. The cost of the certificate must then represent the cost of associating my identity with the certificate. There is no ongoing cost to this - once my identity is associated, it is done. So why the exorbitant cost?

  9. Well I just tried to get a code signing cert in my name (I don't have a company) from Comodo. The message I got back said basically what you said here:

    "If the order has been applied for in your own personal name or the order is not for use by a commercial entity:
    Copy of your drivers license or passport"

    But after sending a copy of my driver's license I get back an email that says:

    "Code sign cert would need to be based on a company and not for personal used. Please send us information based on a company that you work / own so we can further process validation."

    So I guess it is refund time as they have already charged my card.

  10. Gerry,

    Did you try talking to Comodo? Omar Shahine discussed getting a certificate using just his name.

    Steve Campbell,

    While you can issue your own cert, that means others will have to install your certificate in order for it to be deemed valid by the OS. Like Hosebeast said earlier, purchasing the cert is just a hurdle that says someone has checked on you. Think of the cert the same as having a driver's license/passport to get on a plane in the US. As for why a Verisign cert is so much more expensive than a Comodo cert, I have no idea. By the way, I like your blog! Totally subscribed!

    -John.

  11. For information on the PFX "Object already exists" error see this Microsoft Feedback item and the accompanying workaround...

    https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=321492

    http://blogs.msdn.com/andrekl/archive/2008/01/08/strong-name-signing-in-visual-studio-2005-requires-keyspec-2-at-signature.aspx

  12. After purchasing a Comodo code signing certificate from tucows, I discovered that the certificate does not support signing kernel mode drivers in Vista, such as a .SYS file. I called Comodo's technical support line and they confirmed this. :(

  13. Additional info that took me some time and emails to find out:
    After ordering with Tucows, you have to:

    1) Log back into the Author Resource Center at https://author.tucows.com/
    2) On the left hand navigation under the title "Resources" select "Code Signing Certificates"
    3) Select the link for the code signing certificate that you purchased under the "Retrieve a previously purchased Code Signing Certificate" heading.
    4) The link will take you to the Certificate Authority site (secure.comodo.net). Follow the prompts to fill in any required information.

    Comodo could not find my order until I had done this ;-)

  14. I'm always bothered by anything that requires me to leave a password in plaintext, particularly in a build environment. In my blog, I discuss the solution that I found to this problem:
    http://qualapps.blogspot.com/search?q=signcode

  15. John: as 'Shrike' mentioned (well, implied) in December, the January 2000 'Bugslayer' article is no longer on the MS website. Is it archived anywhere else, please?

  16. All,

    Looks like Microsoft lost the links to the column itself. However, if you download the whole issue code, Debugger Chooser is in there: http://download.microsoft.com/download/0/6/7/0678184e-905e-4783-9511-d4dca1f492b4/MSJJan00.exe

    - John Robbins.

  17. Thanks for the article. I have one question though. Do the authorities re-verify you each year? I can see that it can cost them to verify if you are really who you say you are, but just maintaining a few kB on their servers should be very easy and hence the high recurring fees have no justification.

    BTW if you buy a 1 year certificate, does it mean you cannot sign anything after it expires or that you are still able to sign it "in the past"?

  18. Vlasta,

    I bought a 3-year cert so that means they only need to recheck everything when you renew. If you buy a one year cert, you have to be checked every year.

    I'm not sure what happens if you try to sign with an expired cert. I'm just going to keep renewing my cert so that doesn't happen. :)

    - John Robbins

  19. Wanted to thank you for an excellent article - your step-by-step guide made the whole process really straightforward and saved lots of time, not to mention the price at Tucows. The MSBuild stuff too was an extremely useful starting point. Thanks for sharing.

  20. Thank you for a great article.

    Understanding the importance of this, we have been signing our software with code signing certificates from the beginning. You can read our version of explaining what a Code Signing Certificate is at:

    http://www.softwarecandy.com/shop/software-that-is-reliable

    By now, we are very experienced with this process -- and still find your article very useful -- even to us.

  21. Some prices from today:

    https://secure.ksoftware.net/code_signing.html

    1 year ($99)
    2 years ($198)
    3 years ($297)
    4 years ($396)
    5 years ($495)


    http://www.comodo.com/business-security/digital-certificates/code-signing.php

    Starting at $166.95/year (max 3 years)


    http://www.sslshopper.com/cheap-code-signing-certificates.html
    (includes Trustwave's Code Signing GlobalSign's ObjectSign Code Signing Certificate GoDaddy's Code Signing Certificate VeriSign's Code Signing Certificate):-

    Price For 1 Year $329 $229 $199 $499 respectively


    https://ssl.trustwave.com/cart-checkout.php

    Total: $579.00 for 2 years


    Tucows: no idea - their prices are hidden behind their login system, and it seems after 4 or 5 years of inactivity - they've locked my account :-(

  22. Chris,

    Thanks a million for the research. Looks like KSoftware is the way to go for small companies or individuals.

    My certificate will be expiring in a year so will write about renewal costs and contracts at that time.

    - John Robbins

  23. Finally got into my tucows account (their "lost password" system was trying to send emails from a non-existent domain... so needless to say, my mail server was rejecting it...)

    Comodo Code Signing Certificate - 1 yr.: $75
    Comodo Code Signing Certificate - 2 yr.: $140
    Comodo Code Signing Certificate - 3 yr.: $195

    https://author.tucows.com/certs.php

  24. Isn't it scary that a company that sells digital certificates has a checkout process with compromised security?

    Case in question: tucows code signing certificates, in the page meant for entering your credit card number and other billing information:

    https://author.tucows.com/checkout.php

    They said they will fix the problem "in the next few weeks". It's not early enough for us, however, so we will have to go with other, more expensive, alternatives.

    Security should not be taken lightly. After all, this is the main reason for code-signing our software.

  25. Finally got my Comodo code-signing cert (just the $75 1yr to start with). The verification took several weeks - MAN those guys are thorough - it was exactly as intense as the verification I had to go through for my EV SSL Cert from another company!

    I'll post back here later after I've signed some of my work, so anyone interested can see how I did it, and look at the end result if they want.

  26. Thanks for the article. I recently bought a certificate from KSoft (1 yr $99). I read through your article and the referenced article about signing .NET assemblies and experienced the "Object already exists" issue you described (I'm using VS2008). So since I can't compile and sign the files in VS, it sounds to me like I need to: a) build the files I want to sign; b) manually sign them using signtool; c) build the installer; d) manually sign the resulting msi file using the signtool with the /d switch. Do you need to sign the msi file or is signing the exes and dlls enough?

  27. Tucows does not have "compromised security". It's simply an ad that does not have the "https" address format. Just respond to the message box that you want secure content only, and you'll get exactly that -- secure content, meaning no ad. There's nothing insecure about their checkout process. Even my bank (Wachovia) oopses on that from time to time, usually by including a graphic with "http" instead of "https". It's no big deal.

  28. RobS,

    Sign the MSI as well.

    Chris,

    Thanks for the reports on your cert and the clarification on the HTTP vs HTTPS problem.

    - John Robbins

  29. John, Thanks so much for this post. I never would have found that tucows product. This will help a lot. Couldn't afford the $300 bucks but I can swing $75. Big help

  30. Thank you guys for the awesome post and thread!!! I see ksoftware prices went down slightly: 1 year - $99.00 2 years - $178.00 - Save 10%! 3 years - $252.00 - Save 15%! 4 years - $316.00 - Save 20%! 5 years - $371.00 - Save 25%

  31. Chris - you are saying it took several weeks. Just 5 minutes ago I bought a 1-year cert through Tucows-Comodo. I have some questions for you, since you have been through it. What will happen next? What does the *thorough check* consist of? How will I know when the certificate is ready? I assume Comodo will send me an e-mail with next steps - is that correct? So far I haven't been asked for a driver's license or anything. I did include my company DUNS number on the initial application. Cheers, -=Cameron

  32. Your Certificate Export Wizard dialog has the PFX option selected for format. My same dialog has this option grey and unavailable. I don't remember anywhere in the process where I ever had a PVK file to start with. Where do these private keys come from? TIA (Win 7)

  33. John, As always... Thanks very much for your informative blog... One question though ... Can you clarify the comments regarding exporting the certificate to the .pfx file. Initially you said "In nearly all cases, you'll need to choose "Yes, export the private key." " but subsequently you said "I chose to leave the private key in the Certificate Manager so I could export the key in multiple ways, which I'll discuss why in a bit." I've looked back over the article and maybe I'm still missing it, but I don't see an explanation. Can you elaborate on this part? Thank you very much.

  34. Hi, I am glad I have found this page!... thanks a lot I think it is exactly what I need.

    I have one question though.

    I have designed a Flash interface that will be run from a dvd rom on macs and PC's. The reason I need the certificate is so that the .exe file can be opened without having the “The Publisher could not be verified. Are you sure you want to run this” message pop up.

    I use a mac and am wondering if I can add the certificate to the .exe file using my mac or whether I need to do it using windows or a PC? as I can not see a 'certificates' tab to do this on a mac.

    Any help is much appreciated!

    Thanks, Mark

  35. Joe,

    Oops! Sorry about that. Basically, by leaving the certificate in the Certificate Manager, tools like PowerShell can access them without requiring the .PFX file on disk. That's safer and more secure in many situations.

    Mark,

    You'll have to sign the EXE on a Windows machine.

    - John Robbins

  36. Pete the programmer

    So you people that have code signed installers, have you actually noticed any major or minor increase in software sales or installs? Would love to know.

  37. I wish I had found this blog a week ago, I have been trying to work all this out for myself. I bought a certificate off a company called StartSSL.com and they said it would be good for code signing. When I follow the instructions above I only get as far as exporting the certificate using certmgr (I am on Windows 7) and I see the Personal Information Exchange option is greyed out. If I choose the export to .cer options, when I run signtool I get the error "No certificates were found that met all the given criteria". Can anyone tell me what the problem is? Did I buy a bum certificate or is it something I am doing wrong?

  38. This is a follow up to my post above. The team at StartSSL were very helpful in resolving the issues I was having. I would recommend them as another cheap code signing alternative.

  39. Zaph,

    Thanks a million for the followup. It's great to hear the good support story!

    - John Robbins

  40. To second Zaph, I am also in contact with StartSSL (or StartCom). What I like about this company is the fact that you don't pay for the certificate. Instead you pay for the validation process. This makes more sense than what any other certification authority does.
    The process of generating a certificate is really automated, so why do all other publishers want money for each certificate they create? :)
    At StartCom you pay 50 USD for the validation of your identity and then you can generate how many certificates you want (within a given time frame, 1 or 2 years,... don't know right now). Of course there are other options as well (up to the green identification bar in browsers, that cost more).

  41. "I see the Personal Information Exchange option is greyed out. "
    in fact you can use the .p7b certificate - just rename to .pfx
    - I have done this so I know it works
    BUT it took me several calls and lots of internet searches
    comodo techie could not help much - BUT he did say .p7b is .pfx
    (Good ole Microsoft!)

  42. These instructions are still valid in 2013 with Windows 8. A few things to note.

    Tucows is essentially a reseller of certificate services from Comodo. Buying from Tucows is way cheaper than going through the Comodo site directly. The sign-up, purchase, and validation experience had a few hiccups.

    I'll spare the long details, but it took two days to get through Comodo's validation process. I filed a support ticket on Comodo's site to speed things up after a day went by with no confirmation of my fax. Their support staff was responsive and we eventually got it all worked out. But these message exchanges could have been avoided if they had more of the validation process online. But after the final validation step on the phone was completed, my cert was issued.

    Signtool works as mentioned above in the article. One weirdness. After my first attempt to sign an EXE, upload to a website, download it back, and execute it - I still got an "untrusted program" dialog. And on Windows 8, this is the full screen "blockade" dialog. But after a few hours that problem disappeared and didn't repro on any other computers. Perhaps there is some latency between issuing the certificate and it being valid with an online service. I'm not sure. But the cert now works. Hooray.

