• Advertisement
Sign in to follow this  

Code signing certificates

Recommended Posts

Any recommendations on where to obtain a code signing certificate meeting the following requirements:

  • No more than $100 / year.
  • It needs to be for an individual, not a company. I'm based in the UK, if that matters.
  • No ridiculous verification processes. e.g. As an independent developer, I don't have a landline and I don't want to offer phone support. When I looked into using Comodo last year, they were requiring me to get a landline and advertise it both in an online directory and in the certificate itself.

Last year I ended up going with StartCom, but that certificate is now expiring and unfortunately, they don't seem to be considered very reputable these days.

Getting a certificate seems to have become a ridiculously expensive and complicated process for legitimate small developers. Ironically, if I was some dodgy malware producer, I could buy a stolen certificate for a fraction of the expense and effort...

Share this post


Link to post
Share on other sites
Advertisement

You don't need a certificate. Just post a hashed checksum with your source tarball and make your public key available.  It comes to the same thing as a cert but without the expensive middle-men.

Share this post


Link to post
Share on other sites

You don't need a certificate. Just post a hashed checksum with your source tarball and make your public key available. It comes to the same thing as a cert but without the expensive middle-men.

That's only the same thing if your audience is technical linux users. For non-technical Windows users, the goal of signing is to make as many protectionware "are you sure you want to run an exe?" dialogues go away as possible.

There's also big security differences. In theory with signing, the chain of trust goes you, your OS distributor (which includes your ISP if you downloaded your OS), then the certificate authorities, then the software author. With the ad hoc method, the chain goes you, your ISP, the software authors web-hoster, the software author. In cases where you don't trust your internet connection and you use physically delivered OS images, then the first is secure while the second isn't.

Share this post


Link to post
Share on other sites

I work in the CA industry and can tell you now you will struggle to find a Code Signing Certificate at that price. Due to new regulations all CA's are required to put the certificate and keys in a hardware token such as a USB which has driven the cost up for many. I recommend GlobalSign as they are the best for vetting and you will get your certificate quickly and efficiently (assuming you have given them all the correct information) alongside great support if you need it...(which is very likely with code signing!)

Share this post


Link to post
Share on other sites

Natasha, thanks for the recommendation, but GlobalSign is probably out of my budget and it doesn't look like they offer certificates for individuals in any case.

Sadly, it's looking like Windows is no longer viable for small time developers.  Mobile is my main market now, but I started on Windows and have kept a small but loyal fanbase for nearly 20 years.

Microsoft really seems to be doing their best to discourage independent developers with all the over-the-top security warnings, and I'm not even convinced it's done anything for safety.  Half the users are scared to authorize anything, and the rest just blindly click through every warning regardless.

Share this post


Link to post
Share on other sites

It doesn't stop being viable, it just means you get a warning when you run the installer.

There is an invisible file attribute flagging the file as downloaded from the Internet or untrusted network. It is fine for that to be on your program's installer, people are used to warnings when installing.  The installer will deploy files, and those won't be marked as untrusted. No signature required for them.

Share this post


Link to post
Share on other sites

I have tried publishing without a coding certificate in the past, but many of my users aren't especially tech literate. I don't object to Microsoft giving a warning that the program's author can't be verified, but the language used is so overly alarming that many mistake it for a statement that they're installing a virus. Believe me, I've had the emails...

I've never understood why Microsoft can't just allow coding certificates to be linked to the developer's website instead of their business/personal name. It would make verification a doddle, remove the need for certification companies and be virtually cost free.

Share this post


Link to post
Share on other sites

Sadly, it's looking like Windows is no longer viable for small time developers.  Mobile is my main market now, but I started on Windows and have kept a small but loyal fanbase for nearly 20 years.

Microsoft really seems to be doing their best to discourage independent developers with all the over-the-top security warnings, and I'm not even convinced it's done anything for safety. 

Largely it has done nothing for security as far as the end user is concerned.  It has done zero from a developer's standpoint that I have seen.  I am gradually trying to move my code to linux, but that has its own problems, like piss poor webcam support for anything other than literally viewing the webcam.  I need full PTZ and real time decoding to RGB buffers.  but that is such a small niche market they disregard it.

Share this post


Link to post
Share on other sites

move my code to linux, but that has its own problems, like piss poor webcam support for anything other than literally viewing the webcam. I need full PTZ and real time decoding to RGB buffers. but that is such a small niche market they disregard it.
The good thing about Linux is that people build everything. Have you considered looking into robotics software? Those devices typically use some video device and do real-time analysis of the images.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this  

  • Advertisement