RaelB 4 Posted 17 hours ago
Hi, Looking at www.ksoftware.net, the prices have gone up by about 3x since a few years ago. Any idea why they've become so expensive? Any cheaper options?
Angus Robertson 576 Posted 17 hours ago
The price increase is down to code signing certificates needing to be shipped on USB dongles instead of as files.
Angus
RaelB 4 Posted 16 hours ago
I am referring to OV code signing certificates. I just received an email from ksoftware indicating that the process would be as before, i.e., the key is received/generated via a browser: "Sectigo will issue the new certificate directly to you via email, don't forget to collect on the same PC/Browser that you used in Step 1, then you can export to a PFX/P12 file..."
Angus Robertson 576 Posted 15 hours ago
I suspect that is a fault in K-Software's automated systems, which have not been updated since tokens became mandatory. The web site does say 'Secure token available', which means it is not really optional. My three year K-Software certificate expires next month, so I am just about to go through the same process.
Angus
stijnsanders 36 Posted 15 hours ago
I haven't done code signing before, can you use any certificate for it? Would one of these people work? https://www.gandi.net/en/security
Rollo62 538 Posted 15 hours ago
> 1 minute ago, stijnsanders said: I haven't done code signing before, can you use any certificate for it? Would one of these people work? https://www.gandi.net/en/security

I would say no, these seem to be SSL certificates, which are free from LetsEncrypt, but not proper CodeSigning certificates, IMHO. Please prove me wrong.
RaelB 4 Posted 15 hours ago
> 10 minutes ago, Angus Robertson said: I suspect that is a fault in K-Software's automated systems, not been updated since tokens became mandatory. The web site does say 'Secure token available' which means is not really optional.

Yeah, it looks like you're right. I sent ksoftware an email a few days ago, asking about the price increase, and so far I haven't received a reply. I've now looked at https://codesigningstore.com and they state there clearly that delivery is via USB token. Wow, this is a big change. I imagine downloading unsigned software is going to become more common from smaller vendors...

@stijnsanders No, SSL certificates are very different, and a lot cheaper or even available for free.
Anders Melander 1812 Posted 15 hours ago
AFAIK you can use any certificate (at least that used to be the case[*] - maybe a bug in signtool) but only code signing certificates will be validated as such, so there's not much point in trying to use something else. What would be the point?

*) Back in the day, when Denmark introduced digital IDs, every citizen got issued a certificate. So naturally I used my personal certificate to sign all my software 🙂

I think that the new certificates are still just files. They just need to be on a secure token in order to be usable. AFAIK once you have a token with a certificate on it you can copy it to other tokens. That's what we are planning on doing anyway; we just received an EV certificate on a token and two extra blank tokens yesterday. One is used by the build server (via Signotaur - works great!), one will go in the safe for backup, and one will be shipped to me for R&D (my client is in another country), and in the darkness bind them.
Anders Melander 1812 Posted 15 hours ago
I can see that at both ssl.com and signmycode.com you can buy a code signing certificate without a token. I don't know how they then deliver it. As far as I can tell codesigningstore.com also offer that option, but J.F.C. they're expensive! $566 for a 1 year EV certificate without a token. The same costs $299 at signmycode or $349 at ssl.com.

Btw, don't believe their claim of 1-5 days to issue an EV certificate. It takes at least double that - and a clonable DNA sample from your firstborn.
Angus Robertson 576 Posted 13 hours ago
Sure you can copy a certificate from a token, the certificate is also in every program you sign. But the token keeps the certificate private key secure so it can not be copied, shared or stolen, which means you can only sign code with the token, which actually handles the sign operation; the private key never leaves the token.

There are ways to remotely sign code using the cloud or remote servers, suggest reading https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

Microsoft also has a remote signing solution https://learn.microsoft.com/en-gb/azure/trusted-signing/
Angus
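Two points from the posts above can be checked on your own machine: whether a certificate actually carries the Code Signing EKU (the reason an SSL certificate is not validated as a code-signing one) and whether its private key is exportable or held on a hardware token. The script below is an added example, not code from any of the posters; it assumes Windows PowerShell 5.1 or later and the built-in Cert: drive, and reads only the current user's personal store.

```powershell
# Added example (not from the thread): list certificates in the current user's
# personal store that carry the Code Signing EKU and report where each private
# key lives. Assumes Windows PowerShell 5.1+ with the Cert: provider.
function Get-CodeSigningKeyReport {
    # -CodeSigningCert filters on the Code Signing EKU (1.3.6.1.5.5.7.3.3);
    # a TLS/SSL certificate will not appear here, which is why signtool
    # will not treat it as a code-signing certificate.
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
    foreach ($cert in $certs) {
        $provider = 'n/a'; $exportable = 'n/a'; $hardware = 'n/a'
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    $provider = 'non-RSA key (not inspected here)'
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the key storage provider name tells you whether it is
                    # a software KSP or a token/smart-card KSP.
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = ($rsa.Key.ExportPolicy -ne 'None')
                    $hardware   = 'see Provider'
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key (e.g. a token vendor CSP): CspKeyContainerInfo
                    # exposes the exportable and hardware-device flags directly.
                    $info       = $rsa.CspKeyContainerInfo
                    $provider   = $info.ProviderName
                    $exportable = $info.Exportable
                    $hardware   = $info.HardwareDevice
                }
            }
            catch {
                # Touching a token-backed key may require the device to be present
                # or a PIN to be entered; record the failure instead of aborting.
                $provider = "error: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            EKU            = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
            HasPrivateKey  = $cert.HasPrivateKey
            Provider       = $provider
            Exportable     = $exportable
            HardwareDevice = $hardware
        }
    }
}

Get-CodeSigningKeyReport | Format-Table -AutoSize
```

A key that reports Exportable = True under a Microsoft software provider is a file-style key that can be copied; a token-backed key should show the vendor's provider and Exportable = False.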
Anders Melander 1812 Posted 12 hours ago
> 50 minutes ago, Angus Robertson said: But the token keeps the certificate private key secure so it can not be copied, shared or stolen, which means you can only sign code with the token, which actually handles the sign operation, the private key never leaves the token.

And yet you can apparently copy the certificate onto another token. I don't know how it's done yet, as I haven't tried it, but according to the certificate providers it is possible.

> 47 minutes ago, Angus Robertson said: Microsoft also has a remote signing solution

So do most of the certificate providers, but they're all subscription based and they're not cheap.
Joseph Mitzen 252 Posted 4 hours ago
> 11 hours ago, Rollo62 said: I would say no, this seems to be SSL certificates, which are free from LetsEncrypt, but no proper CodeSigning certificates, IMHO. Please prove me wrong

Aren't they all just random bunches of alphanumeric characters?