K-Software

[Fritzew 51]

I have purchased a new Sign-certificate from K-Software 5 weeks ago....
they have billed my card but no answer from support or sales afterward.
 

Does anybody know something?
Do i need a lawyer or just whine?

[Angus Robertson 526]

K-Software support is almost non-existent, totally automated, probably how they are able to offer code signing certificates vastly cheaper than anyone else. 

 

I bought a three year certificate in January, it all worked, they resell Sectigo, you should get an email from certs@ksoftware.net with a link that starts the process, which is fun since it requires Internet Explorer that has now been discontinued.  Eventually Sectigo will contact you to confirm your personal identity using your passport and the certificate will be issued, that is why I paid $188 for three years ($500 from Sectigo) to put off doing it all again. 

 

Good luck.

 

Angus

 

[Mark- 26]

I switched to SSL.com years ago, for code signing certificates.  Verification process was OK. Good prices.

[Rollo62 502]

 

22 hours ago, Fritzew said:

Does anybody know something?
Do i need a lawyer or just whine?

I had to whine some years ago, when I could not get back payment due to some typo in a DUNS number, the money was lost and I was quite upset.

 

Nevertheless I've read too many success stories and I've tried it again a few months ago for a different DUNS,  also that was an experience of its own as usual.
 

I received emails from K-Software and Sectigo in the following order:

 - Your Code Signing Certificate Order                                             from K Software - 22.02.2022 16:16

 - Completed : Your Code Signing Certificate Order                        from K Software - 22.02.2022 17:15

 - Case #123456789 - Created for Submission initial documents fo verification :: ref:_       from Support & Validation - 22.02.2022 18:21   ( Sectigo )

 - Action Required for your Order 123456789                                 from Sectigo Validation Team - 25.02.2022 13:31

 - Action Required for your Order 123456789                                 from Sectigo Validation Team - 28.02.2022 09:39

 - Case Number: 12345678 and CaseId: 50.....   [ ref:_00... ]             from Support & Validation - 02.03.2022 18:54

 - Case Number: 12345678 and CaseId: 50.....   [ ref:_00... ]             from Support & Validation - 02.03.2022 19:04

 - How was your recent Sectigo Technical Support experience?     from Support NoReply - 02.03.2022 19:04                    ( <= I didn't told them the truth here 🙂 )

 - ORDER #123456789 - Your Code Signing Certificate is ready!    from Sectigo Certification Authority - 02.03.2022 20:14

 - Case Number: 12345678 and CaseId: 50....   [ ref:_00.... ]             from Support & Validation - 02.03.2022 20:15

 - ORDER #123456789 - Your Code Signing Certificate is ready!    from Sectigo Certification Authority - 02.03.2022 20:51

 

I hope that help you to identify the right EMail.

What I found is that it can be problematic to use different emails in the process, since I have alias emails that will not be used when answering a mail or sending a request.

Best of all to use the same email 1:1 over the whole process.

But as you can see I also got it with usinf different emails ( registered and alias ) from the same domain, finally.

 

Maybe you can search for the header and email to find yours.

EMail adresses used:  

=> K Software <certs@ksoftware.net>

=> Sectigo Validation Team <OV_Validation@sectigo.com>        // Seems to be used for customer cases, when you launched cases or questions to Sectigo

=> Support & Validation <support.validation@sectigo.com>      // Seems to be used for the automated validation process, which stucks and hold until you do something

                                                                                                        // I received a special site where to complete my data, in which I could upload files too. Anyway, no really status info from there.

=> Support NoReply <noreplysupport@sectigo.com>

=> "Sectigo Certification Authority" < noreply@sectigo.com >

 

 

 

 

 

 

 

 

 

 

Edited July 26, 2022 by Rollo62

[Angus Robertson 526]

Did Sectigo also ask you for a selfie with your passport?

 

On a general note, worth mentioning that buying Code Signing certificates will become more expensive and difficult from this autumn when software private keys are banned, you'll need to buy your certificate on a physical dongle probably adding $100 or more to the price, plus shipping and customs hassle for those outside the country where the certificate is sold.  This was the reason I bought a three year certificate earlier this year. 

 

Angus

 

[Vincent Parrett 657]

7 hours ago, Angus Robertson said:

you'll need to buy your certificate on a physical dongle probably adding $100 or more to the price, plus shipping and customs hassle for those outside the country where the certificate is sold.

This is going to be a nightmare for us. Our CI servers are in a data center in another city (3hr drive) in a shared cage - so there is absolutely no way I can leave a dongle plugged into a server that other companies might have access to. Then there is the issue of sharing the dongle amongst multiple vm's - any of our CI agent vm's can do code signing at the moment - there is also the hassle involved in automating signing with the EV certificates

 

We're currently investigating how this will impact us and our customers.

[Vincent Parrett 657]

9 hours ago, Rollo62 said:

I had to whine some years ago, when I could not get back payment due to some typo in a DUNS number, the money was lost and I was quite upset.

I had the same issue, we closed our office and went full remote - the address with our DUNS number was still the old office/phone - so I wasn't able to verify via phone call - getting the DUNS details updated outside the US was a nightmare - we eventually got our new certficate a day or so before the old one expired. I won't leave it so late next time.  The whole process is very unsatisfactory to say the least - they really need to find a (secure) way to streamline the process. Renewing should not be as hard as getting an entirely new certificate.

[Rollo62 502]

Again the renewal odysee with K-Software and Sectico ( its worse than Apple, I never thought I can say that 🙂  ).

 

Still I hope I will get re-verified, but on the site they promised that I shall "just order", the renewal of an existing certification would be detected automatically, with a rebate.

I would bet that they forget about this, at least from my phone calls to them,  and in the end can be happy to get through anyway, rebate or not.

What they proposed was that renewals will be easier, but I would  say this is the whole procedure as usual, from a first application, it is by far the worst processes and user interface I've ever seen.

 

Moreover, they require to use Internet Explorer only, since IE11 is the only one with such magic certification capabilities.

Unfortunately the IE11 is more or less gone in my latest Win10 updates and redirected to Edge.

In Edge I can open it as "Internet Explorer" mode, with a very crappy page design and odd visual outcome.

Nevertheless, if this will work as expected finally, I'm happy.

 

Does anyone know if the Edge - Internet Explorer mode works well with K-Software / Sectico certificates ?

All these explainations look very much different to my Edge version.

This allows a page to switch to IE11 mode and back, is that sufficient enough, or do I have to reset the whole Edge internals for certificate generation ?

On their website I cannot find much current information, seems same page information as years ago.

 

 

 

Edited March 3, 2023 by Rollo62

[Angus Robertson 526]

I renewed with K-Software a year ago and don't seem to have noted which URL created the private key, but it probably worked with Firefox which is my standard browser.  There are only a couple of sites I need to use Edge to access. 

 

Angus

 

[Patrick PREMARTIN 50]

I confirm : last year Microsoft Edge couldn't access to certificates feature in Windows IE had for years. I don't know if it was fixed, but Firefox was the browser to use for the all process on software/Sectigo/Comodo website : for asking the certificate or renew, paying and then exporting it.

 

If you used an other browser, contact the support to regenerate it on Firefox.

 

For me, last year, the export URL was https://secure.sectigo.com/products/CollectCodeSigningCert?collectionCode=XXXXXX with the "collection code" received by email.

Help page about brothers to use : https://sectigo.com/knowledge-base/detail/Which-browser-can-I-use-to-signup-for-a-Code-Signing-certificate-1527076085459/kA01N000000zFK9

[Rollo62 502]

Thanks, that helps a lot.

They say IE11 and Safari works, at least Safari should be fine.

 

But tehy also claim like this

Quote

Note: Firefox version 68 and earlier can be used for this purpose. Firefox has stopped keygen support from version 69 [ released on 3-Sep-2019 ]

I usally use Firefox, but this note and everywhere else on their page they note that only IE11 ( and now Safari) seems to work.

 

Thats why I tries to use Edge in IE11 mode also for application, which was not presenting the captcha to get on the next page.

I wondered why that happened, because Edge in IE11 should be able to generate a simple number-captcha ( not even an image ).

I tried to clarify with them in a phone call, where they told my to use Chrome instead.

So it seems I just have to try and check how far I get with Firefox, Edge (in IE11 mode) or Safari or Chome.

 

 

 

[Patrick PREMARTIN 50]

Simple Microsoft logic how-to :

- You must have a CSC to sign your programs and distribute them on our operating systems.

- We don't provide anything to get CSC on our operating systems. Use a Mac !

[mjustin 19]

On 3/4/2023 at 11:20 AM, Rollo62 said:

They say IE11 and Safari works, at least Safari should be fine.

Next week I will go through the Sectigo CSC request again, it worked well last year. Not sure which browser - IE or Edge - I used last time.

The reseller gives step-by-step instructions for Edge configuration are detailed and include many screenshots.

They also offer the option to send a CSR, instead of using a browser. Maybe this is an option for those where the IE / Edge is not working as expected.

I don't have experiences with K-Software, as I use a different reseller (PSW).

Edited March 5, 2023 by mjustin

[Rollo62 502]

Yes, you mean this configuration, right ?.

https://support.sectigo.com/PS_KnowledgeDetailPage?Id=kA03l000000HOFi

 

I think that completely changes Edge to IE11 mode, if I understand that right.

 

Alternatively I saw that option, to convert only a single page to IE11 mode, which would be more handy.

 

Anyway I'm still waiting for approval and I will check how it works when it arrives.

 

K-Software is only a reseller, and after that the whole processing is passed to Sectigo.

Nevertheless, I'm not sure how and how to handle a renew, which should be at less cost.
Strangely I have to re-order at K-Software, but a possible rebate can only processed by Sectigo, if they find out I only renew an existing account.

I cannot find anything useful about renew process on their site:

https://support.ksoftware.net/support/search/solutions?term=order

 

BTW: Most of their info is more than 10 years old.

 

Maybe for this time its already too late, but I hope next time I will learn how to smoothly pass all their obstacles best.

If anybody has link to a real good and current instruction for the whole K-Software / Sectigo process in the web, would be great to share that, to be able to avoid all pitfalls in the future.

 

Edited March 6, 2023 by Rollo62

[Patrick PREMARTIN 50]

the renew process is explained at https://www.ksoftware.net/code-signing-certificates : just click "renewing" in orange in the first part

[Vincent Parrett 657]

When it comes to certificates, there really is no such thing as a renewal process - you are effective buying a new one each time. I would love to think that once you have bought one from a vendor before, the renewal process (the validation part) would be a little smoother but that has not been my experience in the last 20 yrs. 

 

The change to hardware only based keys is fast approaching. Since I blogged about his last year the date was extended to 1 June 2023 - a lot of the vendors had already stopped selling software keys, but with the extension they opened up again. Our standard certificate expires in Oct - I'm half tempted to renew for 3yrs before June 1 just to kick the can down the road a for a while.

[Vandrovnik 202]

What about https://signmycode.com/offers/code-signing-certificates ?

If I now buy code signing certificate for 5 years, can I really use it during next 5 years without hardware device?

[Angus Robertson 526]

Not seen five year code signing certificates before, my Sectigo certificate does not expire for another two years and there is nothing to stop me using ir during that time.  Once signed, it is not possible to know how it was done, unless Windows keeps a database of intermediates and dates or something. 

 

SignMyCode does appear to offer prices very similar or cheaper than K-Software for Sectigo,, but never heard of them before, hope it is not a scam. 

 

I'd avoid the even cheaper Certera code signing certificate unless you find out who actually issues it. 

 

Angus

[Vandrovnik 202]

39 minutes ago, Angus Robertson said:

SignMyCode does appear to offer prices very similar or cheaper than K-Software for Sectigo,, but never heard of them before, hope it is not a scam. 
 

Well, it looks suspicious - even on Sectigo's shope I have not seen 5-years code signing certificate. I wonder if someone already tried them 🙂

[Patrick PREMARTIN 50]

1 hour ago, Vandrovnik said:

What about https://signmycode.com/offers/code-signing-certificates ?

If I now buy code signing certificate for 5 years, can I really use it during next 5 years without hardware device?

The certificate is available as a private key you can use on every windows computer you want. The "hardware/browser" thing is only to sign the request, get you private/public CSC and add a password on it.

With the PFX file and the password you do what you want until CSC expiration date.

 

By signing a program, the signature is available since the certificate expiration, but you can timestamp it for "life" validation of the signature.

 

So yes, a 5 years certificate can be used during 5 years (except if you revoke it if it's stollen or compromised).

Exe/Msix files signed/timestamped are recognized by Windows Smartscreen depending of how you signed them.

[Patrick PREMARTIN 50]

1 minute ago, Vandrovnik said:

Well, it looks suspicious - even on Sectigo's shope I have not seen 5-years code signing certificate. I wonder if someone already tried them 🙂

in this domain, prudence is needed

Comodo aka Sectigo, Thawte and some others are recognized by Microsoft, Symantec is not anymore (after loss of their keys)

even if it has a cost, it's important to not choose "the lower price" we can found on the net. 

even with a renew, each certificate is "new" for Windows tools. So 1 year is less interesting than 3 years.

[Vandrovnik 202]

52 minutes ago, Angus Robertson said:

SignMyCode does appear to offer prices very similar or cheaper than K-Software for Sectigo,, but never heard of them before, hope it is not a scam. 

 

From communication in their chat:

 

Hello, I have found a 5 years code signing certificate in your offer. I just wonder if it is true - even Sectigo itself does not offer 5 years certificate...?

 

Grace
Hello, Karel
A warm welcome from our Chat Support Team.
Firsthand, thank you for visiting our website and for your concern here.
Sure, we do offer 5-year code signing certificates.

 

Well, I wonder I can I check that your offer is not just a scam...

 

Grace
Kindly also be informed here, in the 5-Year bundle, your certificate will be initially issued for 3 years for Security reasons.
You would be notified prior for the reissue/regenerating the certificate to your registered email.

 

But in next 3 years, a hardware device will be necessary for code signing certificates, so that you cannot just reissue new one.

 

Rob
Karel, That will depends on once the Token becomes mandatory for OV order as well. But yes Sectigo is allowing to place the order for 5 years. SO after 3 years reissue will be still there but instead of PFX a token will be sent out, But that process is yet to define so I also cannot comment on that for now
Like it suppose to be mandatory from last Nov 2022 but its still not done and new date was June 2023.

 

OK, thank you.

 

[Vincent Parrett 657]

7 minutes ago, Vandrovnik said:

But that process is yet to define so I also cannot comment on that for now
Like it suppose to be mandatory from last Nov 2022 but its still not done and new date was June 2023.

Tokens are not free - so vendors will pass on the costs of the token (probably with a nice margin built in) - so in 3yrs time that 5yr cert you paid for will end up costing again, unless they charge you up front for a token now.  

 

If you really want to, you can read the info here : https://cabforum.org/wp-content/uploads/Baseline-Requirements-for-the-Issuance-and-Management-of-Code-Signing.v3.2.pdf

 

Not an easy document to read though.

 

[Nigel Thomas 28]

17 hours ago, Rollo62 said:

Nevertheless, I'm not sure how and how to handle a renew, which should be at less cost.

I "renewed" my code-signing certificate with K-Software a little (one month) earlier than it was due (I know from experience what a time-consuming hassle it can be to get verified each time by Sectigo) by simply purchasing a new certificate at what ever price their website was offering at the time. Two weeks later I received an email from K-Software to say my original code-signing certifcate was expiring and I should renew, containing a discount code. I think it was only 10%, and by then it was too late anyway.

[Rollo62 502]

On 3/6/2023 at 7:54 AM, Patrick PREMARTIN said:

the renew process is explained at https://www.ksoftware.net/code-signing-certificates : just click "renewing" in orange in the first part

Yes, thats what I meant.

Quote

There is no special renewal process if you've purchased a certificate in the past. Place a new order using the same company information and the validation process should go much faster than your first order.

10 hours ago, Nigel Thomas said:

I "renewed" my code-signing certificate with K-Software a little (one month) earlier than it was due (I know from experience what a time-consuming hassle it can be to get verified each time by Sectigo) by simply purchasing a new certificate at what ever price their website was offering at the time. Two weeks later I received an email from K-Software to say my original code-signing certifcate was expiring and I should renew, containing a discount code. I think it was only 10%, and by then it was too late anyway.

Yes, I saw a similar message, but I cannot remember any code, thats why I'm still unsure about it.
There was no specific entry where to apply that "discount code" anyhow.

Finally, I'm happy to get finished all this messy process, no matter if discount or not.

But I personally think that tis is some kind of "cheating" and selling in a grey legal zone, which I shall not expect from a trust provider.

Maybe you can call it maximize profit by business process obfuscation.

In the 21th century and especially from a central trust CA, I would expect a much more fluent and state-of-the-art procedure and business operation, not requirening >10yr old outdated tools, same as Sectigo is requiring all personal stuff from us.

Edited March 7, 2023 by Rollo62