James Steel

New Code Signing Certificate Recommendations

Does anyone have recommendations for a reliable resource for code signing certificates? We have been buying our code signing certificates from the same company for around ten years and their service seems to have taken a turn for the worse. We did not stay current on the new requirements for OV and EV certificates, so we have been blindsided by the recent changes. Ideally we would like to order a three-year EV certificate and possibly order an HSM separately while the issuer does their verification process. Having the HSM on hand might save us a couple of days in the overall process. Thanks in advance for any help with this!

16 hours ago, David Heffernan said:

I got an EV cert from globalsign recently and it only took a couple of days from start to finish. 

Hi David, Thanks for posting this very encouraging information about your experience. What method did you choose for delivery? What documentation was required for your EV cert? Thanks!


They shipped a USB token which arrived next day. And for EV they just called me to confirm some details I provided on my order. Didn't seem very enhanced at all. 

5 hours ago, David Heffernan said:

They shipped a USB token which arrived next day. And for EV they just called me to confirm some details I provided on my order. Didn't seem very enhanced at all. 

Hi David, We decided to go with GlobalSign as well and the vetting process went very quickly, done in just a few hours.  Have you found that the EV cert from GlobalSign has eliminated issues with the Windows application installation process (Windows Defender SmartScreen, etc.) as one would expect? We also looked into AWS HSM as an elegant alternative to the hardware token. The service is listed as $1.45 per hour, per instance. No savings with that option!

55 minutes ago, James Steel said:

We also looked into AWS HSM as an elegant alternative to the hardware token. The service is listed as $1.45 per hour, per instance. No savings with that option!

Cloud HSM seems like a convenient solution. Seems expensive though. 

10 minutes ago, David Heffernan said:

Cloud HSM seems like a convenient solution. Seems expensive though. 

We are going to look into Google Cloud HSM for the future. It appears to have the almost-free to very-low cost one comes to expect with most Google services.

6 hours ago, James Steel said:

We are going to look into Google Cloud HSM for the future. It appears to have the almost-free to very-low cost one comes to expect with most Google services.

Expect it to be discontinued at short notice when Google get bored of it

8 hours ago, David Heffernan said:

Expect it to be discontinued at short notice when Google get bored of it

That would put an abrupt end to one's code signing!


Just getting back to purchasing a new certificate - finding it very difficult to determine which USB tokens the CAs are providing with the certificates. If anyone has purchased recently, can you post from which site and token kind you got?

Also, do not recommend this site - they have substantially ripped off my blog post from Oct 2022 with no attribution at all - I was actually browsing their site looking to buy when I came across the blog post and immediately recognised my work - at least one image was directly taken from my post (byte for byte identical).

Anyway, back to the tokens - I do see a lot more references to CAs using YubiKeys now than I did last year - but have still yet to find a resource on automating code signing using one. Hence my concern about which physical token kind they are issuing.


Sectigo and any Sectigo resellers supply YubiKeys.
DigiCert supplies SafeNet tokens.

No reply from the other CAs I have contacted so far.

FYI - SafeNet good (can automate), YubiKey bad (password prompts cannot be avoided).

30 minutes ago, Scott said:

I just received a Sectigo EV Dongle in July and it was Safenet.

Who did you purchase through? I contacted a bunch of sellers and they all said it's YubiKey for Sectigo certs.

3 hours ago, Scott said:

I just received a Sectigo EV Dongle in July and it was Safenet.

Thank god, I still have a usual certificate for 2+ years, but I am looking into the dark future to come.

What I found is this article; maybe it helps, but I couldn't check it, because I have no SafeNet yet.

https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6

Perhaps somebody has experiences or comments with that solution?


Personally, I find it particularly silly to enforce a world-class security system that is so super-secure that the developer has to hack it himself, probably using insecure and dubious third-party tools.

Isn't that in stark contrast to the original goal?

18 minutes ago, Rollo62 said:

Personally, I find it particularly silly to enforce a world-class security system that is so super-secure that the developer has to hack it himself, probably using insecure and dubious third-party tools.

Isn't that in stark contrast to the original goal?

It's certainly at odds with the notion that we should automate things so they work correctly every time. I for one am not going to sit there typing a PIN and pushing a button for every file that I sign. If I cannot automate, then I will either not sign at all, or sign with a self-signed certificate and provide the public key on my website for customers to install (to avoid the invalid certificate error).

Of course Microsoft, who has a big hand in this push to hardware storage of certificates, just happens to own a whole bunch of HSMs (Azure Key Vault) and is working on a code signing service for Azure - which they would like us all to use eventually - for a fee.


Looking at the Digicert site, they offer:

My own qualified hardware token - use the Code Signing certificate provisioning application to install your Code Signing certificate on your token. 'Qualified' might be a weasel word...

Also: DigiCert KeyLocker cloud HSM (USD $90.00 / year). Seems there are more options around.

Angus

4 hours ago, Angus Robertson said:

'Qualified' might be a weasel word...

In the original RFC it was proposed that qualification of a device had to be done by an independent qualified person - but I am seeing CAs list which devices they will support. Unfortunately that changes over time, so the token I have is no longer usable.

4 hours ago, Angus Robertson said:

Also: DigiCert KeyLocker cloud HSM (USD $90.00 / year).  Seems there are more options around.

Looks interesting, although Digicert's are the most expensive certificates you can buy, eye watering prices for small business to absorb. 


A little research showed DigiCert was only supporting SafeNet dongles.

But at least the concept of allowing the end user to load the certificate into the dongle, rather than shipping it, removes a major obstacle for users outside major countries.

Also surprised to find K-Software has updated its website for the first time in years; thought it was moribund, ignoring emails, etc. But prices are massively higher: $313 for one year. I paid $188 for three years, which is now $657 for the same thing; some massive profiteering going on here.

Angus


I have received so much conflicting information from the CAs (much like their terrible websites) -

codesigningstore.com (sslstore.com) sent this in response to my enquiry:

    Our token team will send the latest token which is SafeNet eToken 5110+ FIPS.
    If you have any existing token then it should be as below.
    For Sectigo, you must have one of the following devices:
        Yubikey 5 FIPS
        LUNA Network Attached HSM, version 7+
    For DigiCert, your HSM must meet the FIPS 140-2 level 2 standard at minimum.

So if they send me a SafeNet token, all good, but if I buy a Sectigo cert and want to renew using the same token in 3 years' time - I cannot?

I'm seeing similar vague/ambiguous responses from other sellers.

I have asked for clarification, but none so far.


I bought a YubiKey 5 NFC recently to test, not spent much time with it yet; the documentation and tools are clear as mud, not managed to install an SSL certificate on it yet...

Angus


I also bought a YubiKey to test with self-signed certificates - but haven't found a way to automate signing without the password prompt (bought it just to research this).

On 8/21/2023 at 7:17 AM, Rollo62 said:

What I found is this article; maybe it helps, but I couldn't check it, because I have no SafeNet yet.

https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6

Perhaps somebody has experiences or comments with that solution?

This is precisely what I am doing. My Python build code to perform signing starts like this:

def Sign(filename, sdk=None):
    # see https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6

Edited by David Heffernan
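A wrapper along the lines of David's post, added here as an example that is neither his build code nor code from the linked article: it builds the signtool.exe command that signs through the SafeNet eToken CSP with the token PIN passed inline, which is what stops the interactive prompt. The CSP name and the "[{{PIN}}]=container" key-spec syntax are SafeNet's; the container name, certificate thumbprint and the ETOKEN_PIN environment variable are assumptions to replace with your own values.

```python
import os
import subprocess
from typing import List

# Added example, not David Heffernan's code or the linked article's.
# The container name, thumbprint and ETOKEN_PIN variable are placeholders
# the reader substitutes for their own SafeNet token.

ETOKEN_CSP = "eToken Base Cryptographic Provider"


def build_sign_command(filename: str, container: str, pin: str, thumbprint: str,
                       signtool: str = "signtool.exe",
                       timestamp_url: str = "http://timestamp.digicert.com") -> List[str]:
    """Return signtool's argv as a list (no shell, so no quoting surprises)."""
    if not pin:
        raise ValueError("token PIN is empty; set ETOKEN_PIN on the build agent")
    return [
        signtool, "sign",
        "/fd", "SHA256",            # file digest algorithm
        "/tr", timestamp_url,       # RFC 3161 timestamp: signature outlives the cert
        "/td", "SHA256",            # timestamp digest algorithm
        "/csp", ETOKEN_CSP,         # route the private-key operation to the token's CSP
        "/k", "[{{" + pin + "}}]=" + container,  # SafeNet key spec: PIN, then container
        "/sha1", thumbprint,        # select the certificate on the token by thumbprint
        filename,
    ]


def redact(argv: List[str]) -> List[str]:
    """Copy of argv that is safe to write to a build log: the PIN is masked."""
    out = list(argv)
    if "/k" in out:
        i = out.index("/k") + 1
        out[i] = "[{{****}}]=" + out[i].split("]=", 1)[1]
    return out


def sign(filename: str, container: str, thumbprint: str) -> int:
    """Sign one file; the PIN comes from the environment, never from source control."""
    pin = os.environ.get("ETOKEN_PIN", "")
    argv = build_sign_command(filename, container, pin, thumbprint)
    print("signing:", " ".join(redact(argv)))
    return subprocess.run(argv, check=False).returncode
```

The PIN is still visible in the signtool process's command line while it runs, so the build agent should be a machine whose process list only the build account can read.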