James Steel

New Code Signing Certificate Recommendations


I ended up purchasing a 3-year OV certificate (EV seems like a waste to me) from GoGetSSL.com, which was substantially cheaper (USD $730 including $120 shipping - better come wrapped in a vault!) than anywhere else. Turns out they are owned by DigiCert, and once you order, they create an account for you on DigiCert and the request process is done on the DigiCert site.


Received my new OV token from Digicert today - it is a SafeNet 5110+ FIPS token (thankfully) and I am able to automate signing with it 😅

I spent some time messing with a self-signed certificate on a YubiKey token over the last week, but cannot for the life of me figure out how to get it to sign without prompting for a password. This was just an experiment with the YubiKey (which I already had for other purposes).

Quote:
"FYI - SafeNet good (can automate), YubiKey bad (password prompts cannot be avoided)."

I'm surprised to see this sentiment. My impressions go in the opposite direction. Stack Overflow posts about SafeNet tokens range from auto-typing the password into the GUI via AutoIt to undocumented parameters gained from reverse engineering the driver, coupled with proprietary software not directly available from the vendor. All in all this sounds terrible.


On the other hand the YubiKey libraries are open-source and automated signing via PKCS#11/PIV is easy. I've recently implemented this via Windows' SignerSignEx3 -> Callback to sign the computed hash -> Sign via OpenSSL + PKCS#11 provider + PKCS#11 YubiKey library and the pin can be provided as a provider option. I did this with OpenSSL primarily so that I could move the actual signing (as opposed to Authenticode hash computation) to a different machine running Linux.


One disadvantage of the YubiKey is that it doesn't support RSA keys with >2048 bits; not enough for code signing anymore so you have to use ECDSA. There are certain signature schemes that don't support ECDSA (like NuGet).
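The split flow described in the post above (digest computed on the build host, signing done elsewhere through OpenSSL and a PKCS#11 key with the PIN supplied in the key reference), as an added example that is not code from the thread or from any of the posters. It assumes OpenSSL 3 with the pkcs11-provider module installed for the token path; the provider name `pkcs11`, the `PKCS11_PROVIDER_MODULE` environment variable pointing at the token's PKCS#11 library, and the `pin-value` attribute in the RFC 7512 URI are assumptions about that provider, and the URI itself holds placeholder values. The offline self-check uses a throw-away software EC key instead of a token. The Authenticode hash computation done through SignerSignEx3 is not reproduced; the digest here is a plain SHA-256 over a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the thread): split signing flow with OpenSSL.
# Step 1 runs on the build host, step 2 on the signing host that holds the
# key, step 3 anywhere that has the public key. Only the 32-byte digest and
# the signature cross between hosts; the artifact and the key never do.
#
# Assumptions for the token path: OpenSSL 3 with pkcs11-provider installed,
# and PKCS11_PROVIDER_MODULE set to the token's PKCS#11 library, e.g.
#   export PKCS11_PROVIDER_MODULE=/usr/lib/libykcs11.so   (path is an assumption)
set -e

# Step 1 (build host): hash the artifact; write the raw 32-byte digest.
compute_digest() {          # $1 = input file, $2 = output digest path
    openssl dgst -sha256 -binary "$1" > "$2"
}

# Step 2 (signing host): sign the pre-computed digest.
# $1 may be a PEM private key path or a pkcs11: URI such as
#   "pkcs11:token=YubiKey;object=SIGN key;pin-value=123456"   (placeholder values)
# With a URI, the pkcs11 provider is loaded and the PIN comes from the URI,
# so no interactive prompt appears (the property the post above relies on).
sign_digest() {             # $1 = key, $2 = digest path, $3 = signature out
    case "$1" in
        pkcs11:*) extra="-provider pkcs11 -provider default" ;;
        *)        extra="" ;;
    esac
    # $extra is intentionally unquoted so its words become separate options.
    # digest:sha256 tells pkeyutl the input is already a SHA-256 digest; for RSA
    # keys it also wraps the digest in the PKCS#1 v1.5 DigestInfo structure.
    openssl pkeyutl -sign $extra -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt digest:sha256
}

# Step 3: verify the signature over the digest with the public key.
# Returns 0 on a valid signature, non-zero otherwise.
verify_digest() {           # $1 = public key PEM, $2 = digest path, $3 = signature
    openssl pkeyutl -verify -pubin -inkey "$1" -in "$2" -sigfile "$3" \
        -pkeyopt digest:sha256 > /dev/null
}

# Offline self-check with a throw-away P-256 software key and a constructed
# sample file, so the flow can be exercised without any token present.
demo() {
    d=$(mktemp -d)
    printf 'constructed sample artifact\n' > "$d/app.bin"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/key.pem"
    openssl ec -in "$d/key.pem" -pubout -out "$d/pub.pem" 2> /dev/null
    compute_digest "$d/app.bin" "$d/app.sha256"
    sign_digest "$d/key.pem" "$d/app.sha256" "$d/app.sig"
    verify_digest "$d/pub.pem" "$d/app.sha256" "$d/app.sig"
    echo "software-key self-check passed"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh sign-split.sh demo` for the software-key check; on the signing host, replace the PEM path passed to sign_digest with the token URI. The verify step is worth keeping in the pipeline: both sides must agree that the input is a pre-hashed SHA-256 digest, and a mismatched digest option produces a signature that verifies nothing, which is the usual failure in this kind of split setup.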

