New Code Signing Certificate Recommendations

[James Steel 0]

Does anyone have recommendations for a reliable resource for code signing certificates? We have been buying our code signing certificates from the same company for around ten years and their service seems to have taken a turn for the worse. We did not stay current on the new requirements for OV and EV certificates, so we have been blindsided by the recent changes. Ideally we would like to order a three-year EV certificate and possibly order an HSM separately while the issuer does their verification process. Having the HSM on hand might save us a couple of days in the overall process. Thanks in advance for any help with this!

[David Heffernan 2300]

I got an EV cert from globalsign recently and it only took a couple of days from start to finish. 

[Vincent Parrett 657]

I can't offer advice on where to buy from, but I am also about to go through this process again in the next few months, so interested to hear people's experiences.

 

FWIW, I blogged about code signing with hardware based certificates last year - https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

 

 

[James Steel 0]

16 hours ago, David Heffernan said:

I got an EV cert from globalsign recently and it only took a couple of days from start to finish. 

Hi David, Thanks for posting this very encouraging information about your experience. What method did you choose for delivery? What documentation was required for your EV cert? Thanks!

[David Heffernan 2300]

They shipped a USB token which arrived next day. And for EV they just called me to confirm some details I provided on my order. Didn't seem very enhanced at all. 

[James Steel 0]

5 hours ago, David Heffernan said:

They shipped a USB token which arrived next day. And for EV they just called me to confirm some details I provided on my order. Didn't seem very enhanced at all. 

Hi David, We decided to go with GlobalSign as well and the vetting process went very quickly, done in just a few hours.  Have you found that the EV cert from GlobalSign has eliminated issues with the Windows application installation process (Windows Defender SmartScreen, etc.) as one would expect? We also looked into AWS HSM as an elegant alternative to the hardware token. The service is listed as $1.45 per hour, per instance. No savings with that option!

[David Heffernan 2300]

55 minutes ago, James Steel said:

We also looked into AWS HSM as an elegant alternative to the hardware token. The service is listed as $1.45 per hour, per instance. No savings with that option!

Cloud HSM seems like a convenient solution. Seems expensive though. 

[James Steel 0]

10 minutes ago, David Heffernan said:

Cloud HSM seems like a convenient solution. Seems expensive though. 

We are going to look into Google Cloud HSM for the future.  It appears to have the expected almost free to very low cost one comes to expect with most Google services.

[David Heffernan 2300]

6 hours ago, James Steel said:

We are going to look into Google Cloud HSM for the future.  It appears to have the expected almost free to very low cost one comes to expect with most Google services.

Expect it to be discontinued at short notice when Google get bored of it

[James Steel 0]

8 hours ago, David Heffernan said:

Expect it to be discontinued at short notice when Google get bored of it

That would put an abrupt end to one's code signing!

[Vincent Parrett 657]

Just getting back to purchasing a new certificate - finding it very difficult to determine which usb tokens the CA's are providing with the certificates. If anyone has purchased recently, can you post from which site and token kind you got? 

 

Also, do not recommend this site - they have substantially ripped off my blog post from Oct 2022  with no attribution at all - I was actually browsing their site looking to buy when I came across the blog post and immediately recognised my work - at least one image was directly taken from my post (byte for byte idendical).

Anyway back to the tokens - I do see a lot more references to CA's using Yubikeys now than I did last year - but have still yet to find a resource on automating code signing using one. Hence my concern about which phyical token kind they are issuing. 

 

 

 

[Vincent Parrett 657]

Sectigo and any Sectigo resellers supply YubiKey's
Digicert supply Safenet tokens

No reply from the other CA's I have contacted so far. 

FYI - Safenet good (can automate), YubiKey bad (password prompts cannot be avoided). 

[Scott 4]

I just received a Sectigo EV Dongle in July and it was Safenet.

[Vincent Parrett 657]

30 minutes ago, Scott said:

I just received a Sectigo EV Dongle in July and it was Safenet.

Who did you purchase through. I contacted a bunch of sellers and they all said it's yubikey for sectigo certs.

[Rollo62 502]

3 hours ago, Scott said:

I just received a Sectigo EV Dongle in July and it was Safenet.

Thanks god, I still have usual certificate for 2+ years, but looking into the dark future to come

 

What I found it this article, maybe it helps, but I couldn't check it, because I have no SafeNet yet.

https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6

Perhaps, somebody has experiences or comments with that solution?

 

Personally, I find it particularly silly to enforce a world-class security system that is so super-secure that the developer has to hack it himself, probably using insecure and dubious third-party tools.

Isn't that in stark contrast to the original goal?

[Vincent Parrett 657]

16 minutes ago, Rollo62 said:

Perhaps, somebody has experiences or comments with that solution?

I can confirm it works, if you have a safenet token. So far I have not found out how to do this with a yubikey token.

https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

 

[Vincent Parrett 657]

18 minutes ago, Rollo62 said:

Personally, I find it particularly silly to enforce a world-class security system that is so super-secure that the developer has to hack it himself, probably using insecure and dubious third-party tools.

Isn't that in stark contrast to the original goal?

It's certainly at odds with the notion that we should automate things so they work correctly every time. I for one am not going to sit there typing a pin and pushing a button for every file that I sign. If I cannot automate, then I will either not sign at all, or sign with a self signed certificate and provide the public key on my website for customers to install (to avoid the invalid certificate error). 

Of course microsoft, who has a big hand in this push to hardware storage of certificates, just happens to own a whole bunch of HSM's (azure key vault) and it working on a code signing service for azure - which they would like us all to use eventually - for a fee.  

[Angus Robertson 526]

Looking at the Digicert site, they offer:  

 

My own qualified hardware token - use the Code Signing certificate provisioning application to install your Code Signing certificate on your token.  'Qualified' might be a weasel word...

 

Also: DigiCert KeyLocker cloud HSM (USD $90.00 / year).  Seems there are more options around.

 

Angus

 

[Vincent Parrett 657]

4 hours ago, Angus Robertson said:

'Qualified' might be a weasel word...

In the original RFC it was proposed that qualification of a device had to be done by an independant qualified person - but I am seeing CA's list which devices they will support. Unfortunatley that changes over time so the token I have is no longer usable. 

 

4 hours ago, Angus Robertson said:

Also: DigiCert KeyLocker cloud HSM (USD $90.00 / year).  Seems there are more options around.

Looks interesting, although Digicert's are the most expensive certificates you can buy, eye watering prices for small business to absorb. 

[Angus Robertson 526]

A little research showed Digicert was only supporting Safenet dongles. 

 

But at least the concept of allowing the end user to load the certificate into the dongle rather than shipping it removes that major obstacles for users outside major countries. 

 

Also surprised to find K-Software has updated it's web site for the first time in years, thought it was moribund, ignoring emails, etc.   But prices massively higher,  $313 for one year.  I paid $188 for three years which is now $657 for the same thing, some massive profiteering going on here.

 

 

Angus

 

[Vincent Parrett 657]

I have received so much conflicting infomation from the CA's (much like their terrible websites) - 

 

codesigningstore.com (sslstore.com) sent this in response to my enquiry

 

Quote

Our token team will send the latest token which is SafeNet eToken 5110+ FIPS. 

if you have any existing token then it should be as the below 

For Sectigo, you must have one of the following devices:
•    Yubikey 5 FIPS
•    LUNA Network Attached HSM, version 7+

For DigiCert, your HSM must meet the FIPS 140-2 level 2 standard at minimum.

So if they send me a Safenet token, all good, but if I buy a sectigo cert and want to renew using the same token in 3 yrs time - I cannot? 

 

I'm seeing similar vague/ambiguous responses from other sellers.

 

I have asked for clarification, but none so far.

 

[Angus Robertson 526]

I bought a YubiKey 5 NFC recently to test, not spent much time with it yet, the documentation and tools are clear as mud, not managed to install an SSL certificate on it yet...

 

Angus

 

[Vincent Parrett 657]

I also bought a yubikey to test with self signed certificates - but haven't found a way to automate signing without the password prompt (bought it just to research this). 

[Scott 4]

On 8/21/2023 at 12:48 PM, Vincent Parrett said:

Who did you purchase through.

funnily enough it was signmycode.com but looks like Sectigo have a sale on at the moment https://sectigostore.com/code-signing/sectigo-ev-code-signing-certificate which may bring prices close enough for direct.

[David Heffernan 2300]

On 8/21/2023 at 7:17 AM, Rollo62 said:

What I found it this article, maybe it helps, but I couldn't check it, because I have no SafeNet yet.

https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6

Perhaps, somebody has experiences or comments with that solution?

This is precisely what I am doing. My Python build code to perform signing starts like this:

 

def Sign(filename, sdk=None):
    # see https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6

 

Edited August 23, 2023 by David Heffernan