James Steel 0 Posted June 26, 2023 Does anyone have recommendations for a reliable resource for code signing certificates? We have been buying our code signing certificates from the same company for around ten years and their service seems to have taken a turn for the worse. We did not stay current on the new requirements for OV and EV certificates, so we have been blindsided by the recent changes. Ideally we would like to order a three-year EV certificate and possibly order an HSM separately while the issuer does their verification process. Having the HSM on hand might save us a couple of days in the overall process. Thanks in advance for any help with this! Share this post Link to post
David Heffernan 2349 Posted June 26, 2023 I got an EV cert from globalsign recently and it only took a couple of days from start to finish. 1 Share this post Link to post
Vincent Parrett 758 Posted June 26, 2023 I can't offer advice on where to buy from, but I am also about to go through this process again in the next few months, so interested to hear people's experiences. FWIW, I blogged about code signing with hardware based certificates last year - https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens 2 Share this post Link to post
James Steel 0 Posted June 27, 2023 16 hours ago, David Heffernan said: I got an EV cert from globalsign recently and it only took a couple of days from start to finish. Hi David, Thanks for posting this very encouraging information about your experience. What method did you choose for delivery? What documentation was required for your EV cert? Thanks! Share this post Link to post
David Heffernan 2349 Posted June 27, 2023 They shipped a USB token which arrived next day. And for EV they just called me to confirm some details I provided on my order. Didn't seem very enhanced at all. Share this post Link to post
James Steel 0 Posted June 27, 2023 5 hours ago, David Heffernan said: They shipped a USB token which arrived next day. And for EV they just called me to confirm some details I provided on my order. Didn't seem very enhanced at all. Hi David, We decided to go with GlobalSign as well and the vetting process went very quickly, done in just a few hours. Have you found that the EV cert from GlobalSign has eliminated issues with the Windows application installation process (Windows Defender SmartScreen, etc.) as one would expect? We also looked into AWS HSM as an elegant alternative to the hardware token. The service is listed as $1.45 per hour, per instance. No savings with that option! Share this post Link to post
David Heffernan 2349 Posted June 27, 2023 55 minutes ago, James Steel said: We also looked into AWS HSM as an elegant alternative to the hardware token. The service is listed as $1.45 per hour, per instance. No savings with that option! Cloud HSM seems like a convenient solution. Seems expensive though. Share this post Link to post
James Steel 0 Posted June 27, 2023 10 minutes ago, David Heffernan said: Cloud HSM seems like a convenient solution. Seems expensive though. We are going to look into Google Cloud HSM for the future. It appears to have the expected almost free to very low cost one comes to expect with most Google services. Share this post Link to post
David Heffernan 2349 Posted June 28, 2023 6 hours ago, James Steel said: We are going to look into Google Cloud HSM for the future. It appears to have the expected almost free to very low cost one comes to expect with most Google services. Expect it to be discontinued at short notice when Google get bored of it 2 3 Share this post Link to post
James Steel 0 Posted June 28, 2023 8 hours ago, David Heffernan said: Expect it to be discontinued at short notice when Google get bored of it That would put an abrupt end to one's code signing! Share this post Link to post
Vincent Parrett 758 Posted August 14, 2023 Just getting back to purchasing a new certificate - finding it very difficult to determine which usb tokens the CA's are providing with the certificates. If anyone has purchased recently, can you post from which site and token kind you got? Also, do not recommend this site - they have substantially ripped off my blog post from Oct 2022 with no attribution at all - I was actually browsing their site looking to buy when I came across the blog post and immediately recognised my work - at least one image was directly taken from my post (byte for byte idendical). Anyway back to the tokens - I do see a lot more references to CA's using Yubikeys now than I did last year - but have still yet to find a resource on automating code signing using one. Hence my concern about which phyical token kind they are issuing. Share this post Link to post
Vincent Parrett 758 Posted August 15, 2023 Sectigo and any Sectigo resellers supply YubiKey's Digicert supply Safenet tokens No reply from the other CA's I have contacted so far. FYI - Safenet good (can automate), YubiKey bad (password prompts cannot be avoided). 2 4 Share this post Link to post
Scott 4 Posted August 21, 2023 I just received a Sectigo EV Dongle in July and it was Safenet. Share this post Link to post
Vincent Parrett 758 Posted August 21, 2023 30 minutes ago, Scott said: I just received a Sectigo EV Dongle in July and it was Safenet. Who did you purchase through. I contacted a bunch of sellers and they all said it's yubikey for sectigo certs. Share this post Link to post
Rollo62 538 Posted August 21, 2023 3 hours ago, Scott said: I just received a Sectigo EV Dongle in July and it was Safenet. Thanks god, I still have usual certificate for 2+ years, but looking into the dark future to come What I found it this article, maybe it helps, but I couldn't check it, because I have no SafeNet yet. https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6 Perhaps, somebody has experiences or comments with that solution? Personally, I find it particularly silly to enforce a world-class security system that is so super-secure that the developer has to hack it himself, probably using insecure and dubious third-party tools. Isn't that in stark contrast to the original goal? 1 Share this post Link to post
Vincent Parrett 758 Posted August 21, 2023 16 minutes ago, Rollo62 said: Perhaps, somebody has experiences or comments with that solution? I can confirm it works, if you have a safenet token. So far I have not found out how to do this with a yubikey token. https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens Share this post Link to post
Vincent Parrett 758 Posted August 21, 2023 18 minutes ago, Rollo62 said: Personally, I find it particularly silly to enforce a world-class security system that is so super-secure that the developer has to hack it himself, probably using insecure and dubious third-party tools. Isn't that in stark contrast to the original goal? It's certainly at odds with the notion that we should automate things so they work correctly every time. I for one am not going to sit there typing a pin and pushing a button for every file that I sign. If I cannot automate, then I will either not sign at all, or sign with a self signed certificate and provide the public key on my website for customers to install (to avoid the invalid certificate error). Of course microsoft, who has a big hand in this push to hardware storage of certificates, just happens to own a whole bunch of HSM's (azure key vault) and it working on a code signing service for azure - which they would like us all to use eventually - for a fee. 2 Share this post Link to post
Angus Robertson 574 Posted August 21, 2023 Looking at the Digicert site, they offer: My own qualified hardware token - use the Code Signing certificate provisioning application to install your Code Signing certificate on your token. 'Qualified' might be a weasel word... Also: DigiCert KeyLocker cloud HSM (USD $90.00 / year). Seems there are more options around. Angus Share this post Link to post
Vincent Parrett 758 Posted August 21, 2023 4 hours ago, Angus Robertson said: 'Qualified' might be a weasel word... In the original RFC it was proposed that qualification of a device had to be done by an independant qualified person - but I am seeing CA's list which devices they will support. Unfortunatley that changes over time so the token I have is no longer usable. 4 hours ago, Angus Robertson said: Also: DigiCert KeyLocker cloud HSM (USD $90.00 / year). Seems there are more options around. Looks interesting, although Digicert's are the most expensive certificates you can buy, eye watering prices for small business to absorb. Share this post Link to post
Angus Robertson 574 Posted August 22, 2023 A little research showed Digicert was only supporting Safenet dongles. But at least the concept of allowing the end user to load the certificate into the dongle rather than shipping it removes that major obstacles for users outside major countries. Also surprised to find K-Software has updated it's web site for the first time in years, thought it was moribund, ignoring emails, etc. But prices massively higher, $313 for one year. I paid $188 for three years which is now $657 for the same thing, some massive profiteering going on here. Angus Share this post Link to post
Vincent Parrett 758 Posted August 22, 2023 I have received so much conflicting infomation from the CA's (much like their terrible websites) - codesigningstore.com (sslstore.com) sent this in response to my enquiry Quote Our token team will send the latest token which is SafeNet eToken 5110+ FIPS. if you have any existing token then it should be as the below For Sectigo, you must have one of the following devices: • Yubikey 5 FIPS • LUNA Network Attached HSM, version 7+ For DigiCert, your HSM must meet the FIPS 140-2 level 2 standard at minimum. So if they send me a Safenet token, all good, but if I buy a sectigo cert and want to renew using the same token in 3 yrs time - I cannot? I'm seeing similar vague/ambiguous responses from other sellers. I have asked for clarification, but none so far. Share this post Link to post
Angus Robertson 574 Posted August 22, 2023 I bought a YubiKey 5 NFC recently to test, not spent much time with it yet, the documentation and tools are clear as mud, not managed to install an SSL certificate on it yet... Angus Share this post Link to post
Vincent Parrett 758 Posted August 22, 2023 I also bought a yubikey to test with self signed certificates - but haven't found a way to automate signing without the password prompt (bought it just to research this). Share this post Link to post
Scott 4 Posted August 23, 2023 On 8/21/2023 at 12:48 PM, Vincent Parrett said: Who did you purchase through. funnily enough it was signmycode.com but looks like Sectigo have a sale on at the moment https://sectigostore.com/code-signing/sectigo-ev-code-signing-certificate which may bring prices close enough for direct. Share this post Link to post
David Heffernan 2349 Posted August 23, 2023 (edited) On 8/21/2023 at 7:17 AM, Rollo62 said: What I found it this article, maybe it helps, but I couldn't check it, because I have no SafeNet yet. https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6 Perhaps, somebody has experiences or comments with that solution? This is precisely what I am doing. My Python build code to perform signing starts like this: def Sign(filename, sdk=None): # see https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6 Edited August 23, 2023 by David Heffernan Share this post Link to post