
I have a program which is used by a large number of people who are not always super computer savvy. I want to make sure that, rather than having my executable say it is from an unknown author, it says it was signed by me.

As far as I know this can be done with Microsoft Authenticode. I understand I need a certificate to do this and was looking for one at a reasonable price. I stumbled upon the page Microsoft Authenticode Certificates.

It looks like GlobalSign has everything I need. What is the experience with certificates from them or is there a better company? Are there any good tutorials for someone doing this for the first time?

Peter Mortensen
Daisetsu
  • Still looking for a trustable company which has a cheaper price than $500 a year; for non-profit software that's a lot. – Daisetsu Sep 03 '10 at 17:58
  • @Daisetsu: Go to [MSDN: get a code signing certificate](http://msdn.microsoft.com/en-us/library/windows/hardware/hh801887.aspx), scroll down and see whether one of the listed providers gives a discount. That way I saved 50%. – Thomas Weller Nov 30 '14 at 21:43

5 Answers


Comodo is a good starting point to find the cheapest code signing certificate, but one receives the best price from a reseller.

I just now verified the prices from https://author.tucows.com/. They are:

  • Comodo Code Signing Certificate - 1 year: US$75
  • Comodo Code Signing Certificate - 2 year: US$140
  • Comodo Code Signing Certificate - 3 year: US$195

Additional conditions are:

  • Most cost effective, fully validated and fully supported SSL certificates available
  • As trusted as Verisign and Thawte, yet a fraction of the price
  • 99% browser ubiquity
  • Industry standard 128 bit
  • Validation processes as strong as Verisign and far stronger than GeoTrust
  • 30 day money back guarantee
  • 30 day free replacement and reissue policy
  • Varying levels of warranty for specific site needs
  • Free SecuritySpace security audit
  • Free TrustLogo (worth $119) with every InstantSSL Pro and PremiumSSL certificate

The only trick to receive the price: you have to register for FREE on author.tucows.com.

One more remark. Independent of the price question, I want to add one important piece of information, to be sure that you understand correctly why you need time-stamping. If you sign a file using a code signing certificate, you can use time-stamping for free from any time-stamping server, like timestamp.verisign.com (see the /T parameter of the SignTool.exe utility). The practical advantage of time-stamping is the following: if you use a code signing certificate which is valid until the end of 2010, for example, the file signature will stay OK after the end of 2010. Without time-stamping you would have to re-sign the file with a new certificate. The time-stamping server just confirms the date of signing. Because your certificate was OK on that date, you will have no problems later. So if you need a certificate only to sell a piece of software one time, you can get a certificate for the minimal period: one year. You can read more about time-stamping in SSL Certificate Authority and Digital IDs and Trusted timestamping.

Regarding another sub-question of your question: once you have a certificate, I recommend you just use the SignTool.exe utility. It is simple, free, and easy to use. You can find examples of the usage of SignTool.exe in Using SignTool to Sign a File and Assembly Signing Example, or just run SignTool.exe sign -?.

Peter Mortensen
Oleg

I used Thawte for years, and now I use Comodo (the cheapest, US$179.95). When you purchase your certificate, don't forget to save your private key. You need the tutorial Code Signing for Developers - An Authenticode How-To.

Peter Mortensen

I'm using a certificate from Certum for my projects. The prices are reasonable, their support is fast and actually quite good, compared to some other companies.

And they provide the certificates for free if you use them for an open-source project. But you have to ask for it; they don't advertise that on their website (or I just haven't found it).

Stefan

Certificate-wise we've completely switched to StartSSL.com for all our SSL and code signing needs, because their (to the best of my knowledge) still unique approach to validation and certificates allows for considerably lower prices (~50 USD for 2 years, unlimited certificates) and much increased flexibility: see my answer on Pro Webmasters for some pros and cons regarding their approach in general and SSL certificates in particular.

For quite some time now they do offer code signing certificates for use with Authenticode as well, albeit still labeled as beta - we are using these successfully for ClickOnce-deployed applications at several customer sites without any problems. The one thing that definitely seems to be beta quality still is their time stamping server though, which is not responsive at all times, but simply replacing it with one of another vendor has worked flawlessly so far. While their documentation SSL-wise is okay, the one for code signing is definitely very weak still (close to non-existent); consequently we had to dig out most information from the forums or generic advice elsewhere.

If pricing and flexibility with certificates are your major concerns, I think you won't regret giving their offerings a try; if on the other hand thorough documentation and an established process and customer base for code signing in particular are more important to you, this comparably small and distinct vendor won't fill your needs (I've personally never been happy with the respective offerings of larger and/or more expensive vendors either, though).

Update:

Just realized that the related question linked by Kate Gregory already features an answer recommending StartSSL as well, so you might cross check the mentioned topics within this thread indeed.

Steffen Opel
  • Which of their plans `http://www.startssl.com` work for Microsoft Authenticode? – nam Oct 19 '14 at 19:37
  • @nam - haven't used it for a while, but I think [60.) How to get an object code signing certificate?](https://www.startssl.com/?app=25#60) provides the answer you are looking for: _Object Code Signing certificates require at least Class 2 identity validation. In order to obtain the certificate a certificate signing request must be prepared beforehand. Thereafter the signing request must be submitted to the StartSSL™ Certificates Wizard._ – Steffen Opel Oct 20 '14 at 05:19
  • But there is a big problem: All below EV don't support timestamping! That means, when your certificate expires (usually two years) all signatures are invalid. Normally, you use timestamping, meaning some CA confirms the date you signed it and the signature stays valid forever. All at StartSSL below EV forbids this and you can only get EV as a company! – Josef Oct 22 '14 at 09:08
  • Update on that: All StartSSL Code Signing Certificates now support Timestamping! – Josef May 03 '16 at 19:12
  • WARNING: In late 2016 Google Chrome, Apple and Mozilla stopped trusting certificates from StartSSL / StartCom. Currently the certificates still work in Microsoft products. This currently only impacts web certificates, but it's worth being aware of. More information is available at the following sites: https://en.wikipedia.org/wiki/StartCom#Trustworthiness https://www.theregister.co.uk/2016/11/02/google_punts_wosign_startcom_from_good_guy_certificate_club/ – A.Badger May 11 '17 at 09:38
  • StartCom is now shutting down since they couldn't regain trust. – fjch1997 Dec 18 '17 at 04:04

My organization has used Verisign and Comodo (we use the former now since the Windows Error Reporting service wouldn't accept a Comodo certificate - something to consider). There's not too much to it - you can use SignTool.exe that is part of the .NET SDK (there may be other tools, but this one is easily available, especially if you have Visual Studio).

We have a script that runs the following (the %_...% variables are set within the script; %1 is the file you're signing):

```bat
signtool.exe sign /f %_PFXFILE% /p %_PASSWORD% /v /t http://timestamp.verisign.com/scripts/timstamp.dll /d %_DESCRIPTION% /du %_URL% %1
```
Peter Mortensen
Andrew
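Oleg's remark on time-stamping and Andrew's signtool line describe the two halves of the job: produce a signature that carries a timestamp countersignature, and confirm afterwards that the countersignature is really there (a signature without one stops validating the day the certificate expires, which is the failure mode both answers warn about). The PowerShell script below is an added example, not code from any answer on this page or from Microsoft. It assumes signtool.exe from the Windows SDK is on PATH; the first timestamp URL is the one quoted in the answers above, the second is a placeholder to replace with the server your CA documents. Function names and parameters are my own.

```powershell
# Added example (not from the answers above). Assumes signtool.exe is on PATH.

function Invoke-SignWithTimestamp {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword,
        [Parameter(Mandatory)] [string] $File,
        # Constructed list: first entry is the server quoted on this page,
        # second is a placeholder for the URL your CA documents.
        [string[]] $TimestampServers = @(
            'http://timestamp.verisign.com/scripts/timstamp.dll',
            'http://TIMESTAMP-SERVER-FROM-YOUR-CA/'
        )
    )
    foreach ($tsa in $TimestampServers) {
        # /fd sha256 selects the file digest algorithm (required by current SDKs),
        # /t requests an Authenticode timestamp countersignature from $tsa,
        # /v prints the certificate chain signtool used.
        # Re-running "sign" replaces an earlier signature, so retrying is safe.
        & signtool.exe sign /f $PfxPath /p $PfxPassword /fd sha256 /t $tsa /v $File
        if ($LASTEXITCODE -eq 0) { return $tsa }
        Write-Warning "signtool exited with $LASTEXITCODE using $tsa; trying the next server."
    }
    throw "Signing failed with every timestamp server in the list."
}

function Test-SignatureTimestamped {
    param([Parameter(Mandatory)] [string] $File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $File is $($sig.Status): $($sig.StatusMessage)"
    }
    # TimeStamperCertificate is $null when no timestamp was applied; such a
    # signature will be reported invalid once SignerCertificate.NotAfter passes.
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "Signature on $File carries no timestamp countersignature."
    }
    [pscustomobject]@{
        Signer         = $sig.SignerCertificate.Subject
        SignerNotAfter = $sig.SignerCertificate.NotAfter
        TimeStamper    = $sig.TimeStamperCertificate.Subject
    }
}

# Usage (paths are placeholders):
# $used = Invoke-SignWithTimestamp -PfxPath 'C:\keys\codesign.pfx' `
#             -PfxPassword (Read-Host 'PFX password') -File '.\MyApp.exe'
# Test-SignatureTimestamped -File '.\MyApp.exe'
```

The fallback loop addresses the unresponsive-timestamp-server problem Steffen Opel mentions: a failed timestamp attempt is retried against the next server rather than shipping an untimestamped binary. If your CA offers an RFC 3161 endpoint, signtool's /tr and /td sha256 switches take the place of /t. As in Andrew's script, the PFX password is passed with /p and is therefore visible in the process command line to other users of the build machine; a build agent that is used only for signing limits that exposure.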