Windows Authenticode code signing certificate recommendations?

It’s time for us to renew our code signing cert for Windows Authenticode, and it appears that pricing varies wildly between the few vendors I’ve checked. I don’t mind paying for a cert, but when one company offers to sell one for around $500/year and another offers what appears to be the same for around $75/year… it’s hard to figure out where I should purchase. Is the cert really the same from the cheaper vendors?

Where do you prefer to purchase your Windows code signing certs?

Maybe @thommcgrath has some advice, as I think he’s needed this?

I think we got one here:
https://www.ksoftware.net/code-signing-certificates/

I was going to ask Kimball if the cheap one was Ksoftware. I’ve used them for several clients’ projects (the client obtains the certificate) and never had an issue. Their free Ksign utility works great also.

I think the low-cost option I was looking at a few days back was from a Comodo reseller: https://comodosslstore.com/codesigning.aspx I had not heard about Ksoftware yet.

Yeah, I do have some unfortunate experience in this area. I’ve used the certificate through kSoftware, though they’re just a reseller for Sectigo and they have deprecated their kSign utility. You’ll need (or want) to use the official signtool provided by Microsoft to do the signing.

The “unfortunate” part comes from my experience with Sectigo. For a little background, I’m a sole proprietor, so I’m “doing business as” my company. I have my company formally registered with the town, state, and federal governments. I have paperwork to prove it. Sectigo did not want to issue the certificate because a third-party company, Dun & Bradstreet, did not have the same info. Nor could I correct it, because their information was already wrong and I couldn’t prove my identity. After a couple of weeks of arguing with Sectigo, I said “fine, just give me the certificate for my own name instead of my company.” A few minutes later, I have the certificate… and it has my company name.

Fast forward a year and it’s time to renew, so the entire process has to start over again from scratch. There are no renewals; you just buy a new certificate. They don’t give a damn what happened at the last purchase. This time around my company name matched D&B, but the phone number did not. Despite Sectigo verifying the phone number themselves, they raised a fit when D&B’s listed phone number was not correct. Eventually I was able to make the case to Sectigo that, since they had already verified the phone number and D&B was able to verify the name, it should satisfy the verification requirements. It took a few days, but I got the certificate.

For the next year, I think I have everything squared away, but the process is awful.


Oh… @Tim may as well, since he has an EXE signer tool.

Interesting. I do use the official signtool from MS in my build process, so I just need a valid signing cert from a trusted source. The validation through Sectigo sounds painful… but we’re a registered corp through the state, not a sole proprietor. Maybe the process will be smoother as a result.

I honestly don’t recall where we bought our existing signing cert (I think it was 3 years ago), but I’ve never had any problems with the purchase/business validation portion of the process.
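Since both replies above sign with Microsoft’s signtool, here is an added example (not code from anyone in this thread) of the build-step invocation with an RFC 3161 timestamp, followed by a PowerShell check that the signature verifies and is timestamped; the .pfx path, its password variable and the timestamp server URL are placeholders you replace with your own.

```powershell
# Added example, not from this thread. Placeholders: the .pfx path, the password
# environment variable and the timestamp server URL are assumptions to replace.
$exe     = ".\build\MyApp.exe"
$pfx     = ".\secrets\codesign.pfx"              # placeholder path to your cert
$pfxPass = $env:CODESIGN_PFX_PASSWORD            # keep the password out of the script
$tsaUrl  = "http://timestamp.example.invalid"    # placeholder: your CA's RFC 3161 TSA

# Sign with a SHA-256 file digest (/fd) and an RFC 3161 timestamp (/tr, /td).
# The timestamp is what keeps the signature verifying after the yearly cert
# expires; without it, the signature stops validating once the cert lapses.
& signtool.exe sign /fd SHA256 /tr $tsaUrl /td SHA256 /f $pfx /p $pfxPass /v $exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Independent check using PowerShell's built-in Authenticode cmdlet.
function Test-AuthenticodeTimestamped {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the hash matches and the chain is trusted on this machine.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }
    # A signature without a countersigning timestamp will break on cert expiry.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "$Path : signed but NOT timestamped; breaks after $($sig.SignerCertificate.NotAfter)"
        return $false
    }
    $msg = "{0}: signed by '{1}', timestamped by '{2}', cert valid until {3}"
    Write-Host ($msg -f $Path, $sig.SignerCertificate.Subject,
        $sig.TimeStamperCertificate.Subject, $sig.SignerCertificate.NotAfter)
    return $true
}

if (-not (Test-AuthenticodeTimestamped -Path $exe)) { exit 1 }
```

`signtool verify /pa /v <file>` gives the same verdict from signtool's side and is worth running on the shipped installer as well, not only the .exe.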

Where is this documented? I can’t find anything, and still use kSign without issue.

My mistake. From https://support.ksoftware.net/support/solutions/articles/17170-how-do-i-use-ksign-to-digitally-sign-files-

kSignCMD is the one they don’t produce anymore. That’s all I remembered because command line signing is the only thing I use.