What cert are you using for code-signing on Windows these days?
-
Cert-obtaining and code-signing on Windows was a fairly straightforward process.
However, things have changed. If you thought Apple was a pain in the neck...read on.
A cert authority like Certigo, for example, charges pretty ridiculous fees to issue certificates these days. As an alternative, I opted for ssl.com, which is much cheaper. They, however, as do others, now require some damn hardware key (YubiKey) to store certs! Can you believe it? And that tiny USB stick they specified cost me over $100.
The worst part? Nearly a month in, and I still haven't been able to sign anything with it because the issued cert isn't properly compatible with the YubiKey. I am running in circles with their support, yet I have not gotten this working. Of course, they have the cloud signing option for $1/signing! Ridiculous.
What are you guys doing with your code signing on Windows these days, to avoid the stupid Microsoft popup (unknown publisher)?
-
@gorangrooves If you're a company in the US, Canada, Europe, or the UK, look into Azure signing: https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/
That article states it's only available in the US, but according to this thread it's now available in the locations I mentioned.
I'm using a cert from SignMyCode. I bought a few years in advance to save money, but once it expires I'll be looking to use Azure.
I have an EV cert, 3 years cost me $834.97 including about $100 for the hardware token. The token I bought is not reusable so each time I renew I have to buy another $100 token! I asked their support at the time about a YubiKey, which they also sell, and they told me it doesn't work very well - no idea why they sell it when it doesn't work...
-
@David-Healey Thanks!
Yeah, the price you paid is quite high, and the fact that you can't reuse the hardware token is another layer of this cert mafia bs. All of this is a rip-off. They are getting money for nothing.
I am going to check the Azure signing. That looks more promising.
-
@David-Healey Looking through that Azure post, it also looks convoluted and overly complicated. It blows my mind that, in this day and age, we can get complex videos created by AI just by typing a simple text prompt, yet we have to spend hours, days, or weeks trying to obtain a stupid cert only to get a less-annoying Microsoft pop-up. It is absurd.
-
Yeah, I've tried to log into my Azure account a year after evaluating the certificate (which worked back then) and now my account is deleted with absolutely no way of restoring it, so if you end up using it make sure to log in there regularly and click some random buttons in their backend lol.
Honestly I would just go "don't negotiate with terrorists" and live with this popup - if people complain you can point them to the vast online resources that explain the scammy nature of this entire concept.
-
@Christoph-Hart @gorangrooves I had a real fun time with Azure as well before opting to pay the cartel at signmycode. Azure charged me for months (4-5) while I waited to have my account authenticated. I followed the link David shared (which is really great imo).
Azure's customer support is nonexistent. My case got stuck in limbo. I suspect it may be due to the fact that my documents are all in French, but I have no idea honestly.
If you have time to wait and saving money is a priority, then maybe Azure is a good option. I wouldn’t hold my breath. I kind of agree with Christoph about just not signing the plugin, it’s not really a big deal at the end of the day.
-
@Christoph-Hart said:
Honestly I would just go "don't negotiate with terrorists" and live with this popup.
That's exactly what I'm going to do. I think by this point, Windows users are completely used to skipping the warning screen when installing stuff.
Mac and Windows systems are kind of opposite.
Mac is cheap and easy to implement, but almost impossible to go ahead without it.
Windows is expensive and difficult to implement, but extremely easy to go ahead without it.