What cert are you using for code-singing on Windows these days?
-
Cert-obtaining and code-singing on Windows was a fairly straightforward process.
However, things have changed. If you thought Apple was a pain in the neck...read on.
A cert authority like Certigo, for example, charges pretty ridiculous fees to issue certificates these days. As an alternative, I opted for ssl.com, which is much cheaper. They, however, as do others, now require some damn hardware key (YubiKey) to store certs! Can you believe it? And that tiny USB stick they specified cost me over $100.
The worst part? Nearly a month in, and I still haven't been able to sign anything with it because the issued cert isn't properly compatible with the YubiKey. I am running in circles with their support, yet I have not gotten this working. Of course, they have the cloud signing option for $1/ signing! Ridiculous.
What are you guys doing with your code signing on Windows these days, to avoid the stupid Microsoft popup (unknown publisher)?
Goran Rista
https://gorangrooves.comHandy Drums and Handy Grooves
https://library.gorangrooves.com -
@gorangrooves If you're a company in the US, Canada, Europe, or the UK, look into Azure signing: https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/
That article states it's only available in the US, but according to this thread it's now available in the locations I mentioned.
I'm using a cert from SignMyCode, I bought a few years in advance to save money but once it expires I'll be looking to use Azure.
I have an EV cert, 3 years cost me $834.97 including about $100 for the hardware token. The token I bought is not reusable so each time I renew I have to buy another $100 token! I asked their support at the time about a YubiKey, which they also sell, and they told me it doesn't work very well - no idea why they sell it when it doesn't work...
Free HISE Bootcamp Full Course for beginners.
YouTube Channel - Public HISE tutorials
My Patreon - HISE tutorials -
@David-Healey Thanks!
Yeah, the price you paid is quite high, and the fact that you can't reuse the hardware token is another layer of this cert mafia bs. All of this is a rip-off. They are getting money for nothing.
I am going to check the Azure signing. That looks more promising.
Goran Rista
https://gorangrooves.comHandy Drums and Handy Grooves
https://library.gorangrooves.com -
@David-Healey Looking through that Azure post, it also looks convoluted and overly complicated. It blows my mind that, in this day and age, we can get complex videos created by AI just by typing a simple text prompt, yet we have to spend hours, days, or weeks trying to obtain a stupid cert only to get a less-annoying Microsoft pop-up. It is absurd.
Goran Rista
https://gorangrooves.comHandy Drums and Handy Grooves
https://library.gorangrooves.com -
Yeah, I've tried to log into my Azure account a year after evaluating the certificate (which worked back then) and now my account is deleted with absolutely no way of restoring it, so if you end up using it make sure to login there regularly and click some random buttons in their backend lol.
Honestly I would just go "don't negotiate with terrorists" and live with this popup - if people complain you can point them to the vast online resources that explain the scammy nature of this entire concept.
-
@Christoph-Hart @gorangrooves I had a real fun time with Azure as well before opting to pay the cartel at signmycode. Azure charged me for months (4-5) while I waited to have my account authenticated. I followed the link David shared (which is really great imo).
Azures customer support is nonexistent. My case got stuck in limbo, I suspect it may be due to the fact that my documents are all in French but I have no idea honestly.
If you have time to wait and saving money is a priority, then maybe Azure is a good option. I wouldn’t hold my breath. I kind of agree with Christoph about just not signing the plugin, it’s not really a big deal at the end of the day.
-
@Christoph-Hart said:
Honestly I would just go "don't negotiate with terrorists" and live with this popup.
That's exactly what I'm going to do. I think by this point, Windows users are completely used to skipping the warning screen when installing stuff.
Mac and Windows systems are kind of opposite.
Mac is cheap and easy to implement, but almost impossible to go ahead without it.
Windows is expensive and difficult to implement, but extremely easy to go ahead without it. -
@David-Healey Azure signing is no longer offered for individual developers. If you're an incorporated entity of some sort you might have better luck. https://github.com/Azure/trusted-signing-action/issues/42
Since my software is open source I was able to get a signing certificate with http://certum.store/ for $29 after submitting a ludicrous amount of personal information and paying extra for the special card they ship to you. Not exactly recommended, but it was the cheapest I found.
I saw another option for open source developers come up on hackernews that I'll have to look for again.
Thing is, I haven't actually got around to signing my Windows binaries yet, and I have received zero complaints from customers so far... Which is rather surprising.
-
@Simon said in What cert are you using for code-singing on Windows these days?:
Thing is, I haven't actually got around to signing my Windows binaries yet, and I have received zero complaints from customers so far... Which is rather surprising.
Good to know. Supports the argument to not deal with these cert scams and just let Windows users do what they've been used to doing for years - skip the warning and install anyway.
Meat Beats: https://meatbeats.com
Klippr Video: https://klippr.video -
I was about to throw my towel in with SSL.com and requested a refund. Then, they offered a screen-sharing session, where we finally got the issue resolved. Before that, they never properly issued me a certificate to be loaded onto the YubiKey hardware. Their website and the overall procedure are just terrible.
Had I had such a shitty design, implementation, and support offered by my business, I would have folded within a week.
We'll see what route I'll take in 3 years when this one expires.
Goran Rista
https://gorangrooves.comHandy Drums and Handy Grooves
https://library.gorangrooves.com -
@gorangrooves So it works with the YubiKey?
Free HISE Bootcamp Full Course for beginners.
YouTube Channel - Public HISE tutorials
My Patreon - HISE tutorials -
@David-Healey Yes. The only reason I purchased the YubiKey was to use the certs from SSL.com. However, they kept issuing incompatible certs, not for YubiKey, for what I could tell. There are two places that apparently offer downloads on their website...and they may not be the same...a shitshow.
Fun fact: after I purchased the certs from SSL.com, I watched a YouTube video on how to obtain them and install them on a YubiKey by a guy who said he spent a month and a half trying to get them to work. I thought: That's insane, what an incredibly patient person. And here we are, a month and a half later!
