Codesigning - Windows
-
Ok, I will list you the order of events that I went through when trying to acquire a code-signing certificate:
- Bought a certificate for 60 bucks.
- The company denied handing out the certificate because I was an individual entity and not a company.
- They told me to make a business entry in any kind of "official" database (like the telephone book) to prove that I'm not a scammer (as if that would actually work LOL).
- I did so despite my concerns of data visibility and privacy.
- Sent them the link to my profile.
- They denied again because I made a "business account" on the telephone-book thingy internet page and since I ordered a "personal" certificate I have to create a "personal" account.
- I called the internet phone book company and asked them to switch the profile.
- They denied, saying that switching a profile will take about 2 years, however if I sign up for their "business pro" account, which costs 800€ / year, it will be done in a few hours.
- I told them they can stick their "dead horse head in the bed" extortion tactics somewhere else and hung up. Got so angry that I abandoned any further efforts (no amount of customer support mails saying "Just click on open anyways" can be more annoying than keeping up with these kinds of people).
So now you think the story is over, but no:
- Two years later, the German agency that collects the license payment for publicly-funded media (GEZ) wrote me a letter saying that they found out I am running a company (most likely by running a script over the telephone book database thingie) and require me to register the office and pay additional license fees (although I'm working from home and my company is registered at my private address which is already covered by the private household fees).
- I ignored the letters as much as I could because it brought back PTSD style memories from the code-signing scam that I was trying to forget.
- At some point they called me, where I said "nope, working from home, go away", which miraculously worked.
- Every two or three months I get a phone call from some marketing scam company because of that business entry.
TLDR: It's not worth it - if you're in another country or have a registered company that meets their weird requirements (as a sole-trading business will not cut it), it might work just well...
-
@d-healey I just bought a Windows Asus Duo PC. with all that there are recent folds inside. I had a message of this style, that my plugin was surely something not verified and therefore dangerous. I simply cut my perfume and their crappy antivirus. and everything is ok. I really hope Windows won't piss off like Mac with their crappy certificate. sorry I had to evacuate ^^
-
Just Bundle The .dll Files, And Give The Choice To Your Customer, It Works For Me.
And Remember Windows People Are Not Mac Cutey Teenagers, They Do Hack Stuffs, And Know The Environment Of Windows Very Well...
So Copy & Pasting Dll Files Are More Welcome Here
-
@Christoph-Hart Which company did you buy the certificate from?
-
I'm using https://comodosslstore.com/
-
@dustbro Ok so you buy a certificate - what next?
-
Me trying to remember the company:
-
@Lindon Install the certificate on your machine (.p12 file), and then pass the private key to your code signing software.
I'm using Pace, so I add it to the command line wrap configuration with: --signid <your dsig ID>
-
@dustbro "Pace" --- shudder....;-)
-
The price is prohibitive, so maybe when I'm sure to earn enough I'll have a second thought...
-
@Christoph-Hart said in Codesigning - Windows:
Ok, I will list you the order of events that I went through when trying to acquire a code-signing certificate:
I'm at about step 6 here and I think I'm going to give up. Agreed, probably not worth it.
-
@Lunacy-Audio said in Codesigning - Windows:
@Christoph-Hart said in Codesigning - Windows:
Ok, I will list you the order of events that I went through when trying to acquire a code-signing certificate:
I'm at about step 6 here and I think I'm going to give up. Agreed, probably not worth it.
Yes definitely. I can live without doing it and it's not worth it.
-
@dustbro have you actually paid for that extra smartscreen thingie? I found that to be particularly scammy as it's literally "Give me money or I will harass your customers for no reason".
The more I think about the subject the more I wonder why this is legally possible...
-
@Christoph-Hart said in Codesigning - Windows:
The more I think about the subject the more I wonder why this is legally possible...
Money makes anything legal...
-
Clearest instructions I've found so far https://www.ssl.com/how-to/using-your-code-signing-certificate/
-
@d-healey but it starts at list item #14 in my procedure ;)
-
@d-healey so then I should be able to use my Apple Developer Application Certificate - as I think this exports as a P12 file....
-
@Lindon Nope that doesn't work. Apple is not a certified signing entity on Windows. Now why that is the case and why a bullshit company like Comodo should be any more trustworthy than Apple, speaks volumes about the actual motives behind this.
https://stackoverflow.com/questions/12468783/code-sign-windows-programs-with-apple-certificate
-
@Christoph-Hart thanks - Yes the politics is pretty stinky.... hey ho...
-
I finally looked into this. The process for me was mostly painless, just a bit slow.
First, if you're not getting an EV certificate then I don't think there is any point in going any further. To get an EV certificate requires you to pay more and jump through some hoops.
I bought the EV certificate from signmycode.com. No matter which company you buy from it seems all the certificates come from Sectigo/Comodo, so just find the cheapest you can. Gone are the days when the prices @Dan-Korneff posted were available. You're looking at 3x that price now.
Next they want to verify who you are. This involves giving them details about your business (you must have a business to get an EV certificate).
I have a registered limited company in the UK, so I'm off to a good start. Then I also got a phone call where I had to give more info.
Then came the waiting. Two weeks later (today) a dongle arrives. I plug it into my Windows VM, download their certificate management software, log in with the password they emailed me, and access my certificate.
Then it's a one line command (which they provided in the email) to codesign my binary.
So I'm quite happy, except for the expense and waiting. The process was very easy for me. If you don't have a registered business and D.U.N.S number then it will be more difficult for you.
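
Added example, not taken from any post in this thread: a PowerShell sketch of the two steps mentioned above (installing a .p12 certificate, then signing a binary with a certificate from the store or an EV token) followed by a check that the signature and timestamp were actually applied. The file paths and the timestamp server URL are assumptions; substitute the values your certificate vendor gives you.

```powershell
# Added example. All paths and the timestamp URL below are assumptions.
$pfxPath = 'C:\certs\codesign.p12'         # hypothetical exported certificate
$target  = 'C:\build\MyPlugin.dll'         # hypothetical binary to sign
$tsaUrl  = 'http://timestamp.sectigo.com'  # assumed RFC 3161 timestamp service

# Step 1: import the .p12 into the current user's store.
# Skip this step for an EV certificate: the key stays on the dongle and the
# vendor's software exposes the certificate in the store for you.
if (Test-Path $pfxPath) {
    $pfxPass = Read-Host -AsSecureString 'Password for the .p12 file'
    Import-PfxCertificate -FilePath $pfxPath -Password $pfxPass `
        -CertStoreLocation Cert:\CurrentUser\My | Out-Null
}

# Step 2: pick an unexpired code-signing certificate that has a private key.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No usable code-signing certificate found in the store.' }

# Step 3: sign with SHA-256 and a timestamp, so the signature stays valid
# after the certificate itself expires.
Set-AuthenticodeSignature -FilePath $target -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $tsaUrl -IncludeChain NotRoot | Out-Null

# Step 4: verify what ended up in the file before shipping it.
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning 'Signed, but no timestamp was applied; the signature will lapse with the certificate.'
}
'{0} signed by {1}' -f $target, $sig.SignerCertificate.Subject
```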