I have developed free software that I want to code sign as Microsoft and Google are currently blocking it as it looks like malware due to taking screenshots. The software is by me personally - so a business is not involved.
I've been trawling through old forum posts that mention you need a business / DUNS listing and that it requires a business address. I don't want to use any of those as this is just for small software tools that I make available for free. I prefer not to make these open source, but might have to do that if required for code signing.
I'd like to be able to code sign without disclosing my home address and without having to put it under a business. Is that possible?
I don't mind disclosing my home address to the certificate issuer, but I don't want the address made public.
I'd like this to be cheap as I am not earning any revenue from this. $150 per year is ok.
Please recommend any certificate providers that would be suitable for this
The Code Signing Certificate (Separate Cost)
It is important to note that a SignPath subscription typically does not include the actual digital certificate. For non-Open Source software, you must purchase a certificate from a trusted public Certificate Authority (like DigiCert, Sectigo, or GlobalSign) and hook it into SignPath.
OV (Organization Validation) Certificates: Generally cost between $100 to $400 per year.
EV (Extended Validation) Certificates: Generally cost between $300 to $900+ per year.
It's for open source (not the same as Free software).
You have to apply, but from what I have seen on reddit etc, you need to have a reputation and a user base before they will consider it.
This is a big failing with the whole code signing thing. We're told not to run anything from outside that is not signed - but it's not easy for open source or free software maintainers to justify the cost of a certificate - not to mention individual certificates (IV) practically doxxing the person by including contact details in the certificate - I have heard of that happening but not sure if it's the norm or only some CAs or a mistake.
Code signing has always been a major PITA for developers and in the last two years it's got even worse.
The trouble is there's no equivalent of LetsEncrypt (currently) for Code Signing - and nobody wants to step up for the little guys and free apps because there's no money in it. Sectigo et al are raking it in financially and have zero incentive to change.
This rests squarely on the shoulders of Microsoft who want all apps to be signed but have made zero effort to make it possible to do so in a practical and affordable way. Apple and Google Play show that it can be done. So why can't the same thing exist for Windows? And NO the Microsoft store is not a viable alternative; it's an absolute 100% fail from all sides of the equation.
Could this be a service that ADUG provides to members following the SignPath Foundation model?
This isn't my area but I'm thinking ADUG could apply for an organization certificate and then allow ADUG members in good standing to use it to sign their non-commercial software.
I'm sure there's technical and legal details I'm handwaving away (I can hear Vincent in the distance laughing at my naivety as I type), but in principle it sounds like a useful service ADUG could provide.
@Lachlan nice idea, however that would probably break certificate identity trust - and possibly leave ADUG exposed if a member started signing malware with their certificate. Rule number 1 with code signing certificates: don't let anyone else use it - you risk having it be revoked.
FWIW - if you are working on applications for internal use only - you don't need an externally trusted certificate. You can use Active Directory Certificate Services (ADCS) to generate code signing certificates, and have your domain admins distribute the root/intermediate certificates via a group policy object (GPO) so that your machines on the domain trust that certificate. This is something we are working on in Signotaur - support for ADCS and its own internal CA for generating code signing certificates (internal trust only). Many enterprises are doing this already - ADCS is a bit of a pain to work with - hence our decision to simplify things with Signotaur.
Microsoft's recent change (in a Windows update) to how .rdp files (remote desktop connection files) are handled has the community in a spin with regards to code signing - if you don't sign them now the user gets a scary warning.
Embarcadero (and Idera) have previously looked at offering some kind of code signing service, or partnering with one, and we came to the same conclusions - the way the current system is set up it's not viable.
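Two points in this thread are worth seeing in practice: which identity details a certificate actually embeds in every file it signs (the "doxxing" concern above), and what signing and chain verification look like with a certificate from an internal CA such as ADCS, including the separate rdpsign step for .rdp files. The script below is an added example for this reply, not code from the thread or from Signotaur. It assumes a code-signing certificate with a private key is already installed in Cert:\CurrentUser\My, and the file paths and timestamp URL are placeholders you replace with your own.

```powershell
# Added example: inspect a code-signing cert, check its chain, sign a PE file and an
# .rdp file, and verify. Cert is assumed to be issued by an internal ADCS CA (or any CA)
# and installed in Cert:\CurrentUser\My. Paths and the timestamp URL are placeholders.

$exePath = 'C:\build\MyTool.exe'                 # placeholder
$rdpPath = 'C:\build\connect.rdp'                 # placeholder
$tsaUrl  = 'http://timestamp.example.invalid'     # placeholder; use your CA's timestamp service

# 1. Pick a certificate that has the code-signing EKU, a private key, and is not expired.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }

# 2. Show what the certificate discloses. The whole Subject is embedded in every signed
#    file and visible to anyone who opens the file's properties, so review it before
#    signing anything you distribute (an IV cert may carry personal contact details here).
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"

# 3. Build the chain the way a client machine would. On a domain member the internal
#    root/intermediate have been pushed by GPO; on any other machine this fails, which
#    is exactly the "internal trust only" limitation of an ADCS-issued certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation)"
    }
    throw 'Certificate does not chain to a trusted root on this machine'
}

# 4. Sign the executable with SHA-256 and a timestamp so the signature remains valid
#    after the certificate itself expires.
$result = Set-AuthenticodeSignature -FilePath $exePath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $tsaUrl
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# 5. Verify the file the same way a client will before running it.
$sig = Get-AuthenticodeSignature -FilePath $exePath
Write-Host "Signature status: $($sig.Status)"
Write-Host "Signed by       : $($sig.SignerCertificate.Subject)"

# 6. .rdp files are not PE files, so the Authenticode cmdlets do not apply. rdpsign.exe
#    (shipped with Windows) signs them and takes the SHA-256 hash of the certificate
#    (assumed here to be the SHA-256 thumbprint of the DER-encoded cert).
$sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$certHashHex = ($sha256 | ForEach-Object { $_.ToString('x2') }) -join ''
& rdpsign.exe /sha256 $certHashHex $rdpPath
if ($LASTEXITCODE -ne 0) { throw "rdpsign failed with exit code $LASTEXITCODE" }
```

Step 3 is the useful check for the internal-CA case: run it on a machine that has not received the GPO and the chain build fails, which is what your users outside the domain will see. Step 2 is the check for the privacy concern: whatever the CA put in the Subject is what ships with the signature.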
It definitely needs someone like LetsEncrypt to step up and offer free or low-cost certificates at scale and with a full trust chain mechanism in place.
The problem with this is that the "trust" comes from the CAs actually verifying that you are in fact who you say you are, that your company is legit etc before they issue a certificate.
Doing that at scale is not really feasible. If they dumb down the verification then the trust is no longer there, which would make code signing pointless.
I guess they are employing some sort of automation (AI perhaps) in the verification process - I know of customers whose renewal came through in days with very little verification, and others where it took weeks.
I suspect if you renew with the same CA that issued your previous certificate, things go a little smoother. I shop around for the best deals - and due to the nature of one of our products, I needed multiple certs - my experience was not ideal.
That's normal - and a different message from the scary one you see when the software is unsigned.
I wouldn't go that far - the process is far from ideal - but it is what it is - we are playing in someone else's sandpit.