Code signing in 2022

There have been a few forum posts on code signing recommendations, with K-Software (now Sectigo) standing out as a favourite. I have used them successfully for around 5 years myself.

Renewal time came around for me recently, and regrettably, after 3 weeks of delays and frustration (not to mention the phone callback verification never working), they have decided not to renew my certificate because…

“Without official email address which is related with company name we won’t issue the certificate.”

I’ve always used the company which owns my software, or more precisely owns the intellectual property, and not my day-to-day business name (owned by a separate company). The IP company has never had a direct Internet presence since I started my business nearly 25 years ago.

Wonders never cease.

I am now on the lookout for another certificate provider, so suggestions welcome… or I consider moving forward without one.

Cheers, Ian

Yep, noticed that ‘fine print’.

Was wondering if maybe the verified phone number would suffice, but I guess not.

They tried to reject mine with ‘Photo doesn’t match the driver’s license photo’. I ‘queried’ that and they must of found someone with better eyesight.

Mind you, what exactly happens after a certificate expires? Ours still appeared to work with no messages issued anywhere. You had to go into the detail and look at the expiry date to see it had expired.

Files signed with the certificate before it expires will still be fine - you just can’t sign new files once the certificate has expired.

I haven’t looked to read any ‘fine print’ :slight_smile: Both my original application and subsequent renewal even used a gmail account with no questions asked.

We used Sectigo (again), but getting past the hurdle of phone verification for an online only company is not for the faint hearted.

Last time I renewed it was a nightmare - had to change our DUNS details to put my mobile no on there - not ideal.

It’s about to get worse - in Nov they will stop allowing the download of the certificates - they will only be available on a security device - which of course costs more (like EV certificates) - and it’s going to cause all sorts of problems - especially if your build servers are in a data center (like ours are) - can’t just leave the usb key stickong out the back of the server and hope no one else swipes it.

For my market - I fear it’s going to push people to cloud based build tools.

So there’s a sneaky secret agenda ?

Wow - you weren’t joking. So, for me to purchase a $20 domain to get around Sectigo’s ridiculous rule today would be a walk in the park compared with the hoop jumping we’d have to do in the future.

I wouldn’t go that far - I think it’s more about protecting against supply chain attacks. Much harder to steal a certificate if it’s hardware based.

Yep, that about sums it up. We already have issues with using EV certificates (which use the hardware already) in an automated build/CI environment - it’s going to become the norm.

I’m currently researching options for our customers. Our digicert EV has expired - we are still using our OV cert, as I am not comfortable leaving the EV key plugged into a server in a shared cage (and we use hyper-v, which doesn’t support usb passthrough) - so I have to go through the whole process again - in the certificate would there is no such thing as a renewal - it’s always a new certificate.

We have similar ‘pain’.

We run our build on a cloud server. To get the code signing to work, we

  • have the usb token plugged into a machine in an office that is permanently RDP’d to the build server (over a permanent VPN connection).
  • run the safenet software on the build server – it can see the usb token plugged into the RDP client machine.
  • we use the signtool action as per below. It took me a while to figure out the /csp and /k parameters at the time.

It’s been remarkably stable and trouble free considering.

But going forward, we might look at using Azure pipelines and Azure Key Vault – as you said, moving to cloud based build tools :frowning:.
Particularly as we have moved to an online business with staff working from home.

This is what I am afraid of :cry:

One thing I am investigating is the use of USB over IP - to see if it’s practical to have the USB device on a remote machine without needing it to be logged in (which isn’t really a practical solution for most users). I already have a vpn between my home dev network (which is separate from my home network) and our servers in the data center - so having the usb plugged into a server here but used by the servers in the dc would be a workable solution for us at least.

A major issue for us right now is our use of Hyper-v server - it doesn’t support usb passthrough to vm’s
(well it does, but only for storage devices). So I’m currently planning to migrate our servers to xcp-ng - I have been running it for a while on my home server and I’ve been really happy with it.

Just came across this, which looks interesting:
https://github.com/SirAlex/RemoteSignTool

Does it work for you?

Cheers,
Lex

I did look at this a while ago, but it has serious limitations (server is a gui app so user needs to be logged in).

There are other options for code signing remotely - for example ssl.com has eSigner

Depending on how many files/times per month you need to sign this could be an option.

I think I have found a good solution for remote access to the usb token

https://virtualhere.com/home

I’ve been testing it here with my digicert safekey based token.

I have the token plugged into an xcp-ng host and configured usb passthrough to a ubuntu server vm (don’t want to install on the host directly). I installed the virtualhere usb server on the vm (there is a link to an install script on the the linux server page, downloads and installs in a few seconds). There are also servers available for windows, macos, nas (like qnap and synology) etc.

Then I downloaded the client to my windows dev machine and ran it (the client is available for windows, macos and linux).

My machine is on a different subnet to the server (has access to the other subnet via router rules) - so the client didn’t discover the server autoatically - however after adding it manually it shows my token.

I just ran a test and was able to sign a file first time (using the technique I linked to earier in this topic).

I’ve been chatting to the author (looks like he is in qld) and he uses the same kind of token and uses his product to sign the builds on a vm (dogfooding).

The trial version only allows 1 device and pops up a msgbox when connecting - the price is very reasonable - USD$49 per server (license locked to the server).

I did look at a few other usb remoting solutions - but they were all a lot more expensive.

Edit : the author of virtualhere suggest that the server should be installed on the host machine, as usb passthrough with hypervisors is unreliable and can cause problems.