Code signing usb tokens

Did you buy direct from them or via a reseller?

I contacted Sectigo and they said this (last week):

We send out a Yubikey USB token with each Code Signing certificate.

But some resellers have said they send out SafeNet - but the responses I have so far have been vague or ambiguous. When it comes to renewal and you want to use your existing token, Sectigo say if you use your own hardware

you must have one of the following devices:
• Yubikey 5 FIPS
• LUNA Network Attached HSM, version 7+

Confused much :man_shrugging:

Stupid emails as well.

Our current certificate expires 10am tomorrow and this email just arrived:-

I ended up purchasing a 3-year OV certificate (EV seems like a waste to me) from GoGetSSL.com, which was substantially cheaper (USD$730 including $120 shipping - better come wrapped in a vault!) than anywhere else - turns out they are owned by Digicert, and once you order, they create an account for you on Digicert and the request process is done on the Digicert site.

Fingers crossed now that the correct token kind arrives - once I get past the validation stage!

Our Digicert token arrived today. Basically a blue USB device, looks like a memory stick, and has a blue light on the top.

Started the DigiCertHardwareCertificateInstaller, after installing the driver.

It tells you a token has been found; I checked the ‘Re-initialize my token’ box.

After the token password it prompts for an ‘Administrator’ password, or ‘use factory default’. I didn’t seem to be able to set an administrator password; it said ‘Your Token password is incorrect’, so I went back and started again, accepting the factory default. Then everything completed as expected.

Nothing appeared to be any different on the computer, i.e. no USB drives or anything.

Firing up DigiCertUtil, the new certificate was available for use.

The first time you sign a file it prompts for the token password before signing; it only prompts once per session.

Much easier procedure than in previous years.

Still waiting for Digicert to actually do something on their end - I have not had any calls or verification requests or any communication from them. The order still says pending validation - they don’t seem to be in any hurry considering how much money they charge for this gold-plated service.

Might want to engage with their online chat.

They often seem to wait on ‘intangibles’

Second time using their chat, managed to get them to call me - apparently waiting on their anti-malware team to check if I am a distributor of malware :man_shrugging: - anyway, seems like that may have progressed things a little.

It feels a bit like trying to deal with Bigpond on the phone in the early 2000s :roll_eyes:

Much chat and 2 calls later, I got past the security theatre part and apparently the certificate has been issued - now just have to wait for it to arrive.

Just to close off this topic, my OV cert/token arrived from Digicert today. It’s a SafeNet eToken 5110+ FIPS token - phew - I was able to sign files from FinalBuilder as I outlined before in my blog post.

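As an added example (not posted by anyone in this thread) of the signing step described above: once the token middleware has placed the certificate in the Windows store, the signing and verification can be scripted from PowerShell. It assumes signtool.exe from the Windows SDK is on PATH, the token is plugged in, and uses a placeholder file path and DigiCert's public timestamp server.

```powershell
# Added example, not from the thread. Sign and verify a binary with a code-signing
# certificate whose private key lives on a hardware token (SafeNet eToken / YubiKey).
# The token middleware exposes the key through the Windows CSP/KSP, so the certificate
# appears in the user's store and signtool.exe uses it like any other certificate;
# the PIN prompt comes from the middleware, not from signtool.
# Assumptions: signtool.exe (Windows SDK) is on PATH; $file is a placeholder path.

$file = '.\build\MyApp.exe'              # placeholder: replace with your build output
$tsa  = 'http://timestamp.digicert.com'  # DigiCert public RFC 3161 timestamp server

# Select the code-signing certificate from the current user's store. With a token the
# public certificate is in the store, but the private key is non-exportable and stays
# on the device. Fail early if zero or more than one usable candidate is present.
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
           Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
if ($certs.Count -ne 1) {
    throw "Expected exactly one valid code-signing certificate, found $($certs.Count)"
}
$cert = $certs[0]
Write-Host "Signing with $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# /fd sha256: file digest algorithm. /tr + /td sha256: RFC 3161 timestamp, so the
# signature stays valid after the 1-3 year certificate expires. /sha1 selects the
# certificate by thumbprint, so no other certificate in the store can be picked up.
& signtool.exe sign /fd sha256 /tr $tsa /td sha256 /sha1 $cert.Thumbprint /v $file
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode policy (/pa) and print the chain (/v). This is
# the check Windows applies at load time; an untrusted chain or a missing timestamp
# shows up here rather than on a customer's machine.
& signtool.exe verify /pa /v $file
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check from PowerShell: status must be Valid and the signer must be our cert.
$sig = Get-AuthenticodeSignature -FilePath $file
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signature check failed: status=$($sig.Status)"
}
Write-Host "Signature valid; timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Because the key never leaves the token, this script (and any build server running it) needs the physical device attached and someone to enter the PIN, which is the point of the hardware requirement the thread discusses.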

Sorry to raise this old thread from the dead, but our cert expires in a few months so starting to go down this rabbit hole.

We got our current cert through ksoftware just before the token requirement came in, so that’s adding an extra layer of uncertainty. It seems the consensus last year was go with Safenet rather than Yubikey. Does this still hold true?

@vincent have you had any regrets about going OV instead of EV?

and bloody hell, prices have multiplied in 3 years!

Cheers
Malcolm

Hi Malcolm,

We have had an OV and an EV for the last couple of years.
My OV has just expired, and I’m going to renew the EV when it comes due early next year.
The EV is much better than the OV in my opinion, because it eliminates annoying messages when a client tries to download the software from my website.
The OV doesn’t do that in my experience.

Cheers,
Lex

Whichever way you go - plan ahead to make sure you get the now-mandatory hardware token to you. Some suppliers send it by mail and that can take a few days.

In my experience of using both, OV is not a problem if you get enough downloads to trigger the MS SmartScreen validation accepting you. But EV is definitely the way to go, and since both require the hardware token it is worth the extra price just to guarantee zero problems. The information and validation is almost identical now, so it’s really down to price, although this can be a significant factor.

Hi Malcolm

Apologies for the slow reply. No regrets with OV so far, not exactly sure what it is I am missing out on I guess :man_shrugging: