FYI - VeriSign has code signing certificates on sale

I was looking something up on the winqual site yesterday and noticed an
offer from VeriSign for a code signing certificate for $99. Use the offer
code THEDEAL99

These seem to be the full 1 year code signing certificate, not just the WHQL
corporate id certificate they have had for $99.

On the other hand, GlobalSign was offering a 3 year renewal on a code
signing certificate for about $385 (ask them to send you a discount code).
GlobalSign is also using 2048 bit keys all up the chain.

Jan

> I was looking something up on the winqual site yesterday and noticed an
> offer from VeriSign for a code signing certificate for $99. Use the offer
> code THEDEAL99

CoApp is a MSFT project for an opensource-centric, MSC-centric toolchain
that hopes to replace GNU/automake and apt-get, and integrates with
WinQual. The CoApp project info mentions that VeriSign is going to give
away free certs for use with this CoApp. Not sure if these certs would
work outside CoApp scope. This is referenced in the CoApp home page’s
whiteboard presentation video, and in the FAQ URL below.

http://coapp.org/CoApp_FAQ#Why_demand_all_code_be_signed.3f
http://coapp.org/
https://launchpad.net/coapp/

> noticed an offer from VeriSign for a code signing certificate for $99

Didn’t that expire many years ago?

I JUST today received a brand new code signing certificate, it’s a CURRENT
deal.

Jan

Yes, but does it work? Remember, Verisign was just devoured by Symantec.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jan Bottorff
Sent: Wednesday, September 15, 2010 7:34 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] FYI - VeriSign has code signing certificates on sale

I JUST today received a brand new code signing certificate, it’s a CURRENT
deal.

Jan

> noticed an offer from VeriSign for a code signing certificate for
> $99

Didn’t that expire many years ago?


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

So?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gary G. Little
Sent: Wednesday, September 15, 2010 8:38 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] FYI - VeriSign has code signing certificates on sale

Yes, but does it work? Remember, Verisign was just devoured by Symantec.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

I haven’t run the signed code yet, but the certificate chain sure looks
right.

Jan

C:\Temp\VS>\WinDDK\7600.16385.1\bin\amd64\signtool verify -v -kp SOS.dll

Verifying: SOS.dll
Hash of file (sha1): 664B9BD846DE41CBB6B057A3CF8CA9ED8E738C27

Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Tue Aug 01 16:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon May 20 16:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

Issued to: Paradigm Matrix, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Thu Sep 15 16:59:59 2011
SHA1 hash: F1A3A58A3FA13F316F27BB6BFFC35E784D90CE1D

The signature is timestamped: Wed Sep 15 18:43:00 2010
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 16:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 16:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: Thu Jun 14 16:59:59 2012
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Mon May 23 10:11:29 2016
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon May 20 16:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

Issued to: Paradigm Matrix, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Thu Sep 15 16:59:59 2011
SHA1 hash: F1A3A58A3FA13F316F27BB6BFFC35E784D90CE1D

Successfully verified: SOS.dll

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Jan Bottorff wrote:

> I haven’t run the signed code yet, but the certificate chain sure looks
> right.

It should work, but it might be dodgy from a legal perspective:

As far as I understand, technically the $99 cert is a “Level-3 Code
Signing Certificate” (usable for Authenticode and Driver signing).

However, as far as I also understand, you get the $99 rate as a
special deal to identify organizations for WinQual access.

So it might be a breach of legal terms to use it for driver signing.
I tried to ask a VeriSign employee via chat, but got no usable answer.

Any authoritative answer? Doron?

Hmmm according to the WinQual site:

https:



The link is:
https:

and leads to a page that says:



I don’t see anything that says “this is only for you to access WinQual”… It looks like a darn good deal to me. The only bad news is that it’s only good for ONE year… you can’t buy a cert that’s good for 3 years for 3 * US$99.

Peter
OSR

Hagen Patzke wrote:

> It should work, but it might be dodgy from a legal perspective:
>
> As far as I understand, technically the $99 cert is a “Level-3 Code
> Signing Certificate” (usable for Authenticode and Driver signing).
>
> However, as far as I also understand, you get the $99 rate as a
> special deal to identify organizations for WinQual access.
>
> So it might be a breach of legal terms to use it for driver signing.
> I tried to ask a VeriSign employee via chat, but got no usable answer.
>
> Any authoritative answer? Doron?

I think you are imagining problems where none exist. If VeriSign didn’t
want the $99 certificate to be used for code signing, they wouldn’t have
made it a code-signing certificate. VeriSign certainly sells
certificates that work for Winqual but do not work for code signing.

Think about it. Who is the loser here? Microsoft just wants the code
signed by someone they trust. They don’t participate in the money part,
so they don’t care what you pay. VeriSign is still getting $99 for
something that has a net cost of about 30 cents.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Looking at the actual link it is odd that using the discount code results in RED LETTERING stating:

Promotion: VeriSign Organizational Certificate Digital ID Promotion for Microsoft - 1 year for $99!

If it really is still usable for code signing, that is a strange red warning to flash on the screen. Or on the other hand does it insinuate one can purchase organizational certificates generically and use them for code signing?

My company previously had a VeriSign organizational certificate for WHQL,
and you could not use it for code signing; the certificate chained to the
wrong root. The new current $99 deal is a real code signing certificate,
also I assume usable for WHQL submissions. I haven’t run code signed with
the new certificate yet, but the certificate chain looks totally correct for
kernel code signing, and signtool says the signature is valid using the
kernel policy. I think the VeriSign website text needs updating.

Jan

That’s promising, though for completeness it would be interesting to hear the results of attempting to load such a signed driver on 64-bit Windows.

C’mon… Look just above that line where it says:

It’s like any introductory deal, people… get the Verisign cert for one year for $99. Once you have it, renew for 3 years for something like $1200.

If you don’t WANT to take the deal, you can leave OFF the discount code and buy the exact same certificate for full price. OSR’s Code Signing Cert is a Verisign cert, and I can assure you it works.

Peter
OSR

Tim Roberts wrote:

> VeriSign is still getting $99 for something that has a net
> cost of about 30 cents.

Marginal cost, maybe, but not net. That’s like saying MS sells Office for $599 but it costs them 30 cents to burn the DVD and put it in an envelope.

> Marginal cost, maybe, but not net.

OK, 50 cents net cost then :-P

You’re not seriously arguing that in issuing a certificate Verisign has costs analogous to those incurred by Microsoft in building a release of Office, are you? Or that the cost of a Verisign certificate is justified because of… ah… anything except that the market will apparently pay it?

I mean… it’s a freakin’ CERTIFICATE. What did it cost to have some dude run GUIDGEN to create it, even if one includes the proportional cost of the administrative overhead to process the application, track the cert through its life, and for creating a website with a FAAABULOUS customer interface?

Office PRO costs $499 – That includes 7 programs, each of which took multiple developers multiple years of effort to create… AND you get support.

A Verisign Authenticode Certificate suitable for user-mode and kernel-mode code signing costs exactly the same amount as an Office Pro license – $499.

Peter
OSR

$499? Really? They must have had a special when I bought mine … $695.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Saturday, September 18, 2010 3:05 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] FYI - VeriSign has code signing certificates on sale

> Marginal cost, maybe, but not net.

OK, 50 cents net cost then :-P

You’re not seriously arguing that in issuing a certificate Verisign has
costs analogous to those incurred by Microsoft in building a release of
Office, are you? Or that the cost of a Verisign certificate is justified
because of… ah… anything except that the market will apparently pay it?

I mean… it’s a freakin’ CERTIFICATE. What did it cost to have some dude
run GUIDGEN to create it, even if one includes the proportional cost of the
administrative overhead to process the application, track the cert through
its life, and for creating a website with a FAAABULOUS customer interface?

Office PRO costs $499 – That includes 7 programs, each of which took
multiple developers multiple years of effort to create… AND you get
support.

A Verisign Authenticode Certificate suitable for user-mode and kernel-mode
code signing costs exactly the same amount as an Office Pro license – $499.

Peter
OSR


What is the purpose of certificate expiry? Why can’t they be used forever and remove the need for time stamping, renewal processing, and recurring costs?

> > Marginal cost, maybe, but not net.
>
> OK, 50 cents net cost then :-P
>
> You’re not seriously arguing that in issuing a certificate Verisign has
> costs analogous to those incurred by Microsoft in building a release of
> Office, are you? Or that the cost of a Verisign certificate is justified
> because of… ah… anything except that the market will apparently pay it?
>
> I mean… it’s a freakin’ CERTIFICATE. What did it cost to have some dude
> run GUIDGEN to create it, even if one includes the proportional cost of
> the administrative overhead to process the application, track the cert
> through its life, and for creating a website with a FAAABULOUS customer
> interface?
>
> Office PRO costs $499 – That includes 7 programs, each of which took
> multiple developers multiple years of effort to create… AND you get
> support.
>
> A Verisign Authenticode Certificate suitable for user-mode and
> kernel-mode code signing costs exactly the same amount as an Office Pro
> license – $499.

Compare the price of Office as a retail ‘Boxed’ product and the cost of
the OEM version. Then compare the price that Microsoft sell the product
to the academic market. Don’t think for a minute that Microsoft don’t
price their products on what the market will pay either.

Also remember that a copy of Office goes out with just about every
computer sold (in our case, pretty much every computer we sell),
dwarfing VeriSign sales by several orders of magnitude.

James

> What is the purpose of certificate expiry? Why can’t they be used
> forever and remove the need for time stamping, renewal processing, and
> recurring costs?

Because if I steal your certificate and use it to sign my malware, I’ve
only got a finite time to use it. I’m not confident that all computers
actually do CRL lookups so just revoking the certificate isn’t
necessarily going to work.

There is no need to charge as much as they do, but there is a reason for
why they do it.

James
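
Added example (not written by anyone in the thread): a Python check over `signtool verify -v -kp` output for the two properties the discussion turns on, a cross chain rooted at Microsoft Code Verification Root and a signature timestamp that falls before the signing certificate expires. The sample text is constructed and trimmed from the layout Jan posted; `parse` and `findings` are hypothetical helper names.

```python
import re
from datetime import datetime

# Constructed sample: trimmed `signtool verify -v -kp` output, thread layout.
SAMPLE = """\
Signing Certificate Chain:
Issued to: Paradigm Matrix, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Thu Sep 15 16:59:59 2011
The signature is timestamped: Wed Sep 15 18:43:00 2010
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
"""
KERNEL_ROOT = "Microsoft Code Verification Root"
FMT = "%a %b %d %H:%M:%S %Y"  # date layout signtool prints

def parse(text):
    """Return ({section name: [cert dict, ...]}, signature timestamp or None)."""
    chains, section, stamp = {}, None, None
    for line in map(str.strip, text.splitlines()):
        field = re.match(r"(Issued to|Issued by|Expires):\s*(.+)", line)
        if line.endswith("Certificate Chain:"):
            section = line[:-1]
            chains[section] = []
        elif line.startswith("The signature is timestamped:"):
            stamp = datetime.strptime(line.split(":", 1)[1].strip(), FMT)
            section = None  # certs that follow belong to the timestamp chain
        elif field and section:
            if field[1] == "Issued to":
                chains[section].append({})  # each cert starts at "Issued to"
            chains[section][-1][field[1]] = field[2]
    return chains, stamp

def findings(text):
    """Reasons the output does not support a kernel-mode signature."""
    chains, stamp = parse(text)
    cross = chains.get("Cross Certificate Chain", [])
    leaf = chains["Signing Certificate Chain"][-1]  # signtool lists leaf last
    out = []
    if not cross or cross[0]["Issued to"] != KERNEL_ROOT:
        out.append("no cross chain to " + KERNEL_ROOT)
    if stamp is None:
        out.append("signature is not timestamped")
    elif stamp > datetime.strptime(leaf["Expires"], FMT):
        out.append("timestamped after the signing certificate expired")
    return out
```

An empty list from `findings(SAMPLE)` corresponds to what Jan reported: the chain reaches the kernel root and the timestamp predates the certificate's expiry.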