Can anyone recommend a source for an inexpensive personal code-signing certificate, suitable for Windows requirements?
I’m looking for something free, or under $100.00.
Certum has what they call an Open Source certificate that is free, but I don’t know if it meets the Windows requirements or not. I’m in the process of obtaining one from them, and I’ll update this post to let you know if it works. Anyone have success or failure with this certificate already?
In case the Certum certificate isn’t valid for Windows signing, I’d like to know where else to go.
BTW, if this question has been raised before, please post a link to it.
Can anyone recommend a source for an inexpensive personal code-signing
certificate, suitable for Windows requirements?
I’m looking for something free, or under $100.00.
Certum has what they call an Open Source certificate that is free, but I don’t
know if it meets the Windows requirements or not. I’m in the process of
obtaining one from them, and I’ll update this post to let you know if it works.
Anyone have success or failure with this certificate already?
In case the Certum certificate isn’t valid for Windows signing, I’d like to know
where else to go.
BTW, if this question has been raised before, please post a link to it.
Cheapest I’ve seen is StartSSL’s code signing certificates which say they work with windows drivers, but I haven’t actually tried them. USD$199 but they have a charging model that is a little bit different to others so it might end up being a little bit more. I’ve used their free https certs and they deliver what they promise.
Please do post back when you have tested the Certum certificate! I just checked their websites and they list “OpenSource Code Signing” and “Microsoft Code Signing” separately (with availability of cross certificates explicitly listed under the latter). I’m guessing that their OpenSource root is different and won’t have an ms cross certificate available.
Can anyone recommend a source for an inexpensive personal code-signing certificate, suitable for Windows requirements?
I’m looking for something free, or under $100.00.
Certum has what they call an Open Source certificate that is free, but I don’t know if it meets the Windows requirements or not. I’m in the process of obtaining one from them, and I’ll update this post to let you know if it works. Anyone have success or failure with this certificate already?
xxxxx@pdsys.biz wrote:
> Can anyone recommend a source for an inexpensive personal code-signing
certificate, suitable for Windows requirements?
>
> I’m looking for something free, or under $100.00.
>
> Certum has what they call an Open Source certificate that is free, but I
don’t know if it meets the Windows requirements or not. I’m in the process
of obtaining one from them, and I’ll update this post to let you know if it
works. Anyone have success or failure with this certificate already?
For sure. Issuing a certificate to an organisation without doing the legwork to establish their identity is the wrong way to do it, and the legwork costs money. It’s already easy and cheap enough for malware authors to get a certificate, we don’t want it easy and cheap enough for them to get thousands.
Whatever the reason for it, code signing has been a big joke hasn’t it? All it has done for us is create confusion, incur unnecessary cost, waste time, and erode time to market. A truly lose-lose situation for developers and customers alike neither of which gained any benefits at all compared to the old days.
One common example we need to deal with is always amusing when we bring up the code signing issue with a company which wishes to have a driver produced by us. In every case so far, they decide to leave ours slapped on it so they don’t have to bother with it. They see it for what it is–a waste of their time better off spent elsewhere. So in many cases you have an OEM that makes the hardware, a VAR that ships it, and packaged with a 3rd party consultants signing certificate. What does this all mean to the end user? Absolutely nothing of course. A recent usability study showed code signing popups are seen as a barrier between the user and what they need to get done and they quickly click through it without even reading it. I imagine a few old fogies here will get in a huff about this, but this is the reality in the real world. I just wish Microsoft could accept it has been a failure and relax this ridiculous task.
Actually by doing that you are leaving your firm open to lawsuits. I
guess I’m one of the old fogies even though I complained about them
being a pain in the ass, I think the principal is correct.
> Whatever the reason for it, code signing has been a big joke hasn’t it? All it has done for us is create confusion, incur unnecessary cost, waste time, and erode time to market. A truly lose-lose situation for developers and customers alike neither of which gained any benefits at all compared to the old days. > > One common example we need to deal with is always amusing when we bring up the code signing issue with a company which wishes to have a driver produced by us. In every case so far, they decide to leave ours slapped on it so they don’t have to bother with it. They see it for what it is–a waste of their time better off spent elsewhere. So in many cases you have an OEM that makes the hardware, a VAR that ships it, and packaged with a 3rd party consultants signing certificate. What does this all mean to the end user? Absolutely nothing of course. A recent usability study showed code signing popups are seen as a barrier between the user and what they need to get done and they quickly click through it without even reading it. I imagine a few old fogies here will get in a huff about this, but this is the reality in the real world. I just wish Microsoft could accept it has been a failure and relax this ridiculous task.
I prefer Geezer because it rhymes with Weezer which is at least a good band.
I also don’t quite see how acquiring a Code Signing Certificate and using it
to sign binaries and packages is all that big a deal.
And users that blindly click-through are not the use-case. Clearly they do
not care about establishing trust. Consumers [on average] will always be
under-informed, in a hurry, and click-through. Heck, you know anyone who
has read an entire mortgage documentation set before they signed it?
(besides, you, me, and probably a fair number of folks on this list; hardly
a sampling of society at large). How about the iTunes license? Or the
MSDN license? The user click-through escape is the admission that the
system is not going to apply everywhere.
Managed systems where the users are not given the option to ignore
unverified trust but are given the operational lee-way to install arbitrary
software just so long as it can be verified as trusted, that is the
use-case.
Kernel Mode Code Signing Policy comes to mind as a generally good thing. I
don’t want my OS to load un-trust-verified code into KM.
But I don’t disagree with your sentiment completely. I just don’t think
declaring it a failure and going back to MS/DOS era non-rules make any sense
at all.
> Actually by doing that you are leaving your firm open to lawsuits
I think this is exactly the point but I would perhaps state it as not
diminishing the likelihood of a suit being brought but one of being able to
offer proof that the code involved is (or is not) “authentic” and thus
aiding in diminishing the length and impact of a suit.
> In every case so far, they decide to leave ours slapped on it so they
don’t have to bother with it.
As a ‘driver author’ I don’t have a Code Signing Certificate. All of my
past customers were not given any choice in the production agreement
regarding this point. They got source code from me, a build procedure, a
test plan, maintenance assistance, WHQL signing assistance, even assistance
acquiring a certifice! But they assumed the legal responsibilities of
putting that driver and associated system into the world, selling it, etc.
and they signed it with *their* certificate if they wanted to sell it.
It suddenly does not measure as so much a PITA when it is necessary instead
of optional.
This is among the silliest sentences that have been posted to NTDEV in weeks.
Properly signing a kernel mode executable and its associated package takes no more than one minute. Acquiring the appropriate cert from Versign takes about 2 minutes of paperwork, a one day wait, and then another 2 minutes to install the issued cert.
The additional cost is marginal and represents an insignificant percentage of the cost to develop a driver, never mind the cost to develop and bring to market the hardware the driver controls.
Your mistake here is in signing that driver in the first place. Unless you intend to place that driver in the market, you shouldn’t. At OSR, we write drivers for IHVs, OEMs, and software firms all the time. We *do not* sign the kernel mode modules we produce for them.
Well, it doesn’t help that your willing subverting the process, does it. But at least the user know the driver package was created by an actual company, as opposed to somebody other than a 16 year old living in their parent’s basement. They also know that the driver package created by that semi-reputable company has been unchanged from the time it was produced. These are both useful things to know.
Do you really not get it? OK, let me explain it to you then, in case you’re not simply being deliberately provocative: ALL kernel mode code signing does is unambiguously identify the origin of the driver. It does little more than that. It also has the POTENTIAL that if malware is found that has been signed by a given certificate, that certificate can be revoked and the malware will be prevented from loading. Note I say “potential” here… I don’t expect this could practically happen except in the most extreme case.
I don’t THINK this has anything to do with being old or being young. The architect at Microsoft responsible for kernel-mode code signing is a pretty young guy, if you must know.
What you don’t seem to understand is that there is a large number of items that one needs to do to bring a hardware product to market. They all cost something. For most devices, one of these is writing a driver. For many pieces of hardware, the IHV would rather not have to write a driver at all… it’s “silly” and it inreases their costs and time to market unnecessarily. There are lots of similar requisites: CE marking, fcc compliance testing, ROHS certifications, WHQL testing. I’m sure there are several I’m forgetting. It’s a long list. For you to single out kernel mode code signing – one of the simplest, shortest, and least costly of all those steps – from among this loooong list of requisites and say it, above anything else, “incur[s] unnecessary cost, waste[s] time, and erode[s] time to market” is laughable. The time and cost of signing a driver executable is nothing in comparison to the time and cost of getting even just FCC certification for a device.
By the way what is the publisher name on your code certificate? If you
have this attitude on the cert, I definitely don’t want to ever load
code from you on my system. I suspect it is unlikely since if I buy a
package marketed by Vendor A and Vendor X shows up with the code signing
certificate, I take that as flag. But just to be sure I put it in my
CRAP FILTER what is the name.
> Whatever the reason for it, code signing has been a big joke hasn’t it? All it has done for us is create confusion, incur unnecessary cost, waste time, and erode time to market. A truly lose-lose situation for developers and customers alike neither of which gained any benefits at all compared to the old days. > > One common example we need to deal with is always amusing when we bring up the code signing issue with a company which wishes to have a driver produced by us. In every case so far, they decide to leave ours slapped on it so they don’t have to bother with it. They see it for what it is–a waste of their time better off spent elsewhere. So in many cases you have an OEM that makes the hardware, a VAR that ships it, and packaged with a 3rd party consultants signing certificate. What does this all mean to the end user? Absolutely nothing of course. A recent usability study showed code signing popups are seen as a barrier between the user and what they need to get done and they quickly click through it without even reading it. I imagine a few old fogies here will get in a huff about this, but this is the reality in the real world. I just wish Microsoft could accept it has been a failure and relax this ridiculous task.
Haven’t we also been here before, via the same member, who was all pissed
off that he had to pay for a certificate?
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Friday, January 11, 2013 2:23 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Where can I get a free (or cheap) code-signing
certificate?
This is among the silliest sentences that have been posted to NTDEV in
weeks.
Properly signing a kernel mode executable and its associated package takes
no more than one minute. Acquiring the appropriate cert from Versign takes
about 2 minutes of paperwork, a one day wait, and then another 2 minutes to
install the issued cert.
The additional cost is marginal and represents an insignificant percentage
of the cost to develop a driver, never mind the cost to develop and bring to
market the hardware the driver controls.
Your mistake here is in signing that driver in the first place. Unless you
intend to place that driver in the market, you shouldn’t. At OSR, we write
drivers for IHVs, OEMs, and software firms all the time. We *do not* sign
the kernel mode modules we produce for them.
Well, it doesn’t help that your willing subverting the process, does it.
But at least the user know the driver package was created by an actual
company, as opposed to somebody other than a 16 year old living in their
parent’s basement. They also know that the driver package created by that
semi-reputable company has been unchanged from the time it was produced.
These are both useful things to know.
Do you really not get it? OK, let me explain it to you then, in case you’re
not simply being deliberately provocative: ALL kernel mode code signing
does is unambiguously identify the origin of the driver. It does little
more than that. It also has the POTENTIAL that if malware is found that has
been signed by a given certificate, that certificate can be revoked and the
malware will be prevented from loading. Note I say “potential” here… I
don’t expect this could practically happen except in the most extreme case.
[quote]
I imagine a few old fogies here will get in a huff about this, but this is
the reality in the real world [/quote]
I don’t THINK this has anything to do with being old or being young. The
architect at Microsoft responsible for kernel-mode code signing is a pretty
young guy, if you must know.
What you don’t seem to understand is that there is a large number of items
that one needs to do to bring a hardware product to market. They all cost
something. For most devices, one of these is writing a driver. For many
pieces of hardware, the IHV would rather not have to write a driver at
all… it’s “silly” and it inreases their costs and time to market
unnecessarily. There are lots of similar requisites: CE marking, fcc
compliance testing, ROHS certifications, WHQL testing. I’m sure there are
several I’m forgetting. It’s a long list. For you to single out kernel
mode code signing – one of the simplest, shortest, and least costly of all
those steps – from among this loooong list of requisites and say it, above
anything else, “incur[s] unnecessary cost, waste[s] time, and erode[s] time
to market” is laughable. The time and cost of signing a driver executable
is nothing in comparison to the time and cost of getting even just FCC
certification for a device.
Planting a virus, Trojan on my computer without my consent but with the
intention to damage my computer, or steal my information is a federal
felony. It’s also crime punishable in some states. I have reported some
incidents to the FBI cyber crime unit although it gets nowhere.
As for law suit, I thought most EULA will say, hey by clicking “Accept”,
you agree not to go after me even your computer explode as a result of
using the software. I don’t know how it works out in real life though.
Calvin Guan
Sent from my PC on WIN8
On Fri, Jan 11, 2013 at 9:24 AM, Tim Roberts wrote:
> Calvin Guan (news) wrote: > > > > It’s already easy and cheap enough for malware authors to get a > > certificate, we don’t want it easy and cheap enough for them to > > get thousands. > > > > > > I thought the idea of code cert is that the person can be tracked down > > hence FBI can arrest him. > > No, writing dumb code is not a crime (at least not yet), so the FBI > wouldn’t be involved. It is so the person can be tracked down so he can > be sued. > > – > Tim Roberts, xxxxx@probo.com > Providenza & Boekelheide, Inc. > > > — > NTDEV is sponsored by OSR > > OSR is HIRING!! See http://www.osr.com/careers > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
Planting a virus, Trojan on my computer without my consent but with the
intention to damage my computer, or steal my information is a federal
felony. It’s also crime punishable in some states. I have reported some
incidents to the FBI cyber crime unit although it gets nowhere.
As for law suit, I thought most EULA will say, hey by clicking “Accept”, you
agree not to go after me even your computer explode as a result of using the
software. I don’t know how it works out in real life though.
Laws vary by country, but in general it is not possible to make someone sign away their statutory rights and such a contract can be considered void. You’ll find that most warranty sheets that come with products will state their clauses and then “… except where the law in your area says different”. It doesn’t stop people trying to take your rights away though.