Where can I get a free (or cheap) code-signing certificate?

The Certum Open Source Code Signing certificate is NOT acceptable for Microsoft. This is according to a reply to an e-mail that I sent to Certum about this question.
So that leaves me looking for the least expensive Microsoft valid cert, and I’d like to hear from anyone who can give me a supplier and their price.

I have philosophical issues about whether a certificate needs to be so expensive, and someday I’ll start a new thread for that discussion. This current thread has become mostly a discussion about why the code signing mechanism is the way it is, and the pros and cons. I at least understand why Microsoft wants somebody to do the legwork to verify the identity of the signer.

xxxxx@pdsys.biz wrote:

The Certum Open Source Code Signing certificate is NOT acceptable for Microsoft. This is according to a reply to an e-mail that I sent to Certum about this question.
So that leaves me looking for the least expensive Microsoft valid cert, and I’d like to hear from anyone who can give me a supplier and their price.

Couldn’t you have Googled this just as easily as the rest of us?

Verisign (now Symantec) wants an incredible $450 per year. GlobalSign
wants $100 per year for an individual, $190 per year for a business.
GoDaddy wants $170 per year.

Note that IF you intend to file with WHQL, you MUST have a certificate
from Verisign. No other vendor is acceptable. That certificate doesn’t
have to be a code-signing certificate (so their $99 cert will work).

I have philosophical issues about whether a certificate needs to be so expensive, and someday I’ll start a new thread for that discussion.

Supply and demand. These companies are incurring a legal liability, in
which they attest that you are who you say you are. That liability has
a cost.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

There certainly are no FREE code signing certificates. You often can get one for $99 from Verisign if you use a discount code often available from Microsoft. I don’t know the current status of that discount program. To me, $99 is not expensive, about the same as you pay Apple to be a developer which includes a code signing certificate. If you plan on doing WHQL certification, last I knew, you were required to have a Verisign certificate, which was valid for code signing too.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@pdsys.biz
Sent: Monday, January 14, 2013 12:09 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Where can I get a free (or cheap) code-signing certificate?


I presume you looked at both Thawte and VeriSign, and rejected those because of the price? For a certificate that is accepted by Microsoft, I believe Thawte is about the cheapest out there.

Gary Little
xxxxx@comcast.net
C 952-454-4629
H 952-223-1349
Tain’t what you want that makes you fat, it’s what you get.

On Jan 14, 2013, at 2:08 PM, xxxxx@pdsys.biz wrote:



People trust software based on where they get it, not what it says it is. This was validated when Don Burn of all people on this very forum recommended that we install a particular unsigned driver on our systems. He apparently felt his own simple recommendation in that instance was of higher importance than the presence of a signed driver. Case closed.

Peter says getting the paperwork is easy. In fact it is easier than many may realize. There are services in the US that create all the necessary company documents you need to get a signing certificate. You pay them a small sum of money, give them any address where you wish your company address to be “located”, give them an arbitrary company name and presto you get everything you need. Anyone who thinks “tracking down” someone through KMCS is somehow easier now must not be aware of this.

Hey, if those two simple paragraphs aren’t enough convincing evidence that driver signing is a joke, someone tell me.


I was of the same opinion. Then someone pointed out that it might be driven by the recording industry who want to make sure that the “digital hole” is closed because now nobody can possibly load an unauthorised driver. That’s just as much of a joke, for all the reasons you mention above, but at least you can appreciate that the recording industry is now in a happy place with their false sense of security and the reason for the existence of KMCS makes sense in terms of $$$.

Or at least it makes more sense than Microsoft doing it to try and stop malware or something.

James

wrote in message news:xxxxx@ntdev…
>This was validated when Don Burn of all people on this very forum
>recommended that we install a particular unsigned driver on our systems.

Can you explain what installing that driver is good for if it won’t even
load without a signature ?

Let’s suppose you are right, anyone without a passport can register for a
company in the US and the FBI has no clue how to track down malicious
companies and individuals. Still, after the malware has been discovered, the
malicious entity will have its certificate revoked and soon my system is
updated with the new revocation list so it will not run on my system.

So while this is a great anti malware feature, code signing also gives you a
very reasonable guarantee that your own driver has not been tampered with.
That is very valuable.

While I initially viewed KMCS as nothing but a necessary evil, I have come
to appreciate its features very much over time. We should have a system like
this for application code as well, signature required. And it exists, but it’s a
policy that’s unfortunately disabled by default.

//Daniel

xxxxx@gmail.com wrote:

Peter says getting the paperwork is easy. In fact it is easier than many may realize. There are services in the US that create all the necessary company documents you need to get a signing certificate. You pay them a small sum of money, give them any address where you wish your company address to be “located”, give them an arbitrary company name and presto you get everything you need. Anyone who thinks “tracking down” someone through KMCS is somehow easier now must not be aware of this.

Hey, if those two simple paragraphs aren’t enough convincing evidence that driver signing is a joke, someone tell me.

Just because shoplifting is easy does not mean the laws against
shoplifting are a joke. What you’re describing violates a number of legal
agreements. Possible, yes. Legal, no. I guess it’s up to you to
decide whether that makes shoplifting OK.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

For the record, I never advocate doing anything illegal so your response about shoplifting is quite bizarre. I don’t know what the goals of driver signing are. I don’t know why Microsoft decided to force everyone to do it. There is a big difference between mandatory and optional. I have received no benefits by signing my drivers. All feedback indicates neither have our customers. It’s been a useless waste of time and money.

And by the way, cert revocation turned out to be a joke. There were several cases in which hackers were able to get certs issued to them with Microsoft’s name on them. Do you think Microsoft simply added these to the revocation list and went merrily on its way? Nope. They physically patched Windows to guard against these. That tells you something right there.
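Two claims in this thread can be checked on a machine rather than argued: Daniel’s point that a signature lets you detect tampering with your own driver, and the point above that Microsoft distrusts rogue certificates by pushing them into Windows rather than relying on a CRL. The script below is an added example, not code from the thread; it audits the Authenticode signature of each driver file and reports hash mismatches (tampering), unsigned files, and signers whose certificate sits in the machine’s Disallowed store. The directory path and the function name are my assumptions.

```powershell
# Added example, not from the thread. Audits kernel driver files and flags:
#   Tampered         - file content no longer matches its signature (HashMismatch)
#   Unsigned         - no Authenticode signature at all
#   SignerDistrusted - signature verifies, but the signer certificate has been
#                      pushed into the machine's Disallowed (Untrusted) store
# Assumption: $driverDir is the directory you want to audit.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Thumbprints of certificates this machine explicitly distrusts.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    ForEach-Object { $_.Thumbprint }

function Get-DriverSignatureReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $finding = switch ($sig.Status) {
            'Valid' {
                if ($cert -and ($disallowed -contains $cert.Thumbprint)) { 'SignerDistrusted' }
                else { 'OK' }
            }
            'HashMismatch' { 'Tampered' }   # modified after it was signed
            'NotSigned'    { 'Unsigned' }
            default        { "Check:$($sig.Status)" }  # e.g. NotTrusted, UnknownError
        }
        [pscustomobject]@{
            File    = $_.Name
            Status  = $sig.Status
            Finding = $finding
            Signer  = if ($cert) { $cert.Subject } else { '' }
            Expires = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

# Show only files that need attention.
Get-DriverSignatureReport -Path $driverDir |
    Where-Object { $_.Finding -ne 'OK' } |
    Sort-Object Finding, File |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every driver file is readable; a clean system should produce an empty table.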