WARNING: if you are getting your code signing certificate from VeriSign or Thawte, DO NOT use a Windows Vista or Win7 computer to request the certificate. If you do, the private key is created non-exportable, so you will not be able to sign code on any other computer and you will not be able to back up your certificate. If this has already happened to you, Thawte will give you a free reissue (thanks, Thawte!); see https://www.thawte.com/ssl-digital-certificates/technical-support/ and make sure you do not use a Vista or Win7 computer for the reissue either. [Added 7/13/2008]
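The way around the warning above is to not let the CA's browser enrollment page generate the key pair at all: generate it yourself with an explicit exportable flag, submit a PKCS#10 CSR, and verify exportability before you trust the result. The script below is an added example, not code from the original post or from any of the CAs discussed. It assumes the CA accepts a pasted CSR; the subject name, file names and the `Test-PrivateKeyExportable` helper are placeholders and are not part of any CA's documented procedure.

```powershell
# Added example (not from the original post). Generate the code-signing key pair with
# certreq and Exportable = TRUE, then prove the key can be backed up.
# Assumptions: the CA accepts a PKCS#10 CSR; subject and file names are hypothetical.
$ErrorActionPreference = 'Stop'

# certreq request template. KeySpec 2 = AT_SIGNATURE, KeyUsage 0x80 = digitalSignature,
# EKU 1.3.6.1.5.5.7.3.3 = Code Signing. "Exportable = TRUE" is the line that matters.
$inf = @'
[NewRequest]
Subject = "CN=Example Software Inc, O=Example Software Inc, L=Seattle, S=WA, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
KeySpec = 2
KeyUsage = 0x80
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3
'@
Set-Content -Path .\codesign.inf -Value $inf -Encoding Ascii

# 1. Create the key pair in the current user's store and write the CSR to paste into the CA's order form.
certreq -new .\codesign.inf .\codesign.csr
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 2. When the CA sends back the issued certificate (issued.cer), bind it to the key that made the request.
certreq -accept .\issued.cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

function Test-PrivateKeyExportable {
    # Hypothetical helper: returns $true only if Windows will let the private key leave this machine.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    # Legacy CSP keys (what the INF above requests) expose CspKeyContainerInfo; CNG keys expose an export policy.
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.Exportable
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    }
    return $false
}

# 3. Find the issued cert and back it up now, before the only machine holding the key is gone.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -like 'CN=Example Software Inc*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued code-signing certificate not found in Cert:\CurrentUser\My' }
if (-not (Test-PrivateKeyExportable -Cert $cert)) {
    throw 'Private key is not exportable; ask the CA for a reissue rather than living with a single-machine key'
}
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'
Export-PfxCertificate -Cert $cert -FilePath .\codesign-backup.pfx -Password $pfxPassword
```

`Export-PfxCertificate` comes with the PKI module (Windows 8 and later); on older systems `certutil -p <password> -user -exportPFX My <serial-or-thumbprint> codesign-backup.pfx` does the same job. Either way, the check in step 3 is the point: a key that fails it cannot be backed up, no matter which CA issued the certificate.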
Code signing certificates are expensive. VeriSign charges about $495/year. We've had a VeriSign certificate since 2001, originally because ActiveX controls must be signed to be distributed easily. Today, the Windows Vista Logo Requirements require that your installer, your EXEs, and all of your DLLs be signed with a code signing certificate.
This year I tried to find a cheaper solution than VeriSign. I thought I'd share my results.
VeriSign
VeriSign is arguably the King of Code Signing Certificates. They've established a strong brand, they are widely recognized by consumers, and their certificates are universally recognized. I have two frustrations with VeriSign. First, they use PVK files, which are aggravating to deal with, as I describe in an earlier blog entry.
Second, something breaks every other time we renew. The first time was when they started issuing their code signing certs from an intermediate certificate instead of directly from a root cert; a signature only verifies if the verifying machine can obtain that intermediate (embedded in the signature or installed locally), and that caused us all sorts of problems. For a later renewal VeriSign suddenly decided that they couldn't support punctuation in the name, which meant that putting a comma before "Inc" was problematic. We had to change the company name in our build process, create a new cert from scratch instead of getting a renewal, and deal with other problems.
When you are charging your customers that much money, you shouldn't be causing them this many problems.
Thawte
Thawte is about half the price of VeriSign. They appear to have equivalent compatibility (all the way back to Windows 95) but they don't have the brand recognition. VeriSign now owns Thawte and continues to sell Thawte certs for half the price of VeriSign certs. It makes no sense to me.
Note that Thawte uses the VeriSign timestamping URL.
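The timestamping URL matters because of what a timestamp does: a signature that carries a timestamp countersignature keeps verifying after the signing certificate expires, while one without it stops verifying the day the certificate does. The script below is an added example, not code from the original post. It assumes `signtool.exe` from the Windows SDK is on the PATH and that the certificate (with its private key) is in the current user's store; the timestamp URL and build directory are placeholders, since the post does not give the VeriSign URL, and `Invoke-SignWithTimestamp` and `Test-TimestampedSignature` are hypothetical helper names.

```powershell
# Added example (not from the original post). Sign every build artifact with a timestamp
# countersignature, retrying the flaky part, then refuse to ship anything that is signed but
# not timestamped. Assumes signtool.exe is on PATH; URL and paths are placeholders.
$ErrorActionPreference = 'Stop'

$timestampUrl = 'http://timestamp.example-ca.test/'   # placeholder: your CA's timestamp service URL
$buildDir     = '.\build\Release'                      # placeholder build output directory

function Invoke-SignWithTimestamp {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$TimestampUrl,
        [int]$Retries = 3
    )
    for ($attempt = 1; $attempt -le $Retries; $attempt++) {
        # /sha1 selects the certificate from the user's store, so no PFX password goes on the command line.
        # /t requests an Authenticode-style timestamp; for an RFC 3161 service use "/tr <url> /td sha256" instead.
        & signtool.exe sign /sha1 $Thumbprint /fd sha256 /t $TimestampUrl /v $Path
        if ($LASTEXITCODE -eq 0) { return }
        Write-Warning "signtool failed on $Path (attempt $attempt of $Retries); the timestamp server is usually the culprit"
        Start-Sleep -Seconds (5 * $attempt)
    }
    throw "Signing $Path failed after $Retries attempts"
}

function Test-TimestampedSignature {
    # Hypothetical helper: $true only if the signature is valid AND carries a timestamp countersignature.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # No TimeStamperCertificate means the "signature expires with the cert" case; treat it as a build failure.
    return ($sig.Status -eq 'Valid' -and $null -ne $sig.TimeStamperCertificate)
}

$thumbprint = (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
               Where-Object HasPrivateKey | Sort-Object NotAfter -Descending |
               Select-Object -First 1).Thumbprint
if (-not $thumbprint) { throw 'No code-signing certificate with a private key in Cert:\CurrentUser\My' }

$artifacts = Get-ChildItem -Path $buildDir -Recurse -Include *.exe, *.dll, *.msi
foreach ($file in $artifacts) {
    Invoke-SignWithTimestamp -Path $file.FullName -Thumbprint $thumbprint -TimestampUrl $timestampUrl
    if (-not (Test-TimestampedSignature -Path $file.FullName)) {
        throw "$($file.Name) is signed but not timestamped; do not ship it"
    }
}
```

Each artifact costs one timestamp, which is why a per-release component count multiplied by release frequency is the number to compare against any CA's timestamp quota. `signtool verify /pa /v <file>` shows the same information interactively, including the timestamp, if you prefer the SDK tool to `Get-AuthenticodeSignature`.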
GlobalSign
GlobalSign also has compatibility going back to Windows 95, but I would not use them. GlobalSign limits you to 50 timestamps per year. Since we timestamp about 12 components every time we do a release build, we go through thousands of timestamps every year. Timestamps are critical for a commercial product (without one, a signature stops verifying once the certificate expires), so I would not consider buying a certificate from GlobalSign.
Comodo
Comodo is the preferred "cheap solution." Both John Robbins and Keith Brown have blogged about this company. A concern with Comodo certificates is that they don't work under Win9x unless the user has installed the Root Certificate Update, because Comodo's root is not in the original Win9x root store. Since that update is an "optional" component under Windows Update, it's rare for unsophisticated users to install it. Therefore, if your application supports Windows 9x, I recommend you skip Comodo.
Conclusion
Here's my opinion if your audience is largely English speaking:
- Internal use application - use your company's root certificate if you have one, otherwise use Comodo.
- Commercial software application - buy VeriSign if you have a premium brand, otherwise buy Thawte.
- Hobby or shareware developer - buy Comodo unless you need to support Win9x, in which case buy Thawte.
- If you are using Visual Studio 2008 or later, Win9x isn't supported, so you might as well use Comodo.
- If you buy your Comodo certificate through Tucows, the price goes down to $75/year or less!
- To join WinQual (required for Microsoft Partner status), you must have a VeriSign certificate. However, you don't have to spend $495: you can get a one-year code signing certificate from VeriSign for $99. This offer is only valid for one-year certificates; if you choose two or three years, the price goes back up to normal. At the end of that year, switch to Comodo.
- Comodo does not try calling the registered phone number. Thawte does.
- Comodo requires that the WHOIS registrant for the company domain have the same postal address as the company paperwork (such as the DUNS listing). If necessary, you can change your WHOIS listing until the cert is approved, then change it back. Changing only the Administrative or Technical contact is not sufficient.
- This article does not apply to code signing for device drivers.
Thanks. I want folks to feel comfortable using my software.
I hope this is the Comodo you were talking about
http://www.instantssl.com/code-signing/
Hi Jim,
Thanks for the interesting blog. We've recently renewed our VeriSign cert after switching to Vista, and found that VeriSign actually doesn't issue the old PVK/SPC key file formats if you use a Vista machine to request a cert from their site. Instead, the cert got added to the personal certificate store in my browser - just the way Vista likes it, and I've managed to sign our new releases using the SDK update for Vista: http://www.microsoft.com/downloads/details.aspx?FamilyID=4377F86D-C913-4B5C-B87E-EF72E5B4E065&displaylang=en
Worked fine.
Cheers,
Stephane
Even cheaper (read: for free) would be to request a certificate from CAcert.org. Only problem there is that users need to install their root certificate to verify the signed code. This becomes a problem on mobile devices, since they only rarely allow larger certs than 1024 bit.
Kim,
Other than hobbyists, I'm not sure what the target audience would be for a situation where users need to install a new root certificate. For our product, we have tens of thousands of customers, most of whom are very naive users. If they had to install a certificate to make use of our product, we wouldn't be in business very long.
So true.
CAcert are working hard to have their root cert spread and default installed, but without heaps of money to back it up it takes a long time.
Stephane,
I just renewed with Thawte and my experience mirrored yours. Unfortunately, there's a BIG problem with creating certificates under Windows Vista - it's impossible to export the private key on a Vista computer. This means that you will be forced to use that particular computer to sign your code. It's not possible to move that certificate's private key to any other computer, nor is it possible to back up the private key. The lesson is: don't use Vista to request ANY kind of certificate. You'll regret it.
(The only exception is Comodo, which allows you to mark private keys as exportable, but only if you follow special instructions.)
Hi Jim
Then you're "lucky".
I still haven't managed to request/install a single certificate from Thawte on my Vista Business laptop. I always have to request them on my XP-system at work and then export them and bring them home.
Certificates like Comodo and CAcert are utterly useless for kernel mode components that require a Microsoft cross signature.
"use your company's root certificate if you have one"
Please explain what is meant by your above remark.
Example: I have a SSL certificate for next to nothing on my website. I am assuming that is NOT what you mean.
How does one get a really cheap "company root certificate"?
Do certificates have some form of indicating their type? i.e., how is a "code signing certificate" the same as/different from other certificates?
If I use Google:
cheap ssl certificates
I get (today, 2009-12-10) for example http://www.cheapssls.com/
for US$9.95 ... that's a lot less than $80.
Regards,
Gerry (Lowry)
A code signing certificate is different from an SSL certificate. They are not interchangeable (the allowed usages of a cert are built into the cert.)
When I say "company root certificate," I mean that software that is for internal usage only can be signed with the company's internal certificate. In general, only large companies would have such a thing because the domain infrastructure must exist to distribute such certificates. It's not useful for distributing software to the public.
For doing development on your own computer or for a very small group, you can always create a self-signed certificate and add it to your cert store in Windows. Again though, this is useless for distributing software.
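Where the "type" of a certificate lives, for the question above about how a code signing certificate differs from an SSL certificate: in the Enhanced Key Usage (EKU) extension, which names the purposes the issuer permits. The script below is an added example, not code from the original post. It creates the kind of self-signed, development-only certificate the reply above describes and checks its EKU against one issued for a web server; it needs the PKI module's `New-SelfSignedCertificate` (Windows 10 / Server 2016 or later), and the subject names, DNS name and the `Get-EnhancedKeyUsageOids` / `Test-CodeSigningCertificate` helpers are hypothetical.

```powershell
# Added example (not from the original post). Read the EKU extension to tell a code-signing
# certificate from an SSL one, using a self-signed dev cert as the test subject.
# Assumes the PKI module (Windows 10 or later); names are placeholders.
$ErrorActionPreference = 'Stop'

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, what a cheap SSL certificate carries

function Get-EnhancedKeyUsageOids {
    # Hypothetical helper: the OID strings in the certificate's EKU extension, or an empty array if it has none.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
           Select-Object -First 1
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-CodeSigningCertificate {
    # Hypothetical helper: $true only if the issuer explicitly allowed code signing.
    # A certificate with no EKU at all is deliberately treated as "not a code-signing cert" here.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    return ((Get-EnhancedKeyUsageOids -Cert $Cert) -contains $CodeSigningOid)
}

# Development-only certificate: self-signed, so nobody but this machine will trust it.
$dev = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Dev Code Signing (hypothetical)' `
        -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -KeyLength 2048 `
        -HashAlgorithm sha256 -NotAfter (Get-Date).AddYears(1)

# A server certificate for comparison; -Type defaults to SSLServerAuthentication.
$ssl = New-SelfSignedCertificate -DnsName 'www.example.test' -CertStoreLocation Cert:\CurrentUser\My

foreach ($c in @($dev, $ssl)) {
    $oids = Get-EnhancedKeyUsageOids -Cert $c
    [pscustomobject]@{
        Subject     = $c.Subject
        EKU         = ($oids -join ', ')
        CodeSigning = Test-CodeSigningCertificate -Cert $c
        ServerAuth  = ($oids -contains $ServerAuthOid)
    }
}

# To make signatures from $dev verify as trusted on THIS machine only, trust its public half as a root.
# This step is exactly why a self-signed cert is useless for distribution: every user would have to do it.
Export-Certificate -Cert $dev -FilePath .\dev-codesign.cer | Out-Null
Import-Certificate -FilePath .\dev-codesign.cer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
```

The dev certificate reports only 1.3.6.1.5.5.7.3.3 and passes the check; the server certificate reports 1.3.6.1.5.5.7.3.1 and fails it, which is the same test `signtool` and `Get-AuthenticodeSignature` apply when they refuse to treat an SSL certificate as a signing certificate. Price has nothing to do with it: the CA prices the vetting and the purpose, not the bits.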
Yet more problems to add to the list to Vista!
I've been using Thawte certificates for around 4 years now and find their installation procedure much simpler than I remember the VeriSign process was. The SSLs are crucial for success for us so we need to keep downtime down and our site up all the time!
My clients were experiencing problems with Thawte regarding their telephone connection on name; they certainly require a telephone line to be registered in the company name. I recommend Comodo as well for simple verification and instant issue.
I can't find any mention of the 50-per-year limit on timestamps with GlobalSign. The link in the article seems to redirect to a boring index page. Perhaps GS have changed their policy in the last two years. Certainly it seems absurd to have such a limit, since anything signed without a timestamp will "expire" on the customer's machine and there is nothing they can do about it. A certificate without a timestamping service is unfit for purpose.
The "50-per-year" limit seems to have been raised to "50-per-month", and they've now put it in the contract: http://www.globalsign.com/repository/GlobalSign_ObjectSign_SA_v1.5.pdf
This is still a ridiculous restriction. I stand by my recommendation to avoid this company.
@Jim: Why not use a Globalsign Cert with a Verisign or Comodo timestamping URL?
@Udo: The fact that Globalsign makes this limitation gives some indication of the expense of providing the service, and using a VeriSign or Comodo timestamping URL after paying Globalsign seems unethical to me. If you want to use the services that VeriSign provides, then you should pay for it.
Just my opinion.
thanks for the information Jim, did not know about all the issues with vista.
Thanks for sharing core information about supported platforms for Thawte code signing certificates and VeriSign code signing certificates, but special thanks for pricing.
We're going to share your blog on our social platforms.