Codesigning - Need alternative to Comodo

I am renewing my code signing certificate these days. I tried Comodo in the past, since I have a Setupbuilder license and it comes cheap there. Luckily I only do this each third year, but Sectigo/Comodo is killing me with their total lack of work ethics and support. If I get a stroke, it is on them.
Can anyone recommend a good alternative?
Doesn’t necessarily have to be the cheapest, 'cause spending weeks on a process is more expensive for me than the money I can save.

Even if you did find another certificate authority, I’m reminded of when the London riots kicked off back in the days when everyone had a blackberry and used BBM to message. I heard that the Royal Mounted Canadian Police had a copy of the root cert from RIM and RMCP gave it to the Met Police in London to trawl through all the messages in order to convict rioters and instigators.

I just view these things as a technology tax now to keep customers happy.

Hi Bjarne -

I never actually purchased a cert from them, but they were very responsive to my queries. Not cheap, though. https://www.digicert.com/order/order-1.php

1 Like

Thank you. Do you happen to know what this choice means? I suspect I should select Microsoft Authenticode?

Not sure I will call it tax, but it could easily have been a conspiracy.
I had to start signing for two reasons: a) The Windows dialog stopping installation and/or running a program because it was not signed and b) Many of my programs behave like a virus with extensive file manipulation on disk and thus antivirus quarantined them.

If you need to have that extra piece of mind your dev machine is not infected and thus passing on malware or viruses to your customers (excluding the malware/viruses leveraging virtualisation at the cpu level), may I suggest this… GitHub - vitoplantamura/BugChecker: SoftICE-like kernel debugger for Windows 11

BugChecker is a SoftICE-like kernel and user debugger for Windows 11 (and Windows XP as well: it supports Windows versions from XP to 11, both x86 and x64). BugChecker doesn’t require a second machine to be connected to the system being debugged, like in the case of WinDbg and KD. This version of BugChecker (unlike the original version developed 20 years ago) leverages the internal and undocumented KD API in NTOSKRNL. KD API allows WinDbg/KD to do calls like read/write virtual memory, read/write registers, place a breakpoint at an address etc.

Yes you want Microsoft Authenticode.

The purpose is for the end user to know that the executable file was signed by the publisher and has not been altered because the checksum matches. There no assurance the code is safe, if the publisher’s machine has malware that could be in the EXE.

1 Like

and that does happen, where malware is in a signed executable, using a reputable cert vendor.

I think you would call that LOTL attacks, its a term I’ve never heard before but I got it from here…
GitHub - jmau111-org/windows_security: Is Windows a joke or are you? :billed_cap:

I ordered from DigiCert after lunch and had my code signing certificate five hours later. No hassle at all.

This is the story of Sectigo/Comodo failing for me:

I was purchasing my ceritificate for the third time. Last time it took three weeks, but I blamed it on holidays then. This time, Sectigo requests information they already have on file, like the phone number I have in my order, and they ask for documents that do not exist, eg. a Photo Id with current address. Documents I upload just vanish without a trace, and they still ask me for the same, making me very insecure about their document handling and security. Promise of 24 hour response time has no real meaning, a week or two is more realistic.
When I finally get the call from a person that speaks extremely fast and Indian accented english, I demand my order being cancelled. Then they claim that the order is not in their system(!), despite them sending me order confirmation and taking my money. They claim I ordered through a reseller, but I did not, LinderSoft (always helpful) is an affiliate, the order is placed at Sectigo.
I responded twice to the same support ticket that I wanted to cancel my order, but no answer.

Yesterday I opened a new support ticket with billing,to get the refund. Didn’t get a reply. Today a chat person told me I had to open a support ticket with billing, to get the refund. He claimed the previously created support ticket didn’t exists. So I tried. The system denied me that, since it already exists. Then it was because he didn’t have access. Still he expected to see it in the first place???

So far I have lost more money in terms of working hours than the certificate cost in the first place, and the process is so long that even if I got the certificate, it would probably cost more than what I could save with their prices compared to other vendors.

Clearly Sectigo/Comodo are a bunch of nitwits who will be the first at the wall if a revolution comes.

Credit Cards offer a level of protection when buying from abroad when a refund situation has potentially arisen.

Definetly, and I always use credit card online. However, MasterCard demands that I do a decent attempt to get a refund before they do anything. They ask for documentation on refund policy and communication (hard to do on phone) etc. So in the end, this also adds to the workload to get refund.
Actually it was the need for documentation that led me to do the entire process again, just to have screenshots.

1 Like

This post was flagged by the community and is temporarily hidden.

Bjarne_Havnen,
Do you recall on the “https://secure.trust-provider.com/products/CodeSigningSignup1a” page if you entered a “username” and “password” and clicked “Login” before clicking the “NEXT>” button?

I wonder if entering the username/password info and clicking Login would make any difference in their ability to issue a certificate?

I see the total price is $200 USD with Lindersoft’s discount via secure.truest-provider.com for a Sectigo code-signing certificate.

Digicert.com is going to cost me $1422 USD for a 3 year OV code-signing certificate. Is there anyplace to get Digitcert for much cheaper?

When I first found them, it was a Google search that led me here. Maybe the digicert link had a coupon? The price was way lower. That was years ago though. Didnt think to try it again https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

Today I also bit the bullet.

I don’t know whether it makes a difference, Rich, but I DID log in to those fields using the user name/password from my last purchase. So my prior certificate and my new in-progress one are both visible in the “manage your stuff” area.

At the moment they’ve taken my money and my certificate request.

I have sent them a selfie of myself holding my drivers license, a copy of my city business license, county fictitious business name registration, and IRS employer identification number form.

I’ve put in a ticket which brought no reply. So I’ve phoned them three times. The last two calls I spoke to an apparently nice lady who wanted my state registration number (which I don’t have). I tried explaining to her what a county is; and that the city is within the county, not the other way around.
I’m grateful for having lived 3 years in India because her phone system is about the worst VOIP I’ve ever heard (whoop screech boing ) and her Indian accent might be difficult for some to understand through what sounds like radio jamming by mutant ninja turtles who are into heavy metal.

She then decided that she needs to phone the County registrar to confirm my fictitious business name document. I sent her a link to the County’s clerk-recorder documents website, so they may use that or may decide to phone the County on Monday. If they phone, good luck to any of the old ladies at the County courthouse trying to understand the call.

Then they’ll phone me back at xxxxxx. xxxxx is some number I’ve never seen. Fortunately I was able to give her my Dun & Bradstreet registration number, from which she was able to get my actual correct phone. So if all the other hoops fall into place they’ll phone me back at my actual phone to do the final confirmation.

As thoroughly ludicrous as this all sounds, it unfortunately jibes pretty much with the “organization verification” steps outlined on this page: https://codesigncert.com/resources/how-long-does-it-take-to-get-code-signing-certificate

Would having paid $1,000 more to digicert have bought a mellow experience? I don’t know.

Were I not such a charming individual I might have lost my sunny disposition by now.

Instead, I’m just sitting here chewing mellowly on shards of glass… :scream:

The problem with all these privacy laws like GDPR, is any documentation supplied to someone who needs to confirm your identity, cant confirm or deny if the document is genuine or not as they would be giving out someone elses data, which is what the GDPR laws and others are designed to protect.

IMO, its a race condition written into law, plus with so much being online, and the existence of colour laser printers, pretty much anything can be fabricated now*. I’m also uncomfortable passing documents like that outside of the UK because I get loads of foreign numbers calling me, scam calls etc, and you just dont know where they got your details from to ring you up.

Saying that, the only thing I’ve seen in the UK which lets you give your identify documentation to a 3rd party to use for ID purposes is the Driving licence agency.
View or share your driving licence information - GOV.UK (www.gov.uk)
In fact, I havent had a driving licence since before covid, but I have the old driving licence number still and just used this service, which I’ll forward to softvelocity in an attempt to prove my identity to Doreen as I get no response from them when I email them. Its like living in an open air prison in the UK now a days. All legal forms of torture of course.

Edit
(*) Unless of course the tech sector, like FAANG, and/or Intel & Arm have become surveillance state, and/or the 5 eyes and/or + x, is the behinds the scenes data sharing which enables the surveillance, which then suggests these people who have made the decisions have lied to the public, as they might see it as white lies for greater good, without any concept of the physical and psychological harm caused by their surveillance state? This is why I scoff at people who trump out the nothing to hide, nothing to fear meme. I should add, when looking at who participates on the RFC’s for tech, you see a number of university professors and others, and the security services use university’s, so there’s no telling if some RFC’s are watered down to allow backdoors of sorts where security services air a concern to someone participating in the RFC. You see it with lobbyists and politicians and legislation. All very shady.

Yes, I logged in using my Sectigo credentials, then went to the list of previous certificates and used the “Renew” link. I have understood that someone get their certificate in hours, others will have to wait for weeks, and the same company might experience both scenarios. The worst part for me was the requirement to send a copy of my personal ID to validate a company. This was a new requirement and too much to ask in a world where identify theft is so easy.

I don’t know anything about getting it cheaper. For me this became a simple calculation of hours spent loosing money versus hours spent making money.

1 Like

To complete my own saga…

Starting this process on a Friday was perhaps suboptimal. (Although in 2020 I started it on a Saturday and had my certificate in hand 2.5 hours later.)

Saturday I phoned Sectigo again. Much better VOIP this time. Man with medium Indian accent. Again my explanations that I am not a corporation and thus not registered with the STATE of California, but I have city business license and county fictitious name registration.
He’s again talking about phoning the county to verify.
I show him that I sent them a link the prior day to the county’s website, which has a business lookup.
He eventually succeeds in looking up my business name on the county’s website (he was having trouble finding the Search button but we worked through that). But then said he isn’t authorized to make the determination and the A-team would handle it on Monday.

Today, Monday, I waited in Sectigo’s phone queue. Clear VOIP again today. Clear Indian-accented woman took my ticket number, read back my phone number looked up from Dun & Bradstreet for confirmation, and said she’d send the callback email.

Got the email. Clicked “call me now”. Entered the PIN. And I have my certificate. All done on Windows 11 using Edge in IE-emulation mode, BTW.

2.5 hours in 2020. 2.5 days in 2023.

All I can hope is that if I’m still alive in 3 years I’ve found a different way to make a living… sigh…

Do you all know about the change in OV private key generation and storage that has been postponed until June 2023?

See the last bullets under “Key Takeaways” at the following page:

2 Likes