Codesigning - Need alternative to Comodo

Credit Cards offer a level of protection when buying from abroad when a refund situation has potentially arisen.

Definitely, and I always use a credit card online. However, MasterCard demands that I make a decent attempt to get a refund before they do anything. They ask for documentation on the refund policy and communication (hard to do on the phone), etc. So in the end, this also adds to the workload to get a refund.
Actually it was the need for documentation that led me to do the entire process again, just to have screenshots.


Bjarne_Havnen,
Do you recall on the “https://secure.trust-provider.com/products/CodeSigningSignup1a” page if you entered a “username” and “password” and clicked “Login” before clicking the “NEXT>” button?

I wonder if entering the username/password info and clicking Login would make any difference in their ability to issue a certificate?

I see the total price is $200 USD with Lindersoft’s discount via secure.trust-provider.com for a Sectigo code-signing certificate.

Digicert.com is going to cost me $1422 USD for a 3-year OV code-signing certificate. Is there anyplace to get DigiCert for much cheaper?

When I first found them, it was a Google search that led me here. Maybe the DigiCert link had a coupon? The price was way lower. That was years ago though. Didn’t think to try it again: https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

Today I also bit the bullet.

I don’t know whether it makes a difference, Rich, but I DID log in to those fields using the user name/password from my last purchase. So my prior certificate and my new in-progress one are both visible in the “manage your stuff” area.

At the moment they’ve taken my money and my certificate request.

I have sent them a selfie of myself holding my drivers license, a copy of my city business license, county fictitious business name registration, and IRS employer identification number form.

I’ve put in a ticket which brought no reply. So I’ve phoned them three times. The last two calls I spoke to an apparently nice lady who wanted my state registration number (which I don’t have). I tried explaining to her what a county is, and that the city is within the county, not the other way around.
I’m grateful for having lived 3 years in India, because her phone system is about the worst VOIP I’ve ever heard (whoop screech boing) and her Indian accent might be difficult for some to understand through what sounds like radio jamming by mutant ninja turtles who are into heavy metal.

She then decided that she needs to phone the County registrar to confirm my fictitious business name document. I sent her a link to the County’s clerk-recorder documents website, so they may use that or may decide to phone the County on Monday. If they phone, good luck to any of the old ladies at the County courthouse trying to understand the call.

Then they’ll phone me back at xxxxxx. xxxxx is some number I’ve never seen. Fortunately I was able to give her my Dun & Bradstreet registration number, from which she was able to get my actual correct phone. So if all the other hoops fall into place they’ll phone me back at my actual phone to do the final confirmation.

As thoroughly ludicrous as this all sounds, it unfortunately jibes pretty much with the “organization verification” steps outlined on this page: How long does it take to get a code signing certificate?

Would having paid $1,000 more to digicert have bought a mellow experience? I don’t know.

Were I not such a charming individual I might have lost my sunny disposition by now.

Instead, I’m just sitting here chewing mellowly on shards of glass… :scream:

The problem with all these privacy laws like GDPR is that anyone who needs to confirm your identity from documentation you supply can’t confirm or deny that the document is genuine, as doing so would mean giving out someone else’s data, which is what GDPR and similar laws are designed to protect.

IMO, it’s a race condition written into law; plus, with so much being online, and the existence of colour laser printers, pretty much anything can be fabricated now*. I’m also uncomfortable passing documents like that outside of the UK, because I get loads of foreign numbers calling me, scam calls etc., and you just don’t know where they got your details from to ring you up.

Saying that, the only thing I’ve seen in the UK which lets you give your identity documentation to a 3rd party for ID purposes is the driving licence agency.
View or share your driving licence information - GOV.UK (www.gov.uk)
In fact, I haven’t had a driving licence since before covid, but I still have the old driving licence number and just used this service, which I’ll forward to softvelocity in an attempt to prove my identity to Doreen, as I get no response from them when I email them. It’s like living in an open-air prison in the UK nowadays. All legal forms of torture, of course.

Edit
(*) Unless of course the tech sector, like FAANG, and/or Intel & Arm, has become a surveillance state, and/or the Five Eyes (and/or + x) is the behind-the-scenes data sharing which enables the surveillance, which then suggests the people who have made these decisions have lied to the public, perhaps seeing them as white lies for the greater good, without any concept of the physical and psychological harm caused by their surveillance state? This is why I scoff at people who trot out the “nothing to hide, nothing to fear” meme. I should add, when looking at who participates in the RFCs for tech, you see a number of university professors and others, and the security services use universities, so there’s no telling if some RFCs are watered down to allow backdoors of sorts where security services air a concern to someone participating in the RFC. You see it with lobbyists and politicians and legislation. All very shady.

Yes, I logged in using my Sectigo credentials, then went to the list of previous certificates and used the “Renew” link. I have understood that some get their certificate in hours, others have to wait for weeks, and the same company might experience both scenarios. The worst part for me was the requirement to send a copy of my personal ID to validate a company. This was a new requirement and too much to ask in a world where identity theft is so easy.

I don’t know anything about getting it cheaper. For me this became a simple calculation of hours spent losing money versus hours spent making money.


To complete my own saga…

Starting this process on a Friday was perhaps suboptimal. (Although in 2020 I started it on a Saturday and had my certificate in hand 2.5 hours later.)

Saturday I phoned Sectigo again. Much better VOIP this time. Man with medium Indian accent. Again my explanations that I am not a corporation and thus not registered with the STATE of California, but I have city business license and county fictitious name registration.
He’s again talking about phoning the county to verify.
I show him that I sent them a link the prior day to the county’s website, which has a business lookup.
He eventually succeeds in looking up my business name on the county’s website (he was having trouble finding the Search button but we worked through that). But then said he isn’t authorized to make the determination and the A-team would handle it on Monday.

Today, Monday, I waited in Sectigo’s phone queue. Clear VOIP again today. Clear Indian-accented woman took my ticket number, read back my phone number looked up from Dun & Bradstreet for confirmation, and said she’d send the callback email.

Got the email. Clicked “call me now”. Entered the PIN. And I have my certificate. All done on Windows 11 using Edge in IE-emulation mode, BTW.

2.5 hours in 2020. 2.5 days in 2023.

All I can hope is that if I’m still alive in 3 years I’ve found a different way to make a living… sigh…


Do you all know about the change in OV private key generation and storage that has been postponed until June 2023?

See the last bullets under “Key Takeaways” at the following page:


I guess that means buy a 30 year key :slight_smile:

I paid for a Comodo EV key a few years ago, and it came on a USB device.

My experience with it was terrible. After about 2 weeks, my password stopped working, and the number of retries ran out. Comodo sent me a new device immediately, but still. It was a nerve-wracking experience.

This week we ordered our code-signing certificate from DigiCert without much trouble for our small company located in the U.S. It was 1.5 days between submitting the order and getting the certificate installed. Their website does not work with Internet Explorer, so we used Edge. This was our first time for ordering from DigiCert. We had previously ordered about one dozen SSL certs from GoDaddy and one code-signing cert from Sectigo.

Does anyone have an idea how these changes are going to impact things like build servers? These are often in the cloud or running in VMs on servers.

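On the build-server question: the June 2023 change requires OV code-signing private keys to be generated and kept in a hardware cryptographic module, so the first thing to find out on a build machine is where each existing code-signing key actually lives. The script below is an added example, not from this thread or from any CA; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and lists every code-signing certificate with a private key in the personal stores, reporting the key storage provider and export policy. A key behind the “Microsoft Software Key Storage Provider” (or a software CSP) with an exportable policy is the soft-key setup the new rules disallow; a key behind a smart-card or vendor HSM provider is hardware-backed. The name-matching used for the LikelyHardware column is a heuristic of mine, and ECDSA keys are not covered by the RSA lookup and show as unknown.

```powershell
# Added example (not from the thread): inventory code-signing private keys.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
function Get-CodeSigningKeyInventory {
    param(
        [string[]] $Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )

    foreach ($store in $Stores) {
        # -CodeSigningCert is the Certificate provider's filter on the code-signing EKU.
        Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert     = $_
            $provider = 'unknown (non-RSA key or no access)'
            $export   = 'unknown'
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the KSP name says whether the key is software- or hardware-backed.
                    $provider = $rsa.Key.Provider.Provider
                    $export   = $rsa.Key.ExportPolicy
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key container.
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                    $export   = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
                }
            }
            catch {
                # A smart card that is not inserted, or a key we are not allowed to open.
                $provider = "inaccessible: $($_.Exception.Message)"
            }

            # Heuristic (my assumption): these substrings appear in the common
            # hardware providers (smart-card KSP, TPM "Platform Crypto" KSP, vendor HSM KSPs).
            $likelyHardware = $provider -match 'Smart Card|Platform Crypto|HSM|Token'

            [pscustomobject]@{
                Store          = $store
                Subject        = $cert.Subject
                NotAfter       = $cert.NotAfter
                Thumbprint     = $cert.Thumbprint
                KeyProvider    = $provider
                ExportPolicy   = $export
                LikelyHardware = $likelyHardware
            }
        }
    }
}

Get-CodeSigningKeyInventory | Format-Table -AutoSize
```

Run it as the account the build agent signs under, since that account’s CurrentUser store is where a soft key usually hides. Anything that comes back as the software KSP with AllowExport (or a legacy CSP marked exportable) is a key that can be copied off the box by anyone who can run code as that account, which is the exposure the hardware requirement is meant to close.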

Have you seen this from Digicert?
Navigating the New OV Code Signing Requirements - YouTube

OV code signing seems to be used for encrypting communication between devices, like cloud servers and on-premises devices like local servers and desktops.

The Yubikey seems to allow certs to be stored on it.
Import Smart Card Certificates onto your YubiKey — Smart Card on iOS documentation (yubico.com)

Code Signing with the YubiKey on Windows – Yubico

FIDO2 seems to be used as a way to authenticate on cloud servers and other devices but can’t be used to store certs.

Page 8 describes the differences between Fido and certs which could be out of date considering the changes.
white-paper-pki-and-fido-in-the-enterprise-2019.pdf (fidoalliance.org)

Use Case                                      PKI       FIDO
Device Logon                                  Yes       Yes
Pre-boot Authentication                       Yes       Yes
Web Client Authentication                     Yes [4]   Yes [5]
Thick Client Authentication [6]               Yes [7]   Yes
Email Encryption and Signing – S/MIME         Yes       No
VPN-IPSec                                     Yes       No
TLS                                           Yes       No
EAP-TLS for wireless access                   Yes       No
Transaction Authorization                     Yes       Yes
Document signing                              Yes       Yes [8]
Code signing                                  Yes       Yes [9]
Disk Encryption                               Yes       No
Single Sign-On                                Yes       Yes
Trust Establishment (E.g. for federation)     Yes       No
(Bracketed numbers are the white paper’s footnote markers.)

This has given me an idea: I wonder if I can use a cert to prove my identity for GDPR DSARs and just give them an X.509. It would get around the race condition in law where the validity of documents can’t be confirmed to be genuine, as that would be giving out data. :grinning:

Edit.
On the point of photographic ID, how do DigiCert and everyone else know I don’t have a twin? It’s not a question I’ve ever been asked. Everyone is familiar with the Winklevoss twins, so how do these CAs overcome the problem of identifying identical twins?

Plausible deniability :wink:

Hi all,

Today I renewed my 3-year code-signing certificate (with the Lindersoft $200 deal).
I started this morning at 10:30 AM and this afternoon at 3 PM I received my Code Signing Certificate!
So all went smooth! :slight_smile:

Best regards
Jeffrey


The Rebellion Begins.

In a galaxy not-so-far-away a spark glows in the darkness.
Is there any tinder upon which it might feed?
Are the Structures of Power aware?
Or are They so confident in Their Power that They need not heed?

“Mad as hell and not going to take it anymore” ??
Harbinger or hiccup?

Most interesting Jane

One benefit of signing is a reassurance that your executable has not changed since signed.
It also, as you indicate, identifies the programmer or releasing company.
Installing to windows is less intimidating.

Have you considered self-signing?

It supplies all of the above benefits.

I have been doing this for years. Downside of self signing is the certificate has to be installed manually on the target computer beforehand.

Easy to do but maybe scary for innocent users.
So this is not a solution if your customers are mom and pop or everyman/woman.

Since I’ve been selling to capable developers for 27 years, I provide a download with instructions that walks them through certificate installation.

I also have a utility that creates the certificate(s) from scratch at my end in a few seconds.

This uses executables supplied with Windows and a Clarion utility I created here using docs supplied by Microsoft.

Works fine. No special trust required on the user’s behalf, as Dev ID and trust status are visible from a right-click on the EXE being distributed, say inside a zip.

Just ask and I’m happy to share. No charge for another Clarion developer.

Interested developers contact Gus M. Creces CHT (Clarion Handy Tools) www.cwhandy.ca
[email protected]

Cheers…
Gus

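As an added example that is not part of Gus’s post or of CHT, here is the same self-signing procedure done with what Windows already ships (the PKI module’s New-SelfSignedCertificate and Set-AuthenticodeSignature), including the step Gus describes where the customer has to install the certificate first: the script signs, shows the signature is not trusted on a machine that has never seen the certificate, imports the public half, and verifies again. The executable path, subject name and .cer file name are placeholders of mine; the timestamp URL is DigiCert’s public RFC 3161 service and is assumed reachable. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10 or later, and the import step needs an elevated prompt.

```powershell
# Added example (not from the thread or from CHT): self-signed Authenticode end to end.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows 10+, an existing
# .\MyApp.exe (placeholder), and network access to the timestamp server.
$exe     = '.\MyApp.exe'
$cerPath = '.\MyPublisher.cer'

# 1. Publisher side: make a code-signing certificate in the user's personal store.
#    NonExportable keeps the private key from being copied out of the store;
#    this is the key everything you ship will be trusted against, so treat it as such.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=My Publisher, O=My Company' `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Public half only: this .cer is what goes out with the install instructions.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 2. Sign. The RFC 3161 timestamp (-TimestampServer) is what lets the signature
#    stay valid after the certificate expires; without it you really would need
#    that "30 year key".
$sig = Set-AuthenticodeSignature -FilePath $exe -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
"Signed: $($sig.Status) - $($sig.StatusMessage)"

# 3. Customer side, before trusting the publisher: the chain ends in a root
#    Windows does not trust, so Status is not 'Valid' (typically UnknownError).
$before = Get-AuthenticodeSignature -FilePath $exe
"Before import: $($before.Status) - $($before.StatusMessage)"

# 4. Customer installs the public certificate. Root makes the chain build;
#    TrustedPublisher suppresses the "do you trust this publisher" prompt.
#    Both stores are machine-wide and need an elevated prompt. Only do this for
#    a certificate you control: every binary it ever signs is now trusted here,
#    and a self-signed cert has no revocation path if the key is lost.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

$after = Get-AuthenticodeSignature -FilePath $exe
"After import: $($after.Status) by $($after.SignerCertificate.Subject)"
if ($after.Status -ne 'Valid') { throw "Signature still not trusted: $($after.StatusMessage)" }
```

Step 3 is the point Gus makes about mom-and-pop customers: the signature is cryptographically fine, but Windows reports it as untrusted until someone with admin rights adds your certificate to the machine’s trusted roots, and SmartScreen has no reputation for it either. Importing into CurrentUser\Root instead of LocalMachine\Root avoids elevation but trusts the publisher only for that one account.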

Thanks, Gus, but not my announcement.
I received it yesterday from a rather fringe graphics software company and thought it amusing enough to share.

My current Sectigo certificate is good until 2026 and I’m not going to think about it before then! :roll_eyes:

I have a Windows domain with its own certificate authority trusted by Active Directory that I use for development but have never considered using a self-signed certificate for anything other than in-house stuff.

But I appreciate the offer!

Cheers,

Jane

They must not deal with the government.