Codesigning - Need alternative to Comodo

Thank you. Do you happen to know what this choice means? I suspect I should select Microsoft Authenticode?

Not sure I will call it tax, but it could easily have been a conspiracy.
I had to start signing for two reasons: a) The Windows dialog stopping installation and/or running a program because it was not signed and b) Many of my programs behave like a virus with extensive file manipulation on disk and thus antivirus quarantined them.

If you need to have that extra peace of mind that your dev machine is not infected and thus passing on malware or viruses to your customers (excluding the malware/viruses leveraging virtualisation at the CPU level), may I suggest this… GitHub - vitoplantamura/BugChecker: SoftICE-like kernel debugger for Windows 11

BugChecker is a SoftICE-like kernel and user debugger for Windows 11 (and Windows XP as well: it supports Windows versions from XP to 11, both x86 and x64). BugChecker doesn’t require a second machine to be connected to the system being debugged, like in the case of WinDbg and KD. This version of BugChecker (unlike the original version developed 20 years ago) leverages the internal and undocumented KD API in NTOSKRNL. KD API allows WinDbg/KD to do calls like read/write virtual memory, read/write registers, place a breakpoint at an address etc.

Yes you want Microsoft Authenticode.

The purpose is for the end user to know that the executable file was signed by the publisher and has not been altered, because the checksum matches. There is no assurance the code is safe; if the publisher’s machine has malware, that could be in the EXE.

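The point above (a valid signature proves who signed the file and that it has not changed since, nothing more) is something a publisher can check on their own release files before shipping. The following PowerShell script is an added example, not code from this thread; it uses the built-in Get-AuthenticodeSignature cmdlet, and the release folder path and the expected certificate thumbprint are placeholders you would replace with your own.

```powershell
# Added example (not from the thread). Walks a release folder and reports, for
# each .exe/.dll/.msi, whether its Authenticode signature still matches the file
# and which certificate produced it. Placeholders:
#   $ReleaseDir          - folder holding the files you are about to ship
#   $ExpectedThumbprint  - SHA-1 thumbprint of your own code-signing certificate
$ReleaseDir         = 'C:\Release'
$ExpectedThumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'

Get-ChildItem -Path $ReleaseDir -Recurse -File -Include *.exe, *.dll, *.msi |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    # Status values include: Valid, NotSigned, HashMismatch (file changed after
    # signing), NotTrusted (signed, but the chain is not trusted), UnknownError.
    $thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '(unsigned)' }

    # "Valid" only proves integrity plus a trusted chain. Comparing the thumbprint
    # is what ties the file to *your* certificate rather than to any certificate
    # Windows happens to trust.
    if ($sig.Status -eq 'Valid' -and $thumb -eq $ExpectedThumbprint) {
        $verdict = 'OK: intact and signed with our certificate'
    } elseif ($sig.Status -eq 'Valid') {
        $verdict = 'CHECK: intact, but signed by a different certificate'
    } elseif ($sig.Status -eq 'HashMismatch') {
        $verdict = 'ALERT: file modified after signing'
    } else {
        $verdict = "FAIL: $($sig.Status) - $($sig.StatusMessage)"
    }

    [pscustomobject]@{
        File        = $_.FullName
        Status      = $sig.Status
        Signer      = $signer
        Timestamped = [bool]$sig.TimeStamperCertificate   # signature survives cert expiry only if timestamped
        Verdict     = $verdict
    }
} | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt on the build or release machine. The Timestamped column matters for the three-year certificates discussed in this thread: an untimestamped signature stops validating once the certificate expires, a timestamped one does not.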

And that does happen, where malware is in a signed executable, using a reputable cert vendor.

I think you would call that LOTL attacks; it’s a term I’ve never heard before, but I got it from here…
GitHub - jmau111-org/windows_security: Is Windows a joke or are you? :billed_cap:

I ordered from DigiCert after lunch and had my code signing certificate five hours later. No hassle at all.

This is the story of Sectigo/Comodo failing for me:

I was purchasing my certificate for the third time. Last time it took three weeks, but I blamed it on holidays then. This time, Sectigo requests information they already have on file, like the phone number I have in my order, and they ask for documents that do not exist, e.g. a photo ID with current address. Documents I upload just vanish without a trace, and they still ask me for the same, making me very insecure about their document handling and security. The promise of a 24-hour response time has no real meaning; a week or two is more realistic.
When I finally get the call from a person who speaks extremely fast, Indian-accented English, I demand that my order be cancelled. Then they claim that the order is not in their system(!), despite them sending me an order confirmation and taking my money. They claim I ordered through a reseller, but I did not; LinderSoft (always helpful) is an affiliate, and the order is placed at Sectigo.
I responded twice to the same support ticket that I wanted to cancel my order, but no answer.

Yesterday I opened a new support ticket with billing, to get the refund. Didn’t get a reply. Today a chat person told me I had to open a support ticket with billing, to get the refund. He claimed the previously created support ticket didn’t exist. So I tried. The system denied me that, since it already exists. Then it was because he didn’t have access. Still he expected to see it in the first place???

So far I have lost more money in terms of working hours than the certificate cost in the first place, and the process is so long that even if I got the certificate, it would probably cost more than what I could save with their prices compared to other vendors.

Clearly Sectigo/Comodo are a bunch of nitwits who will be the first at the wall if a revolution comes.

Credit Cards offer a level of protection when buying from abroad when a refund situation has potentially arisen.

Definitely, and I always use a credit card online. However, MasterCard demands that I make a decent attempt to get a refund before they do anything. They ask for documentation on the refund policy and communication (hard to do on the phone) etc. So in the end, this also adds to the workload to get a refund.
Actually it was the need for documentation that led me to do the entire process again, just to have screenshots.


Bjarne_Havnen,
Do you recall on the “https://secure.trust-provider.com/products/CodeSigningSignup1a” page if you entered a “username” and “password” and clicked “Login” before clicking the “NEXT>” button?

I wonder if entering the username/password info and clicking Login would make any difference in their ability to issue a certificate?

I see the total price is $200 USD with Lindersoft’s discount via secure.trust-provider.com for a Sectigo code-signing certificate.

Digicert.com is going to cost me $1422 USD for a 3 year OV code-signing certificate. Is there anyplace to get DigiCert for much cheaper?

When I first found them, it was a Google search that led me here. Maybe the DigiCert link had a coupon? The price was way lower. That was years ago though. Didn’t think to try it again https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

Today I also bit the bullet.

I don’t know whether it makes a difference, Rich, but I DID log in to those fields using the user name/password from my last purchase. So my prior certificate and my new in-progress one are both visible in the “manage your stuff” area.

At the moment they’ve taken my money and my certificate request.

I have sent them a selfie of myself holding my drivers license, a copy of my city business license, county fictitious business name registration, and IRS employer identification number form.

I’ve put in a ticket which brought no reply. So I’ve phoned them three times. The last two calls I spoke to an apparently nice lady who wanted my state registration number (which I don’t have). I tried explaining to her what a county is; and that the city is within the county, not the other way around.
I’m grateful for having lived 3 years in India because her phone system is about the worst VOIP I’ve ever heard (whoop screech boing) and her Indian accent might be difficult for some to understand through what sounds like radio jamming by mutant ninja turtles who are into heavy metal.

She then decided that she needs to phone the County registrar to confirm my fictitious business name document. I sent her a link to the County’s clerk-recorder documents website, so they may use that or may decide to phone the County on Monday. If they phone, good luck to any of the old ladies at the County courthouse trying to understand the call.

Then they’ll phone me back at xxxxxx. xxxxx is some number I’ve never seen. Fortunately I was able to give her my Dun & Bradstreet registration number, from which she was able to get my actual correct phone. So if all the other hoops fall into place they’ll phone me back at my actual phone to do the final confirmation.

As thoroughly ludicrous as this all sounds, it unfortunately jibes pretty much with the “organization verification” steps outlined on this page: How long does it takes to get a code signing certificate?

Would having paid $1,000 more to digicert have bought a mellow experience? I don’t know.

Were I not such a charming individual I might have lost my sunny disposition by now.

Instead, I’m just sitting here chewing mellowly on shards of glass… :scream:

The problem with all these privacy laws like GDPR is that anyone who needs to confirm your identity from documentation you supply can’t confirm or deny whether the document is genuine, as they would be giving out someone else’s data, which is what the GDPR laws and others are designed to protect.

IMO, it’s a race condition written into law, plus with so much being online, and the existence of colour laser printers, pretty much anything can be fabricated now*. I’m also uncomfortable passing documents like that outside of the UK because I get loads of foreign numbers calling me, scam calls etc., and you just don’t know where they got your details from to ring you up.

Saying that, the only thing I’ve seen in the UK which lets you give your identity documentation to a 3rd party to use for ID purposes is the driving licence agency.
View or share your driving licence information - GOV.UK (www.gov.uk)
In fact, I haven’t had a driving licence since before covid, but I still have the old driving licence number and just used this service, which I’ll forward to SoftVelocity in an attempt to prove my identity to Doreen, as I get no response from them when I email them. It’s like living in an open air prison in the UK nowadays. All legal forms of torture of course.

Edit
(*) Unless of course the tech sector, like FAANG, and/or Intel & Arm have become a surveillance state, and/or the 5 Eyes and/or + x is the behind-the-scenes data sharing which enables the surveillance, which then suggests these people who have made the decisions have lied to the public, as they might see it as white lies for the greater good, without any concept of the physical and psychological harm caused by their surveillance state? This is why I scoff at people who trumpet the “nothing to hide, nothing to fear” meme. I should add, when looking at who participates in the RFCs for tech, you see a number of university professors and others, and the security services use universities, so there’s no telling if some RFCs are watered down to allow backdoors of sorts where security services air a concern to someone participating in the RFC. You see it with lobbyists and politicians and legislation. All very shady.

Yes, I logged in using my Sectigo credentials, then went to the list of previous certificates and used the “Renew” link. I have understood that some get their certificate in hours, others will have to wait for weeks, and the same company might experience both scenarios. The worst part for me was the requirement to send a copy of my personal ID to validate a company. This was a new requirement and too much to ask in a world where identity theft is so easy.

I don’t know anything about getting it cheaper. For me this became a simple calculation of hours spent losing money versus hours spent making money.


To complete my own saga…

Starting this process on a Friday was perhaps suboptimal. (Although in 2020 I started it on a Saturday and had my certificate in hand 2.5 hours later.)

Saturday I phoned Sectigo again. Much better VOIP this time. Man with medium Indian accent. Again my explanations that I am not a corporation and thus not registered with the STATE of California, but I have city business license and county fictitious name registration.
He’s again talking about phoning the county to verify.
I show him that I sent them a link the prior day to the county’s website, which has a business lookup.
He eventually succeeds in looking up my business name on the county’s website (he was having trouble finding the Search button but we worked through that). But then said he isn’t authorized to make the determination and the A-team would handle it on Monday.

Today, Monday, I waited in Sectigo’s phone queue. Clear VOIP again today. Clear Indian-accented woman took my ticket number, read back my phone number looked up from Dun & Bradstreet for confirmation, and said she’d send the callback email.

Got the email. Clicked “call me now”. Entered the PIN. And I have my certificate. All done on Windows 11 using Edge in IE-emulation mode, BTW.

2.5 hours in 2020. 2.5 days in 2023.

All I can hope is that if I’m still alive in 3 years I’ve found a different way to make a living… sigh…


Do you all know about the change in OV private key generation and storage that has been postponed until June 2023?

See the last bullets under “Key Takeaways” at the following page:


I guess that means buy a 30 year key :slight_smile:

I paid for a Comodo EV key a few years ago, and it came on a USB device.

My experience with it was terrible. After about 2 weeks, my password stopped working, and the number of retries ran out. Comodo sent me a new device immediately, but still. It was a nerve-wracking experience.

This week we ordered our code-signing certificate from DigiCert without much trouble for our small company located in the U.S. It was 1.5 days between submitting the order and getting the certificate installed. Their website does not work with Internet Explorer, so we used Edge. This was our first time for ordering from DigiCert. We had previously ordered about one dozen SSL certs from GoDaddy and one code-signing cert from Sectigo.

Does anyone have an idea how these changes are going to impact things like build servers? These are often in the cloud or running in VMs on servers.


Have you seen this from Digicert?
Navigating the New OV Code Signing Requirements - YouTube

OV code signing seems to be used for encrypting communication between devices, like cloud servers and on-premises devices like local servers and desktops.

The Yubikey seems to allow certs to be stored on it.
Import Smart Card Certificates onto your YubiKey — Smart Card on iOS documentation (yubico.com)

Code Signing with the YubiKey on Windows – Yubico

FIDO2 seems to be used as a way to authenticate on cloud servers and other devices but can’t be used to store certs.

Page 8 describes the differences between Fido and certs which could be out of date considering the changes.
white-paper-pki-and-fido-in-the-enterprise-2019.pdf (fidoalliance.org)

Use Case                                      PKI             FIDO
Device Logon                                  Yes             Yes
Pre-boot Authentication                       Yes             Yes
Web Client Authentication                     Yes4            Yes5
Thick Client Authentication6                  Yes7            Yes
Email Encryption and Signing – S/MIME         Yes             No
VPN-IPSec                                     Yes             No
TLS                                           Yes             No
EAP-TLS for wireless access                   Yes             No
Transaction Authorization                     Yes             Yes
Document signing                              Yes             Yes8
Code signing                                  Yes             Yes9
Disk Encryption                               Yes             No
Single Sign-On                                Yes             Yes
Trust Establishment (E.g. for federation)     Yes             No

This has given me an idea: I wonder if I can use a cert to prove my identity for GDPR DSARs and just give them an X.509. It would get around the race condition in law where the validity of documents can’t be confirmed to be genuine, as it would be giving out data. :grinning:

Edit.
On the point of photographic ID, how do DigiCert and everyone else know I don’t have a twin? It’s not a question I’ve ever been asked. Everyone is familiar with the Winklevoss twins, so how do these CAs overcome the problem of identifying identical twins?
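The two Yubico links in this post, together with the earlier question about the new OV rule that private keys must be generated and kept on hardware, lead to a practical question: how does a publisher sign from a certificate whose key lives on a token, and how do they confirm the key really is on the token rather than in a software store? The script below is an added example, not code from this thread, from Yubico or from DigiCert. It assumes the code-signing certificate has been imported into the current user’s personal store with its private key held by a smart-card key storage provider (as a YubiKey is via its minidriver), that signtool.exe from the Windows SDK is on PATH, and that the thumbprint and target path are placeholders. The timestamp URL is DigiCert’s public RFC 3161 server; substitute your own CA’s if you prefer.

```powershell
# Added example (not from the thread, Yubico or DigiCert). Signs one file with a
# hardware-backed code-signing certificate and timestamps it, after first checking
# which key provider actually holds the private key. Placeholders:
#   $Thumbprint - SHA-1 thumbprint of the code-signing certificate in Cert:\CurrentUser\My
#   $Target     - the file to sign
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'
$Target     = 'C:\Release\MyApp.exe'
$TsaUrl     = 'http://timestamp.digicert.com'   # public RFC 3161 timestamp server

# 1. Locate the certificate and confirm where its private key lives.
$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "certificate $Thumbprint has no usable private key in this profile" }

$provider = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.Provider.Provider               # CNG key storage provider name
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $rsa.CspKeyContainerInfo.ProviderName    # legacy CAPI provider name
} else { '(unknown)' }
"Private key provider: $provider"

# A software-store key (e.g. Microsoft Software Key Storage Provider) is exactly
# what the hardware-storage rule is meant to rule out, so stop here if that is what we found.
if ($provider -notmatch 'Smart Card') {
    throw "private key is not held by a smart card provider ($provider); refusing to sign"
}

# 2. Sign: select the cert by thumbprint, SHA-256 file digest, RFC 3161 timestamp
#    with a SHA-256 timestamp digest. The token will prompt for its PIN.
& signtool.exe sign /sha1 $Thumbprint /fd sha256 /tr $TsaUrl /td sha256 /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify under the default Authenticode policy, i.e. the check Windows itself applies.
& signtool.exe verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signature did not verify (exit code $LASTEXITCODE)" }
```

Because the provider check happens before signtool is invoked, the script fails closed on a build machine where someone has imported a PFX with an exportable software key by mistake. For the build-server question raised above, the same check is what you would run on the agent to confirm that the key it is using really sits on the attached token.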