Codesigning - Need alternative to Comodo

This week we ordered our code-signing certificate from DigiCert without much trouble for our small company located in the U.S. It was 1.5 days between submitting the order and getting the certificate installed. Their website does not work with Internet Explorer, so we used Edge. This was our first time ordering from DigiCert. We had previously ordered about one dozen SSL certs from GoDaddy and one code-signing cert from Sectigo.

Does anyone have an idea how these changes are going to impact things like build servers? These are often in the cloud or running in VMs on servers.

1 Like

Have you seen this from DigiCert?
Navigating the New OV Code Signing Requirements - YouTube

OV code signing seems to be used for encrypting communication between devices, like cloud servers and on-premises devices like local servers and desktops.

The YubiKey seems to allow certs to be stored on it.
Import Smart Card Certificates onto your YubiKey — Smart Card on iOS documentation (yubico.com)

Code Signing with the YubiKey on Windows – Yubico

FIDO2 seems to be used as a way to authenticate on cloud servers and other devices but can't be used to store certs.

Page 8 describes the differences between FIDO and certs, which could be out of date considering the changes.
white-paper-pki-and-fido-in-the-enterprise-2019.pdf (fidoalliance.org)

Use Case                                      PKI             FIDO
Device Logon                                  Yes             Yes
Pre-boot Authentication                       Yes             Yes
Web Client Authentication                     Yes [4]         Yes [5]
Thick Client Authentication [6]               Yes [7]         Yes
Email Encryption and Signing – S/MIME         Yes             No
VPN-IPSec                                     Yes             No
TLS                                           Yes             No
EAP-TLS for wireless access                   Yes             No
Transaction Authorization                     Yes             Yes
Document signing                              Yes             Yes [8]
Code signing                                  Yes             Yes [9]
Disk Encryption                               Yes             No
Single Sign-On                                Yes             Yes
Trust Establishment (e.g. for federation)     Yes             No

This has given me an idea: I wonder if I can use a cert to prove my identity for GDPR DSARs and just give them an X.509. It would get around the race condition in law where the validity of documents can't be confirmed to be genuine as it would be giving out data. :grinning:

Edit.
On the point of photographic ID, how do DigiCert and everyone else know I don't have a twin? It's not a question I've ever been asked. Everyone is familiar with the Winklevoss twins, so how do these CAs overcome the problem of identifying identical twins?

Plausible deniability :wink:

Hi all,

Today I renewed my 3-year codesign certificate (with the Lindersoft $200 deal).
I started this morning at 10:30 AM and this afternoon at 3 PM I received my Code Signing Certificate!
So all went smoothly! :slight_smile:

Best regards
Jeffrey

1 Like

The Rebellion Begins.

In a galaxy not-so-far-away a spark glows in the darkness.
Is there any tinder upon which it might feed?
Are the Structures of Power aware?
Or are They so confident in Their Power that They need not heed?

“Mad as hell and not going to take it anymore” ??
Harbinger or hiccup?

Most interesting, Jane.

One benefit of signing is a reassurance that your executable has not changed since signed.
It also, as you indicate, identifies the programmer or releasing company.
Installing to Windows is less intimidating.

Have you considered self-signing?

It supplies all of the above benefits.

I have been doing this for years. The downside of self-signing is that the certificate has to be installed manually on the target computer beforehand.

Easy to do but maybe scary for innocent users.
So this is not a solution if your customers are mom and pop or everyman/woman.

Since I’ve been selling to capable developers for 27 years, I provide a download with instructions that walks them through certificate installation.

I also have a utility that creates the certificate(s) from scratch at my end in a few seconds.

This uses executables supplied with Windows and a Clarion utility I created here using docs supplied by Microsoft.

Works fine. No special trust required on the user's behalf, as Dev ID and trust status are visible from a right click on the EXE being distributed, say inside a zip.

Just ask and I’m happy to share. No charge for another Clarion developer.

Interested developers contact Gus M. Creces CHT (Clarion Handy Tools) www.cwhandy.ca
[email protected]

Cheers…
Gus

1 Like
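
The self-signing workflow described in the post above, as an added PowerShell example; it is not the poster's utility or code from this thread. The subject name, file paths and sample script are constructed, and it uses the PKI and Authenticode cmdlets that ship with Windows.

```powershell
# Added example: constructed names and paths, not the poster's utility.
$ErrorActionPreference = 'Stop'

# --- Publisher side ---------------------------------------------------------
# 1. Create a self-signed code-signing certificate. The private key stays in
#    the publisher's user store and is marked non-exportable.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Dev Tools (constructed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(3)

# 2. Export only the public certificate; this is the file customers install.
$cer = Join-Path $env:TEMP 'example-dev-public.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null

# 3. Sign a constructed sample file (a real release would sign the EXE).
$target = Join-Path $env:TEMP 'sample-release.ps1'
Set-Content -Path $target -Value 'Write-Output "hello from a signed script"'
Set-AuthenticodeSignature -FilePath $target -Certificate $cert `
    -HashAlgorithm SHA256 | Out-Null

# --- Customer side ----------------------------------------------------------
# 4. Before the certificate is installed, the signature is present but the
#    chain ends in an untrusted root, so Status is not 'Valid'.
$before = Get-AuthenticodeSignature -FilePath $target
"Before import: $($before.Status)"

# 5. Compare the .cer thumbprint with the value the publisher supplied over a
#    separate channel, and install the certificate only if they match.
$expected = $cert.Thumbprint   # stands in for the out-of-band value
$received = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cer)
if ($received.Thumbprint -ne $expected) { throw 'Thumbprint mismatch: do not install' }
# Importing into the user's Root store shows a Windows confirmation dialog.
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null

# 6. The same file now verifies against the installed certificate.
"After import:  $((Get-AuthenticodeSignature -FilePath $target).Status)"

# 7. Any change to the file after signing means it is no longer 'Valid'.
Add-Content -Path $target -Value '# modified after signing'
"After edit:    $((Get-AuthenticodeSignature -FilePath $target).Status)"
```

To undo the test, delete the certificate by thumbprint from `Cert:\CurrentUser\My`, `Cert:\CurrentUser\Root` and `Cert:\CurrentUser\TrustedPublisher`, and remove the two files from `$env:TEMP`.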

Thanks, Gus, but not my announcement.
I received it yesterday from a rather fringe graphics software company and thought it amusing enough to share.

My current Sectigo certificate is good until 2026 and I’m not going to think about it before then! :roll_eyes:

I have a Windows domain with its own certificate authority trusted by Active Directory that I use for development but have never considered using a self-signed certificate for anything other than in-house stuff.

But I appreciate the offer!

Cheers,

Jane

They must not deal with the government.