I missed the opportunity to get a new non-hardware-based code signing certificate last May. Here are some notes of the process to get a new one.
-
First option is to get it through Lindersoft. Cost is US$681 for the 3 years certificate, plus $50 for the USB token and $40 for standard shipping ($90 for expedited shipping). Average cost is $257 per year.
-
Googling I found the site SignMyCode which is a certificates reseller, but has a lot for resources and tutorials. SignMyCode lets you buy certificate without a USB key, if you have your own hardware to store the keys.
-
Hardware Security Modules (HSM) are usually expensive, but you can also use a cheaper Yubikey
-
Since I always use a laptop to work, I liked a lot the idea to use a tiny Yubikey Nano and keep it plugged in the USB port, instead of having to find a regular sized USB token every time I need to sign code.
-
Ordering the lowest priced certificate from SygnMyCode costs US$599.97 for 3 years, no shipping needed. A FIPS Certified Yubikey 5C Nano costs $95 plus tax and shipping, total $107.51. Average per year is $235.82, a little less than Lindersoft’s option. Since you don’t need to buy another USB token every three years, the average per year for 9 years is $211.93. But the decisive reason for me was the convenience of the size of the Yubikey Nano.
-
To be fair, the certificates sold through Lindersoft are EV (Extended Validation). The one I bought is only OV (Organization Validated). Upgrading to EV in SignMyCode costs $70 more per year. I think the validation process for EV may be more complicated than OV so I preferred the OV option.
-
Important: if you order a Yubikey, double check that you are buying the FIPS certified version. I didn’t know there were two version and ordered the first one I found in Amazon, but it was rejected when I tried to get the certificate. The FIPS capable versions cost around US$60, the FIPS certified versions are closer to $100. It may be better to order directly from Yubico.
-
When you receive your Yubikey, you should change the default PIN and Management keys, then follow this tutorial to create a CSR (certificate request) and to export the key attestation and intermediate files. The video talks about merging the files, but the order page in SignMyCode now lets you paste each file in a different field.
-
With your CSR and key attestation files, you are ready to order the certificate. The process will ask information about your company. A DUNS number is requested but I think it’s optional (I had one I got when registering in the Apple Developer Program).
-
The next day you’ll received a link to upload the documentation. They ask for a picture of a government issued ID and a selfie of you holding the ID. You also should upload any documentation that proves that your company exists. I lost a few days at this part because I only had uploaded the ID pictures, and I realized I needed to upload more documents until they replied to my support ticket.
-
After the documentation is validated, you receive another link to start the order validation phone call. The link shows the phone number they are going to call. They must validate this number somewhere else, fortunately I used my personal cel phone when registering with the Apple Develpers Program, so that part was easy. The process is automated, you press a Call me now button, your phone rings and a recording tells you to dial 1 to confirm the order (it took me a few tries until the 1 registered) and then reads you a number. You enter that number on the page where you pressed the call me now button and the order is validated.
-
The next day you receive a notice that your certificate was issued (I confirmed my order in a Friday and received the certificate until next Monday). You can then log into the SignMyCode site and download a zip file that includes your certificate .crt file and an additional CA bundle .crt file.
-
SignMyCode gives you support through a chat window in their site, they are very responsive. Support with the certificate issuer is through support tickets. Maybe they are in a diferente time zone because all interactions took 24 to 48 hours to complete.
-
Now that you have the crt file, the next step is to import it into your Yubikey using this tutorial. This video also explains the command you use to sign your files, more details bellow.
-
After if you import the certificate, if you run
certmgr.mscyou should see your new certificate underPersonal / Certificates. In my case, when I first tried to sign code, I received errors saying the certificate wasn’t found. When I rancertmgr.mscthe certificate wasn’t there. The solution was to install the YubiKey Smart Card Minidriver. After installing the drivers and unplugging and plugin again the Yubikey, the certificate was displayed. -
You need a
signtool.exeto sign your code. I’m not sure if older versions (I had one from 2016) are compatible with hardware-based certificates, but if you want to download the latest version (May 2023) you need to install the Windows SDK, or download the Windows SDK .iso file and extract the code signing tools installer. -
This is the command I’m using to sign exes and dlls:
signtool sign /sha1 CERTIFICATE_THUMBPRINT /ac Certera_CABundle.crt /as /fd sha256 /d "DESCRIPTION" /du "URL" /td sha256 /tr http://timestamp.sectigo.com FILENAMEsigntool sign: sign command for signtool/sha1 CERTIFICATE_THUMBPRINT: Instead of passing the name of the pfx file as usual, you pass the sha1 thumbprint of your certificate. You can view it usingcertmgr.msc, it’s a 40 digits hex number./ac Certera_CABundle.crt: The additional file you receive in the zip file where you get the certificate. If not included, the certificate may show as not validated in the signature./as: Add a new signature in case the file has already been signed./fd sha256: Use the sha256 signing algorithm/d "DESCRIPTION" /du "URL"Information about you program/td sha256 /tr http://timestamp.sectigo.com: Timestamp the signatureFILENAME: name of the exe or dll to sign (may be more than one)
-
For completeness, this is the command to sign using sha1, but I don’t think it’s needed anymore, unless you need compatibility with computers running an os older than Windows XP SP2
signtool sign /sha1 CERTIFICATE_THUMBPRINT /ac Certera_CABundle.crt /as /fd sha1 /d "DESCRIPTION" /du "URL" /t http://timestamp.sectigo.com FILENAME -
In the version of Setupbuilder I’m using (2019.7 with current maintenance plan) I didn’t find a way to configure a certificate using its thumbprint. I ended disabling code signing and the option
Enable Installer Integrity Check, and now I sign the installer after SB finishes, using the same command shown above. There’s a Setupbuilder 2023 version currently in beta, but I haven’t tested it yet. -
Since the certificate is now protected by the Yubikey, it’s necessary to enter the PIN code every time a file is signed, in my case it’s a few dozen files for every release, very annoying. There seem to exist options to cache the PIN for a few minutes, but they must be specified when the key is crated, maybe I’ll look into this in 3 years. Another option is to pass all the exes and dlls to sign to a single signtool command, so it only asks for the PIN once. A simpler solution is to use this alternate signing tool that lets you pass the PIN as a parameter. With it the command can be changed to:
scsigntool -pin PINNUMBER sign /sha1 ... -
If you have an automated cloud-based build server, it’s possible to use Azure Keyvault HSM to store your certificate. I think you pay Azure around US$5 per key per month, but it only works with more expensive certificates.
-
NEW: I had visited the Lindersoft order page a few months ago and only found options to order the certificate with physical token. Now they also have an option to order by pasting a key attestation file from a Yubikey. If you want an EV certificate, this may be a better deal.
I hope this helps anyone getting a new certificate. If you need help in a particular part, just let me know and I’ll try to share more details or screenshots.
Regards,
Carlos