Code signing (Microsoft Authenticode)

Daisetsu · Aug 27, 2010 · Viewed 27.5k times

I have a program which is used by a large number of people who are not always super computer savvy. I want to make sure that rather than having my executable say it is from an unknown author that it says it was signed by me.

As far as I know this can be done with Microsoft Authenticode. I understand I need a certificate to do this and was looking for one at a reasonable price. I stumbled upon the page Microsoft Authenticode Certificates.

It looks like GlobalSign has everything I need. What is the experience with certificates from them or is there a better company? Are there any good tutorials for someone doing this for the first time?

Answer

Oleg · Sep 4, 2010

Comodo is a good starting point to find the cheapest code signing certificate, but one receives the best price from a reseller.

I just now verified the prices from https://author.tucows.com/. They are:

  • Comodo Code Signing Certificate - 1 year: US$75
  • Comodo Code Signing Certificate - 2 year: US$140
  • Comodo Code Signing Certificate - 3 year: US$195

Additional conditions are

  • Most cost effective fully validated and full supported SSL certificates available
  • As trusted as Verisign and Thawte, yet a fraction of the price
  • 99% browser ubiquity
  • Industry standard 128 bit
  • Validation processes as strong as Verisign and far stronger than GeoTrust
  • 30 day money back guarantee
  • 30 day free replacement and reissue policy
  • Varying levels of warranty for specific site needs
  • Free SecuritySpace security audit
  • Free TrustLogo (worth $119) with every InstantSSL Pro and PremiumSSL certificate

The only trick to receive the price: you have to register for FREE on author.tucows.com.

One more remark. Independent of the price question, I want to add one important piece of information to be sure that you understand correctly why you need time-stamping. If you sign a file using a code signing certificate, you can use time-stamping for free from any time-stamping server like timestamp.verisign.com (see the /T parameter of the SignTool.exe utility). The practical advantages of time-stamping are the following: if you use a code signing certificate which is legal till the end of 2010, for example, the file signature will stay OK after the end of 2010. Without time-stamping you have to re-sign the file with the new certificate. The time-stamping server just confirms the date of signing. Because your certificate was OK at that date, you will have no problems later. So if you need a certificate only to sell software one time, you can get a certificate for the minimal period: one year. You can read more about time-stamping in SSL Certificate Authority and Digital IDs and Trusted timestamping.

Regarding another subquestion of your question: after you have a certificate, I recommend you just use the SignTool.exe utility. It is simple, FREE and easy to use. You can find examples of the usage of SignTool.exe in Using SignTool to Sign a File and Assembly Signing Example, or just start SignTool.exe sign -?.
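The sign-with-timestamp step from the answer, followed by the check that the timestamp countersignature actually made it into the file, as an added PowerShell example (not from the original answer). It assumes signtool.exe from the Windows SDK is on PATH; the certificate path, the password environment variable, the target file and the timestamp URL path are placeholders to replace with your own.

```powershell
# Added example, not from the original answer. Assumes signtool.exe (Windows SDK) is on PATH;
# certificate path, password variable, target file and timestamp URL are placeholders.
$Pfx      = 'C:\certs\codesign.pfx'        # placeholder: your code signing certificate (PFX)
$Password = $env:CODESIGN_PFX_PASSWORD      # placeholder: keep the PFX password out of the script
$Target   = 'C:\build\MyApp.exe'            # placeholder: the executable to sign
$TsaUrl   = 'http://timestamp.verisign.com/scripts/timstamp.dll'  # server named in the answer; path assumed

# Sign and counter-sign with a timestamp in one step. /t takes an Authenticode timestamp
# server (the answer's /T); /fd selects the file digest algorithm.
& signtool.exe sign /f $Pfx /p $Password /fd SHA256 /t $TsaUrl /d 'MyApp' $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy; /v prints the signer and timestamp chains.
& signtool.exe verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# The point of the answer: a timestamped signature carries a TSA countersignature, so it stays
# valid after the signing certificate expires. Without /t, TimeStamperCertificate is $null.
$sig = Get-AuthenticodeSignature -FilePath $Target
[pscustomobject]@{
    Status        = $sig.Status
    Signer        = $sig.SignerCertificate.Subject
    SignerExpires = $sig.SignerCertificate.NotAfter
    TimeStamped   = [bool]$sig.TimeStamperCertificate
    TimeStamper   = $sig.TimeStamperCertificate.Subject
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp countersignature: re-signing will be needed once $($sig.SignerCertificate.NotAfter) passes."
}
```

Run it once with /t and once without it to see the TimeStamped column flip; the Status column stays Valid in both cases while the certificate is still within its validity period, which is exactly why the missing timestamp is easy to overlook.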