views:

829

answers:

6

I'm looking at options to buy a code signing certificate for my company. I want it to be usable for MS Authenticode and also for Java and I want it to be trusted with the default trusted authority list that ships with a new install of Windows (i.e. I don't want the user to have to add a new trusted authority). I've seen previous discussions recommending Comodo, but I'm a bit confused since I've checked the list of trusted authorities on my XP machine and I couldn't find Comodo. Also Comodo seems to have a somewhat spotty reputation, issuing certificates to malware.

This kinda leaves me with Verisign (i.e. the evil company that broke DNS for profit) or Thawte, and both cost an arm and a leg.

Are there other options I'm missing?

+4  A: 

If you want to be allowed to pick up your crash dumps from WinQual, you must use a Verisign certificate.

Edit: Verisign, not Thawte. I meant Verisign. Thanks Marc.

Ian Boyd
@Ian Boyd: I think you wanted to say Verisign, no? Thawte certs don't work for WinQual.
Marc
@Marc: You are absolutely right, I completely got that backwards. I knew it, just a brain fart.
Ian Boyd
A: 

Actually, I think GoDaddy certificates will work. They are much less expensive than Verisign, and less than Thawte. I would ask them if they guarantee that their certificates will work in the manner you describe.

Robert Harvey
Someone averse to VeriSign for ethical reasons might not be particularly keen on GoDaddy... (qv http://www.nodaddy.com )
AakashM
You need a trusted authority. Otherwise the users are going to be confronted with a nasty warning when they try to run the program.
Robert Harvey
@Aakash: I'm not averse to them on ethical grounds, but more on business grounds. If they broke the internet backbone, what's to stop them screwing *me* over?
Remus Rusanu
+5  A: 

http://www.globalsign.com has a complete focus on such matters, and is really good to work with.

AppCove, Inc. (day job) is a reseller and can provide quite good pricing, fyi....

gahooa
These guys look better than GoDaddy. They explain in clear language they are a trusted authority, and they support 64 bit Vista drivers, unlike GoDaddy.
Robert Harvey
They seem decent indeed
Remus Rusanu
I got a cert from GlobalSign. I got scared that it was signed by an intermediate authority when I first saw it, but it is OK. I was testing it wrong.
Remus Rusanu
A: 

Also visit https://secure.ksoftware.net/code%5Fsigning.html Response to emailed questions was very fast.

Tony Toews
A: 

It might be worth looking at Comodo. I have not used the code certificates, only the free email certs.

Remou
+3  A: 

Have a look at StartSSL. They're beta-testing code signing certificates and their prices are very nice. Their certificate for code-signing is $40 ($80 if you need organization name on it), valid for two years.

They have an unusual business model, too: they charge for validation of your personal/business information, not for issuing certificates. Validation is done once a year and you can create as many certificates as you need during this period.

vslavik
One thing to watch out for, though, is that according to http://stackoverflow.com/questions/2213784/how-to-verify-that-timestamping-is-done-correctly-for-signed-code StartSSL certificates have the "Lifetime Signing" OID set, which means that signatures will be marked as invalid after the certificate expires, even if it was timestamped.
BruceCran
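Two points in this thread are easy to check for yourself before you pay for a certificate or ship a signed build: the GlobalSign comment (a signer issued by an intermediate CA is normal as long as the chain ends at a root in the Windows trust store) and the StartSSL comment (the "Lifetime Signing" EKU makes a signature invalid at certificate expiry even when timestamped). The script below is an added example, not code from the thread or from any of the vendors named in it; it runs in Windows PowerShell against a signed file whose path you supply (the path is a placeholder), and the two OIDs it looks for are the standard Code Signing EKU and Microsoft's Lifetime Signing EKU.

```powershell
# Added example (not from the original thread): inspect an Authenticode-signed
# file and report (a) whether the signer's chain builds to a trusted root,
# listing which elements are intermediates, (b) whether the signer carries the
# Code Signing EKU, and (c) whether it carries the Lifetime Signing EKU.
param(
    [Parameter(Mandatory = $true)]
    [string]$FilePath   # placeholder, e.g. C:\build\setup.exe
)

$OID_CODE_SIGNING     = '1.3.6.1.5.5.7.3.3'         # id-kp-codeSigning
$OID_LIFETIME_SIGNING = '1.3.6.1.4.1.311.10.3.13'   # szOID_KP_LIFETIME_SIGNING

$sig = Get-AuthenticodeSignature -FilePath $FilePath
"Signature status : $($sig.Status) ($($sig.StatusMessage))"

if (-not $sig.SignerCertificate) {
    Write-Warning "No signer certificate found; the file is not Authenticode signed."
    return
}
$cert = $sig.SignerCertificate
"Signer           : $($cert.Subject)"
"Issued by        : $($cert.Issuer)"
"Valid            : $($cert.NotBefore) .. $($cert.NotAfter)"
"Timestamped      : $([bool]$sig.TimeStamperCertificate)"

# Chain check. One or more intermediate CAs between the signer and the root
# are expected; what matters is that the chain terminates at a root present in
# the local Trusted Root Certification Authorities store with no status errors.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
"Chain builds     : $chainOk"
$i = 0
foreach ($el in $chain.ChainElements) {
    $role = if ($i -eq 0) { 'leaf' }
            elseif ($i -eq $chain.ChainElements.Count - 1) { 'root' }
            else { 'intermediate' }
    "  [$role] $($el.Certificate.Subject)"
    $i++
}
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("Chain problem: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}

# EKU check: read the Extended Key Usage extension from the signer certificate.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
"EKUs             : $($ekus -join ', ')"

if ($ekus -notcontains $OID_CODE_SIGNING) {
    Write-Warning "Signer lacks the Code Signing EKU ($OID_CODE_SIGNING); Windows will not accept it for Authenticode."
}
if ($ekus -contains $OID_LIFETIME_SIGNING) {
    Write-Warning "Lifetime Signing EKU ($OID_LIFETIME_SIGNING) present: signatures become invalid after $($cert.NotAfter) even if timestamped."
}
```

Run it as `.\Check-CodeSigningCert.ps1 -FilePath C:\build\setup.exe` (script name and path are placeholders). A chain that lists an `intermediate` element but still reports `Chain builds : True` is the healthy case the GlobalSign comment describes; a `Lifetime Signing` warning is the StartSSL case, and for a long-lived installer you would want a certificate without that EKU plus a timestamp, so the signature outlives the certificate.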