Does anyone know where I can get an inexpensive Java code signing certificate? Everywhere I look wants $200 to $300 per year! Unfortunately I cannot use a self-signed one, I'm trying to get rid of the scary warnings so that users will be more likely to accept my application. And as far as I know (per this question), it has to be a code signing certificate, it cannot be an SSL certificate.

A: 

Cheapest I can find is $149/year (if you buy 3 years at once) from GlobalSign. Not great, I know!

Oli
Can you give a direct link? When I browse their site the best I see is $187/year (if you buy 3 years at once). Maybe it's some promotion I missed?
davr
I read that price on a blog talking about them. They've [rather unhelpfully] since upped their prices.
Oli
A: 

Comodo has code-signing certs for $179.95/year and you only need to buy 1 year. They don't talk about Java. I don't know if they are different than what you use to sign Microsoft based stuff.

Darrel Miller
A little cheaper, but I was hoping for a lot cheaper. You can get an SSL certificate for $20, why not a code certificate? :(
davr
+12  A: 

How about $80 a year? Tucows apparently resell for Comodo at their Author Site. Again, apparently, they give further discount for 3 years (~$199).

I can't confirm any of this without creating an account there (which is, frankly, above my pay grade) but if it is that much and it does work with Java, $66 a year for 3 years doesn't seem too steep.

Hopefully GoDaddy will add this to their bag of tricks one day.

Edit!

The prices are as follows:

  • 1 year for $75
  • 2 years for $140 ($10 saving)
  • 3 years for $195 ($30 saving)

And by the looks of things, they can be used for signing Java apps. Happy days.

Oli
That's a good price compared to the others, and I can confirm it because I created the account and saw the prices. For future reference, 1 year = $75, 2 years = $140, 3 years = $195.
davr
Awesome! I'll edit my post so it's more accurate for future people who stumble in here.
Oli
Bought one from Tucows a few months back. Works fine, no problems.
Roddy
Yes, it's the best I've seen as well. I signed up last year for 3 years, just in case they stopped offering it at that price. I was fuming at the time that Comodo would sell their product on their own site for so much more than they let a reseller sell it.
lkessler
GoDaddy now DOES offer codesigning certificates, but at ridiculously expensive rates:

  • 1 year for $199.99
  • 2 years for $359.98 ($40 saving)
  • 3 years for $509.97 ($90 saving)
Henning
Thanks, it works! It's a bit of a process to get it to work (converting their cert into a cert that can be recognized by keytool), but it's worth the huge cost savings. It's the "UTN-USERFirst" signer CA in the JRE, in case anyone is curious.
CarlG
+1  A: 

You can also get heavily discounted Comodo certificates from:

  • Lindersoft: $79 for one year, $200 for 3 years, plus a 25$ membership fee
  • K Software: $99 per year
Roddy
+6  A: 

What about startssl? They offer code signing certificates for 49.90$ for 2 years (with wild card capabilities). I haven't tried using it, so no guarantees, but it looks good.

Mirko Jahn
AFAICT, StartCom certificates are only 'trusted' by Windows 7, or earlier Windows versions with an appropriate root certificate upgrade installed: https://blog.startcom.org/?p=205 However, it's certainly interesting.
Roddy
I always wondered how serious StartCom is. Their website looks very old and cheap, and today their SSL connection fails: https://auth.startssl.com/ (SSL connection error). Anyway, it looks like they managed to get accepted by Microsoft as a root CA.
Sorin Sbarnea
Notice that Java brings its own certificate list and does not implicitly trust the same certificates as the operating system.
Thorbjørn Ravn Andersen
+5  A: 

You can tell if a CA's certs will work for Java code-signing by examining the Java cacerts file, which lists all the CAs known to Java. If their cert is in this file, then Java will not complain about the signed code. If it isn't, then it will warn the users. For example:

root@girflet:~# keytool -list -keystore /usr/lib/jvm/java-6-sun-1.6.0.15/jre/lib/security/cacerts | grep comodo

Enter keystore password: changeit

comodoaaaca, 02-May-2006, trustedCertEntry,

Note that I had to enter the default keystore password, changeit. This command should work on Windows as well, although you'll have to change the path to the cacerts file and you won't have grep. Use more instead and page through until you find or don't find what you're looking for.

As of today, Comodo is in the cacerts file, and startssl isn't. So a startssl cert wouldn't be much good for Java code.

realflash
It's a little trickier than that, since certs can be chained. E.g. startssl might inherit from comodo, and in that case it would be accepted without complaining.
davr
Might need a "-v" on MacOSX to run that list command: keytool -list -v -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Home/lib/security/cacerts -storepass changeit
Jason Thrasher
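The cacerts check from this answer, extended to cover the chaining point raised in the comments, as an added example that is not part of the original thread: instead of grepping for the CA's name, it compares every issuer in the signing certificate's chain against the subjects listed in the trust store. All aliases and DNs below are constructed sample data, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Real listings would come from keytool, for instance:
#   keytool -list -v -keystore <path-to>/cacerts -storepass changeit
#   keytool -printcert -v -file <your-cert-chain-file>

# Constructed, trimmed trust-store listing (two root entries).
CACERTS_LISTING='Alias name: exampleroota
Entry type: trustedCertEntry
Owner: CN=Example Root A, O=Example Trust, C=US
Issuer: CN=Example Root A, O=Example Trust, C=US

Alias name: examplerootb
Entry type: trustedCertEntry
Owner: CN=Example Root B, O=Example Trust, C=GB
Issuer: CN=Example Root B, O=Example Trust, C=GB'

# Constructed chain: leaf -> reseller intermediate -> Example Root B.
CHAINED='Certificate[1]:
Owner: CN=My App Publisher, O=Example Dev, C=US
Issuer: CN=Cheap Code Signing CA, O=Example Reseller, C=US
Certificate[2]:
Owner: CN=Cheap Code Signing CA, O=Example Reseller, C=US
Issuer: CN=Example Root B, O=Example Trust, C=GB'

# Constructed chain whose issuer is not in the trust store.
UNCHAINED='Certificate[1]:
Owner: CN=My App Publisher, O=Example Dev, C=US
Issuer: CN=Unlisted Root, O=Other CA, C=IL'

owners()  { sed -n 's/^Owner: //p'; }    # subject DN of each listed cert
issuers() { sed -n 's/^Issuer: //p'; }   # issuer DN of each listed cert

# chains_to_trusted <trust-listing> <chain-listing>
# Prints the first issuer DN in the chain that is also a trust-store subject;
# returns non-zero when no certificate in the chain is issued by a listed CA.
chains_to_trusted() {
  trusted=$(printf '%s\n' "$1" | owners)
  printf '%s\n' "$2" | issuers | while IFS= read -r dn; do
    if printf '%s\n' "$trusted" | grep -Fxq -- "$dn"; then
      printf '%s\n' "$dn"; break
    fi
  done | grep .
}

chains_to_trusted "$CACERTS_LISTING" "$CHAINED"   || echo "no trusted issuer"
chains_to_trusted "$CACERTS_LISTING" "$UNCHAINED" || echo "no trusted issuer"
```

This compares names only; `jarsigner -verify -verbose -certs` on the signed jar performs the actual signature and chain validation.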
A: 

Thanks for the note about Comodo and the Tucows/author page. I've just finished the whole process and it's exactly as said before - it works with java CA certs (I've checked java 1.6 on winXP and 1.6 on mac os x) with no problem. And it's much cheaper than verisign/thawte.

For the last 4 years I was buying 2-year ones from thawte, but not anymore. The only thing you have to do is:

  • export this cert to a *.p12 file (it depends on your OS; on mac os it's as simple as right-clicking on the cert and choosing the "export" option :))
  • import this cert into new keystore (java one) which is recognized by jarsigner, something like this: keytool -importkeystore -v -srckeystore exported-file-name.p12 -srcstoretype PKCS12 -destkeystore dest-keystore-filename-for-use-with-jarsigner

Additionally you can change the alias (mine was "klucz z secure.comodo.net") to something better :) But it's not necessary, just for convenience.

best regards, and thanks again for this tip (3 years for $195 ;-))

zgibek
A: 

Another good option (don't know how long this will last) is http://www.discountcodesigning.com/ They give you a real GlobalSign certificate for $99 (usually $229).

Despite the lack of branding, the site is run by GlobalSign themselves, and was registered just over two months ago. I have a feeling that they're doing price-testing to see how many more sales they get.

dordal
+1  A: 

This is from an email which I received:

On 05/10/2010 08:22 PM, From XY: Dear Sir or Madam

I have a rather simple question: Will I be able to sign an Adobe AIR Application with the “Start SSL Verified” Object Sign Feature? I have not found any information on this on your Website or the FAQs.

It depends what the basis for the trust anchor is, but I suspect since Adobe doesn't support the StartCom root yet, there will be probably a warning for this type of application.

So far Windows, Apple and Mozilla applications and extensions are supported.

Regards

Signer: Eddy Nigg, COO/CTO StartCom Ltd. Twitter: Follow StartSSL™ XMPP: [email protected] Phone: +1.213.341.0390

Besi
A: 

Hi,

If you want a free code signing certificate, or a commercial one (€17* for 1 year), which can only be used in closed communities, then try one from Ascertia: http://www.ascertia.com/OnlineCA/default.aspx

Regards, Wahaj

Wahaj
Not interested in 'closed communities', if I was, I'd just use my self-signed certificate. The point of paying for one is so that random people on the internet can access my file and verify the certificate, without knowing me in advance. Thanks though.
davr