Code signing certs for Windows thread

My OV certs for Windows are going to expire soon, so I am looking to renew them.

In the past I used KSoftware.net and some years ago everything went fine.
Looking at the TrustPilot ratings and comments, it’s a mess now.
K Software Reviews | Read Customer Service Reviews of ksoftware.net

I looked at Code Signing Certificate, Cheap Comodo Code Signing, Digital Code Signing
But TrustPilot, same problems as with KSoftware.

So my question: Which provider could you recommend (with low/good prices)?

Update:
I did send a mail to LeaderSSL and they replied within 30 minutes.

They claim the following is needed to do the verification process:

  • ID card (with address).
  • A selfie of you holding the ID card.
  • Dun&Bradstreet link (every official company is listed there).
  • A phone call.

Mostly the verification is cleared within 48h

The only thing is, they do not have software like kSign.
Not sure if you can use the keys from other providers to code sign your stuff.

You can use DigiCert software, k-sign software, Windows cmd or Inno scripting (with Windows cmd).

1 Like

You will need the signtool from Microsoft. According to their docs it’s included in the Visual Studio installer.

It was also included in the Ksign installer, but that tool stores your certificate password hex-encoded in a text file so I really would recommend not using it.

2 Likes

Again, American-centric.
We don't have ID cards in the UK. I wonder what they will ask for…
They offer EV SSL certs for 5 years at less than £500.
I wonder why code signing EV certs are massively more expensive?

Weird, LeaderSSL is based in Amsterdam, The Netherlands.
Do you have any ID with your address? (driver’s license or other)

In Mexico, they changed the driver’s license to not have an address (at least in Tamaulipas). The passport has no address too. I don’t know what they accept in this case.

If no address is shown on the ID card (in Belgium this is the case) you need to provide, for example, an electricity bill too.
Also a Dun&Bradstreet link to your company is important, so it seems. That for sure rules out people who do not have a VAT.

Anyhow, I am probably going to buy at LeaderSSL next week and pay with PayPal so if needed a refund is easy to do.

Well, it seems I do have a DUNS number, even though I’m not registered for VAT.
So there’s that.
It’s a pain though.

It seems KSign can only be used by certs that are bought at KSoftware (it does call home before calling the cert provider timestamp server).
So I made a similar tool where you can set the timestamp server. This way it works to code sign with all cert providers.

I need to tweak and do some more tests and will release it for free (maybe someone with a GitHub account can make it opensource later).

2 Likes

I have been using DigiCert certificates with ksign. No problem.

1 Like

Perhaps a passport will do?

Ksign.exe does call home (http://ksoftwaren.net/sh/426775). Not sure what it does but I did read somewhere only Comodo or Sectigo certs work.

Perhaps I am using an old version that does not call home, but it works flawlessly.

1 Like

Update communication with LeaderSSL:

They are very fast in answering my questions (and very friendly too). That gives me some confidence to buy my certificates there.
I am going to buy new certs on Monday and see how it goes.

1 Like

I also added a verification option so you can check if the file is already code signed (if yes, it shows more details).
It also accepts file drops.

A screenshot how it looks for now…

Screenshot1

2 Likes

Funny … it seems the timestamp servers cannot use https 🙂

Here is the download link of the project file (including SignTool.exe).
Zip PW: Xojo

EDIT:
Forgotten to add: The password is not saved encrypted in the .ini file. So you may need to add some code for doing this.
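
The two storage problems mentioned in this thread (a certificate password kept hex-encoded in a text file, and one kept unencrypted in an .ini file) can be audited for with a short script. This is an added example, not code from the thread or from either tool; the INI layout, key names and values are constructed.

```python
import configparser
import re
import string

# Constructed settings file; section names, key names and values are
# hypothetical and not taken from KSign or the tool posted in this thread.
SAMPLE_INI = r"""
[Signing]
CertFile = C:\certs\codesign.pfx
TimestampUrl = http://timestamp.example.invalid
Password = 5375706572536563726574313233

[Legacy]
PfxPass = hunter2-plain
BuildId = deadbeef
"""

SECRET_KEY = re.compile(r"pass|pwd|secret", re.IGNORECASE)
HEX_VALUE = re.compile(r"(?:[0-9a-fA-F]{2}){4,}")
READABLE = set(string.printable) - set(string.whitespace) | {" "}


def classify(value):
    """Say how a stored secret is protected on disk."""
    if not HEX_VALUE.fullmatch(value):
        return "plaintext"
    try:
        decoded = bytes.fromhex(value).decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"  # not readable text; may or may not be encrypted
    # Hex that decodes to readable text is an encoding, not encryption.
    return "hex-encoded" if set(decoded) <= READABLE else "opaque"


def audit_ini(text):
    """Return (section, key, finding) for each secret-looking key."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the original key case
    parser.read_string(text)
    return [
        (section, key, classify(value.strip()))
        for section in parser.sections()
        for key, value in parser.items(section)
        if SECRET_KEY.search(key)
    ]


if __name__ == "__main__":
    for section, key, finding in audit_ini(SAMPLE_INI):
        # Report the location and finding only; never echo the secret itself.
        print(f"[{section}] {key}: {finding}")
```

Either finding means anyone who can read the file can recover the certificate password. signtool can select a certificate from the Windows certificate store with `/sha1 <thumbprint>` instead of a PFX file and password, which avoids storing the password at all.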

How did it go?

Forgotten to update my findings with LeaderSSL:

I can highly recommend LeaderSSL. They are extremely helpful and very fast at answering questions, and they guide you through the whole process.
Dealing with Sectigo is another matter. In short, it’s all black and white doing the verification process.
Basically this is what they need to do the verification:

  • A photo of your ID card.
  • A selfie of you holding the ID card.
  • If you have a company and VAT, you also need to prove this via Dun & Bradstreet and VIES.
  • If you do not have a company, you need to have an ID card with your address shown. If your ID card does not have an address shown, you will need to go through an extra verification process with a notary (which will cost you about $500).
  • Proof that you are the owner of the domain used by your company. They use WHOIS for this. But for EU domain owners this does not work, because under GDPR the owner is not shown, only the registrar. In this case you need to provide the latest invoice of your domain provider that shows you are the owner.

And be prepared for a dozen questions from Sectigo about all kinds of (stupid) details. Anyhow, it takes about 4 days (in my case) to get verified.

Important! In the past you needed to use Firefox to get your certs. For Windows, this is not working anymore and you need to use Internet Explorer 8 or Edge.

Regarding doing the code signing:
kSign (of KSoftware) does not work with the OV certificate I received. Luckily I made my own code sign tool and that works fine.

Relieved that I now have a new OV certificate for 3 years. 🙂

1 Like

Forgotten a step:

  • They also do a phone call verification.

For this they use a phone number found on the internet linked to your name or company. They will not use a phone number you provide. So make sure your phone number is registered at for example Whitepages (for EU).