Codesign for Windows

I just went through renewing my signing certificate through Comodo. I have renewed it for about 5 years now but had to go through the new “Face-to-Face” validation since I’m an individual. Found a notary public in town that was highly recommended, so that was a good experience, and she faxed and mailed everything to Comodo on my behalf. It took about 3 days and Comodo issued me my certificate (.pfx certificate).

I do not sell software but sign so my friends and family do not get all scared :stuck_out_tongue:

If anyone has any questions on the process for getting a cert, I would be happy to help answer from my experiences as an individual, as a business has other requirements.

I bought mine as a company and got it in under 24 hours. My company has a D-U-N-S number. They didn’t call or email for info or docs. 22 hours after the order, I received an email that says:

QUOTE
In order to complete the validation process we will be performing a callback (via Telephone) for this order. Please allow up to one business day before contacting our validation department about this order. We are processing your order and collecting the required documentation to verify your organization details and your telephone number. If we are unable to verify the required information we will contact you via email to let you know what we require. We will perform the callback only after all required documentation has been collected.

We have verified a phone number for your organization. In order to review this phone number and initiate the callback please click here.
UNQUOTE

Initially, I wasn’t sure whether to initiate the callback or to wait for them to do it. I eventually just clicked on the link (more than an hour later), which brought me to a Comodo webpage that showed my phone number and asked me to verify it. I clicked on the button that says my phone number is correct and the page then showed an input textbox asking for a PIN. Seconds later I got a call from Comodo. It was automated and I was given a 6-digit PIN. I entered this into the webpage, clicked a button, and then a message said verified.

Within a minute or 2, I received an email from Comodo:

QUOTE
Thank you for placing your order. The necessary background checks have been successfully completed and we are pleased to announce that your Code Signing Certificate has been issued.

To collect your Code Signing Certificate, please click here.
UNQUOTE

I do not know where they collect the required documentation to verify my organization details. I can only guess it is from my D-U-N-S number.

I should add that I did not provide the D-U-N-S number to KSoftware/Comodo. The order page did not have a provision for this. But if they go to the D&B DUNS website and search for my company name, they can find it.

I have not applied for an Apple Developer program yet. I did check out their website last year for the procedure and think they do ask for a D-U-N-S number.

Here is a link to Apple:
https://developer.apple.com/support/D-U-N-S/

I just purchased a codesigning certificate from kSoft. Seamless. They verified my LLC from my phone number in the D-U-N-S database and voila, I’m certified!

Quick question. Do you codesign the main .exe, the DLLs and the installer .exe, or what?

Thanks

  1. I codesign the exe and a few DLLs that are mine.
    This prevents the UAC security popup, when running the program, that shows “unknown publisher”.

  2. Then after I create the installer, I codesign the installer also.
    This prevents the Windows security popup when downloading that says this file (installer) is from an unknown publisher and might harm the computer. Some of my users say they cannot find the installer afterwards.

Different behaviour depends on the Windows user and UAC settings.

I looked into Windows files. Some are signed, some are not. For example, the newer MSVC*.dlls are signed while the older ones are not. Nearly all their OCXes are signed.
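The two-step order described in this answer (sign your own exe and DLLs, build the installer, then sign the installer) can be scripted and checked. The following PowerShell is an added example, not code from this thread or from any poster; it assumes signtool.exe from the Windows SDK is on PATH, that the CA-issued .pfx sits at the assumed path in $PfxPath, and that $TimestampUrl is replaced with your CA’s RFC 3161 timestamp service (the value below is a placeholder). File names such as MyApp.exe, MyHelper.dll and MyApp-Setup.exe are likewise assumed.

```powershell
# Added example (not from the thread): sign own binaries first, then the installer
# that wraps them, and verify every shipped artifact before release.
param(
    [string]$PfxPath      = 'C:\certs\codesign.pfx',                    # assumed path
    [string]$TimestampUrl = 'http://timestamp.example.invalid/rfc3161', # placeholder: your CA's URL
    [string]$BuildDir     = 'C:\build\MyApp'                            # assumed path
)

# Prompt for the .pfx password instead of hard-coding it in the script.
$secure   = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$PlainPwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

function Invoke-CodeSign {
    param([string[]]$Files)
    foreach ($f in $Files) {
        # /fd sha256: file digest algorithm.
        # /tr + /td sha256: RFC 3161 timestamp, so the signature stays valid
        # after the certificate itself expires.
        & signtool.exe sign /f $PfxPath /p $PlainPwd /fd sha256 /tr $TimestampUrl /td sha256 $f
        if ($LASTEXITCODE -ne 0) { throw "signtool failed on $f" }
    }
}

function Test-SignedBinary {
    param([string]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        File        = Split-Path $File -Leaf
        Status      = $sig.Status                   # expect 'Valid'
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
    }
}

# Step 1: the application's own executable and DLLs (explicit list, so that
# third-party DLLs that already carry their vendor's signature are left alone).
$ownBinaries = @("$BuildDir\MyApp.exe", "$BuildDir\MyHelper.dll")   # assumed names
Invoke-CodeSign -Files $ownBinaries

# Step 2: build the installer from the signed binaries (your installer tool goes
# here), then sign the installer itself so the download prompt names you.
# & 'C:\build\make-installer.cmd'   # assumed build step
$installer = "$BuildDir\MyApp-Setup.exe"                             # assumed name
Invoke-CodeSign -Files @($installer)

# Step 3: verify everything that ships; anything not 'Valid' or lacking a
# timestamp fails the release.
$report = ($ownBinaries + $installer) | ForEach-Object { Test-SignedBinary $_ }
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped }) {
    throw 'Unsigned or untimestamped artifact found'
}
```

Get-AuthenticodeSignature is the same check Windows performs before showing the publisher prompt, so running it on the installer you actually upload catches the common mistake of signing the binaries but shipping a rebuilt, unsigned installer.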

Thanks Cho, much appreciated. Kind of what I thought as well.

[quote=233238:@Cho Sing Kum]1) I codesign the exe and a few DLLs that are mine.
2) Then after I create the installer, I codesign the installer also.[/quote]

I’d just like to chime in and say that this is the advice that I would give as well.

My experience so far is less than optimal. Bought the certificate a week ago and KSoftware said Comodo would contact me within 1 business day. On the third day, I hadn’t heard anything, so I emailed Comodo at the email address KSoft said to use… nothing. I’ve emailed Comodo 3 times over the past few days, no response. Going to go back to KSoftware on Monday… Uggh.

At the time of order, there should be two quite immediate emails to your inbox:

  1. From KSoftware confirming order.
  2. From Comodo confirming order.

The Comodo email address is the same as in subsequent emails. If you did not receive any, maybe check the spam folder. (Just in case, for info: some free email service providers (Gmail, Hotmail, Yahoo, etc.) can have nasty filters that never deliver emails, even to spam folders, if they deem so. And if this is the case, you may never receive any email from Comodo if they are blocked. This is from my own experience, where my customers may not receive my order confirmation.)

The Comodo email provided an email address for questions regarding the validation process that is different from what KSoftware provided:

docs-enquires@
instead of
docs@

Or try the support website, where they “operate a registration-based system for support”. You need to open a ticket.

https://support.comodo.com/

Thanks, Cho. It’s not in my SPAM filter; I always check it daily, for business reasons. I found the email name difference early on and tried both. Neither one bounces back, but I know that docs-enquires is the correct one and have been using that one. It is coming from my business account, not using a free email account. I’ll wait until Monday and see if they answer; if not I will open a support ticket. Thanks for the help.

FWIW, it took me about a month to get a response from Comodo.
Eventually when they did respond they said they didn’t have enough to validate, but they didn’t actively send me anything to say so.
I did eventually get it sorted.

Sorry to hear. After I did the phone call validation, I waited a few hours then called their support number. Someone answered quickly, and my certificate was issued 5 mins later. I would call them.

Thanks. You mean call Comodo, not KSoftware?

Yes, this was the number in my email, 1-888-266-6361

OK, they contacted me this morning, call off the dogs. Thanks for the help, all.

I had similar frustration, Comodo wanted a DUNS number, but the DUNS data was using our old address/phone number, so we needed to get DUNS to update it, but DUNS wanted to verify us by fax or telegraph or something, etc. None of this actually provides any actual authentication, but it’s an interesting exercise in security theatre.

You may notice that nowadays there’s a new https://en.wikipedia.org/wiki/Extended_Validation_Certificate which costs more money and goes through another round of “proof” of who you are.

All DUNS is interested in is to sell their service. They pose as a public service, but that is BS.

Today I find using a code certificate is just like adding a help file to a solution. In other words, it’s part of being a “professional” vendor and providing a “professional” product. Asking your clients to accept and click on whatever pops up is asking your clients to violate the security in Windows. As a software vendor you simply cannot ask your clients to do that. It’s like a car company recommending that their customers ignore the traffic rules.

In the beginning a code certificate cost US$ 400-500/year. Veritas used to follow up every application with a phone call where they interviewed you. All of a sudden a flood of new certificate vendors came and the application procedure became much simpler. However, some years ago Comodo and some other companies were subject to “dark forces” who got certificates and used them for illegal purposes. As a consequence the application procedure became more complex, especially for individuals with no companies.

Given the price/year today it’s cheap. To reduce the administration and get the best price, the best is to buy for 5 years. Working with Comodo directly is a “pain in the a…” as they have language difficulties and their approach is not friendly. I must admit that I’m surprised to learn that K-Software is not giving prompt support. In my own experience they have always been great to work with.

As for third-party DLLs, I have noticed that larger Windows-based vendors actually provide clients with signed files. In some cases per request, in other cases not.

DUNS really p&$$ed me off. I needed one for Apple and my company, and boy, do they try and upsell you. Way too frequently. That and the DUNS database seems to be sold/easily searchable, so if I get another call telling me how to optimize for Yahoo!!! Well…

I could not get the DUNS agent off the phone. Must have told her 5 times I did not need what she was selling.