Well, I had to do this and got a USB token, which is now connected to my Mac regularly to sign within the Windows VM.
You can build a command line to sign without needing to enter a pin every time.
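As an added example (not code from this thread or from any of the vendors named in it), here is a PowerShell wrapper around the Windows SDK's signtool.exe that selects the token's certificate by thumbprint, signs with a SHA-256 file digest plus an RFC 3161 timestamp, and then verifies the result. The thumbprint placeholder and the timestamp URL are assumptions to replace with your own certificate's thumbprint and the timestamp server your CA documents; it also assumes signtool.exe is on PATH and that the token's middleware is installed so the certificate shows up in the CurrentUser\My store.

```powershell
# Added example: sign an executable with a certificate held on a USB token, then verify it.
# Assumptions (fill in for your own setup):
#   - signtool.exe from the Windows SDK is on PATH
#   - the token's CSP/middleware is installed, so the cert is visible in Cert:\CurrentUser\My
#   - $Thumbprint is your certificate's SHA-1 thumbprint (certmgr.msc -> Details -> Thumbprint)
#   - $TimestampUrl is the RFC 3161 timestamp server your CA documents
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $Thumbprint   = 'REPLACE-WITH-YOUR-CERT-SHA1-THUMBPRINT',   # assumption / placeholder
    [string] $TimestampUrl = 'http://timestamp.example.invalid'          # assumption / placeholder
)

# Select the certificate explicitly by thumbprint instead of letting /a auto-pick one;
# on a machine with several signing certs, auto-selection can silently use the wrong identity.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    throw "Certificate $Thumbprint not found in CurrentUser\My. Is the token plugged in and its middleware installed?"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); renew before signing."
}

# /fd SHA256: digest algorithm for the file hash.
# /tr + /td: RFC 3161 timestamp, so the signature stays valid after the certificate itself expires.
# /sha1: pick the certificate by thumbprint. The token prompts for its PIN here unless its
#        middleware offers a way to pass it (token-specific; see the note below).
& signtool.exe sign /fd SHA256 /tr $TimestampUrl /td SHA256 /sha1 $Thumbprint /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode policy (/pa) so a bad chain or missing timestamp is caught now,
# not by a customer's SmartScreen prompt later.
& signtool.exe verify /pa /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Summarise what PowerShell itself sees on the file.
$sig = Get-AuthenticodeSignature -FilePath $Path
$tsSubject = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(no timestamp)' }
[pscustomobject]@{
    File      = $Path
    Status    = $sig.Status            # expect 'Valid'
    Signer    = $sig.SignerCertificate.Subject
    Timestamp = $tsSubject
}
```

How the PIN gets supplied is token-specific rather than something signtool solves on its own: the SafeNet eToken CSP used with Sectigo tokens accepts it inline through signtool's `/csp "eToken Base Cryptographic Provider" /kc "[{{PIN}}]=ContainerName"` switches, while the YubiKey route discussed later in this thread goes through SSL.com's scsigntool.exe instead. Without one of those, the token prompts once per signing call, so a build that signs several binaries prompts several times.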
Kisgn had lost so much reputation - even when you could still get file-based certificates - that I had to remove my references to them from the blog post I wrote about ExeWrapper. Do not use “them”. It’s some guy in a basement who chooses to answer the phone at random.
I was pleased by my interactions with SSL.com. I was getting an EV certificate and they were extremely helpful in making sure I got the correct type for the documents I was willing to provide. @Thom_McGrath and I have both had success setting up automated code signing with the USB dongles from SSL.com.
I had long ago purchased from KSoftware, but on renewal I had delayed obtaining a certificate from Sectigo, and in the meantime the Windows world ‘enhanced’ their code signing process (i.e. added a 3x to 5x price multiplier).
Although this was a 3-year code signing cert, it was suddenly useless. Mitchell from KSoftware said he would offer a deal to get this working; I never heard from him again and have not been satisfied with this service.
I remember thinking that it was no longer value for money either: in older times he was able to offer a much cheaper cert, but more recently his price became pretty much the same as Sectigo’s (from which he was obtaining his certs).
From the exchanges and unanswered tickets, I can’t say I’m surprised ksoftware.net is down, sadly… hopefully it’s a temporary issue, but if I ever renew code signing for Windows I’ll probably go to Sectigo directly.
I currently am using a YubiKey from SSL and “thoroughly” enjoy the process of updating it with a new key every 3 years.
I paste the key’s password to the clipboard and run this script. I cannot find a way to supply the password.
Lots to look at there. If you used SSL.com, they seem to want to go the YubiKey route.
The guide starts at software and then moves on to ‘Plug the hardware token into a USB port’.
Was it a YubiKey, or ‘another’?
My renewal notice has come from Leader.SSL, and references Sectigo as my previous file-based option.
It’s a weird site. So far, they have generated new certificates at random just in response to me looking at pages. I have had to keep cancelling them.
Yesterday I saw an option to go USB key; now it will only offer ‘sign in the cloud’, which nobody here seems to be doing (and I don’t understand anyway).
The ELI5 description for this version of cloud signing, is that the cloud signing service has your USB token connected to their computer / server. You pay a monthly subscription fee, and in some cases a per-file fee, to upload a thumbprint of each file to their server which will use your identity (USB token) to sign the file.
I do not recommend that method for small businesses. I found it worth the cost to simplify and buy the key. The instructions for attesting your own key are available if the cost savings are worth it to you. (Everyone is different!)
When you’re struggling with the website, are you struggling with SSL.com? I can connect you with the contact I had if you are interested in them.
Their site seems easier to navigate, and it offers 10 years worth of renewal. (I doubt I’ll still be trading in 10 years, although I said exactly that 20 years ago!)
I haven’t used them before, and there’s always a worry changing providers, but using the Leader.ssl site feels like I’m playing D&D: any choice could be a trap.
Apologies all round for my obviously worried tone. In many ways, I wish it was still Y2K. Life was simpler then.
So @Mike_D, if I go the SSL.com route and get a YubiKey, the instructions linked above are the ones I need to follow?
Be sure to check out Thom’s blog to see how that works. You still have to get new certificates every 3 years. I’m not sure if the CA rules about identity validation length are circumvented by the “10 years” certificate or not. That would be a great question to ask SSL.com.
Mike’s instructions are for Sectigo / SafeNet tokens. Thom’s are for SSL.com / YubiKey tokens. I was able to get a client operational with a SafeNet token and the scsigntool.exe instructions for YubiKeys.
No need for apologies. Code signing certificates are a very large investment and I completely understand being nervous about getting it right.
I’m not sure if the CA rules about identity validation length
SSL say:
‘All signing certificates can be purchased with 1-3 year durations with discounts for longer durations as well as the convenience of only having to undergo a validation process once for longer duration certificates.’
This whole rigmarole of code signing is so fraught with traps and frustrations that I went with Sectigo not because I liked their offer, but because I already had an account with them, since I had purchased from a reseller (ComodoCA) in the past.
Turns out, when buying the new certificates it was almost like starting from scratch: I had to do the whole “prove you exist” dance again.
FYI, note that there are many resellers. Visit https://www.sectigo.com/store-login to get a sense of how many there are. You might find better prices with resellers? I don’t know.
Of note: I’m frustrated that I only got a normal “OV” certificate instead of the better “EV” certificate. The practical issue now is that whenever I put a new version of my app on my website to download, it triggers the Microsoft SmartScreen warning:
“App.exe isn’t commonly downloaded. Make sure you trust App.exe before you open it”
Eventually Microsoft learns my app is safe and this warning goes away, but I’m sure I’m losing customers until it does.
This is how it used to be. I’m not certain it works anymore. With my previous certificate, my reputation was built within hours and for the next 3 years, every build published with my certificate was automatically trusted. My understanding is this is how it is (or was) intended to work.
With my most recent certificate, after 3 months, I still hadn’t built the reputation. I did get plenty of tickets about it, and Microsoft intentionally makes the UI for bypassing the warning as obtuse as possible. It’s not discoverable at all.
I had already spent $600 on 10 years of an OV certificate, but I cut my losses and moved to Azure Trusted Signing. OV certificates just aren’t worth it anymore.
They can call it security, but it’s extortion when it comes down to it.
‘Give us money, or we will badmouth your app to your customers even though it’s codesigned’
I am also in that situation, with no more valid certificates.
I renewed them, only to find that I can’t use them with ExeWrapper like before.
After reading some posts about this problem, I bought a YubiKey and sent its certificates to SSL.com, and now I am waiting for a new certificate from SSL.com to use with my YubiKey.
Reading all these posts, I am worried. Why is it so complicated?