Sectigo Code Signing Certificate (2024 Edition)

Followup to Sectigo Code Signing Certificate Problems

My 3 year certificate was about to expire, and Sectigo was running a sale, so (perhaps against my better judgment) I decided to renew with them rather than finding another company. The price was $888/3 years.

Problems started immediately:

  • the “renew now” link in the email led to INTERNAL SERVER ERROR. Sigh.
  • after contacting sales, the salesperson said they could renew it for me over email and charge my credit card. Convenient, but this suggests a pretty lax attitude to security.
  • after the payment went through, I had to re-validate myself and my company again. I don’t know if this is required for all certificates, or just something Sectigo makes you do. I had to provide business documentation, validate over email and a published phone #, and send a selfie with me and my driver’s license.
  • after a few days, it was all validated
  • the email announced that I’d be receiving a physical token.
  • The UPS “track delivery” link in the email has no tracking number.
  • the tracking number was in the email, but has “__” characters on both sides, so if you double-click to copy and paste on UPS, it fails
  • After finally getting the tracking info from UPS, it shows the device is being mailed from Canada. I’m in the USA. I’m guessing this will not be quick.

I’ll update once I have the dongle and figure out how to use it.

Edit to add:

  • of note, so far, nowhere in this process did I have to create a CSR (Certificate Signing Request) which was something I struggled with last time. Does the dongle mean I don’t need to do that?
2 Likes

My certificate-file from KSign expires soon, and so out of the blue after not hearing from them for three years, I get an email about the expiration. Even though I had to keep nudging them, SSL.com support agents were at least helpful and in contact with me.

Does the $888 include the Yubikey?
Was this an IV, OV, or EV certificate?

My recent endeavor testing the EV waters was $1000 for 3 years + 1 Yubikey.

If you ordered a Yubikey from Sectigo, they will set this up for you. There are instructions out there for how to generate a secure certificate on the token, but you will not need to do this unless you indicated to Sectigo that you will provide your own Yubikey.

1 Like

Who the hell knows? :joy:

The first email says:

Please note your EV Code signing certificate will be provisioned upon the media device you selected and sent via postal ma

The next email says:

your OV Code Signing certificate has been issued and will be sent shortly via UPS

Both emails mention a “token” or “eToken” or “USB Token” and also say I’ll need to use the SafeNet Authentication Client which I’m really looking forward to.

If you’d like help figuring out what you ordered, I’m happy to try but I might need some private order details. You can reach me privately by support@strawberrysw.com if you’d like.

Hopefully you’ll be able to automate code signing! Here’s the info from Thom that helped me, but you’ll need a Yubikey. (We need to figure out what kind of USB Token you have).

https://thezaz.com/blog/code_signing_for_xojo_apps_on

1 Like

Thanks, Tim - I’m good to see how this plays out. My invoice says “Standard Codesigning Certificate” so I’m pretty sure I’ll get one of the following:

  • IV, OV, EV, or Standard Certificate, stored on a
  • Token, eToken, or USB token
    :rofl:

My hope is that I can follow the instructions here for getting my InnoSetup working with the SafeNet software: New method of Code Signing with K Software - #12 by Ryan_Hartz

And I missed your blog post the first time, that’s very useful. I’ll link it here again for reference: The ZAZ: Code Signing for Xojo apps on Windows with a Yubikey

So I went to the website and took a look at the offer you went for.

$888 was for 3 years IV/OV level (so still subject to SmartScreen), and they say the token is “FREE”, so you weren’t “charged” for the token.

Sectigo is offering the same free-token deal for EV at $1137, so just a tad more but still in the ballpark of SSL.com.

I gave Sectigo a call to try and figure out the details about the token. I was told “Yubikey and SafeNet are not the same thing” so I do not know if you will be able to follow the Yubikey instructions I had linked from Thom.

1 Like

How to automate SignTool with a SafeNet Token from Sectigo

Modern code-signing certificates require a USB hardware dongle. Here’s how to automate the process so you can use signTool with InnoSetup to sign Windows EXEs.

In addition, these instructions support doing the code-signing on a Windows VM hosted on macOS.

Install a recent Windows SDK
Link
Note: you only need the “Windows SDK Signing Tools for Desktop App” component which is about 15MB

Download and Install the SafeNet Authentication Client software
Link
Note: version 10.9 worked, but an earlier 10.8 version was failing for some reason. The “typical” install option is good.

Launch “SafeNet Authentication Client Tools”
“SafeNet Authentication Client” may also show up in the Start menu, but you need the “…Tools” version

Plug the hardware token into a USB port
Note: if you are using a Virtual Machine, the USB hardware may show up as two separate devices, and if you connect the wrong one, it only partially works (the app freezes up for 3 minutes and shows “Orphan Objects” instead of your actual certificates)
I connected the one named Aladdin Knowledge Token JC to my Windows VM USB and it worked.
I’m using VMWare Fusion 13.6.1 running a Windows 10 VM build 19045 hosted under macOS 14.7.1 on a 2019 Intel MacBook Pro

Optional: Change the Token Password
Note: be careful here - my token has 3 password attempts before bricking, so make sure you are changing the right password (there is a user password and an admin password).

Test SignTool
At this point, you should be able to use signtool to sign an EXE, but it will require you to enter your token password every time.

Example signtool command:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" sign /v /tr http://timestamp.sectigo.com/ /td sha256 /fd sha256 /d "A Description"  /n "My Company" "C:\path\to\MyApp.exe"

Notes

  • /n "My Company" should be the same name as your Token name
  • the signtool path ...\bin\10.0.26100.0\ may be different based on the SDK version you installed

Automation
There are two options to make signtool easier to use.

  • Single Logon mode: requires you to enter the token password once, and it will keep working until you log out. This is probably the more secure option, but won’t work for completely unattended builds or batch processing. To use this mode: inside SafeNet Authentication Client, click ‘Client Settings’, ‘Advanced’, and then enable the Single Logon checkboxes.

  • Full Automation - in this mode, you export a certificate file from the hardware token, and then include your token password in the batch file. Less secure, but the only way to do full automation of your builds.

Full Automation Steps
Reference: Link

In SafeNet Authentication Client
Export your public certificate

  • Click ‘Advanced’ (gear icon)
  • navigate to Tokens/Token Name/User certificates/Company name
  • right click and choose “Export Certificate”
    This will export your Public certificate. Save it to a convenient location

Find the Container Name

  • Look for your Private Key
  • find the Container Name. Mine looked like this:
    Sectigo_202411xxxxxxxx
  • note the Cryptographic Provider - it should be
    eToken Base Cryptographic Provider

Create a signtool command
The signtool command will use the Public Certificate and Token Password with a special /csp option

Sample command line:

IMPORTANT Notes:

  • the [{{ and }}] characters below are literals and must be included surrounding your actual password
  • be careful!
    if you get the password wrong 3 times, it’s easy to brick your dongle.
  • the string /csp "eToken Base Cryptographic Provider" is a literal - use it exactly as shown (it needs to match the Cryptographic Provider field in your Private Certificate)

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" sign /v /tr http://timestamp.sectigo.com/ /td sha256 /fd sha256 /d "A descriptive comment"  /f "C:\path\to\my\PublicCertificate.cer" /csp "eToken Base Cryptographic Provider" /k "[{{MyTokenPassword}}]=MyContainerName" "C:\path\to\myApp.exe"
2 Likes
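An added example (my own script, not code from the original post, Sectigo or SafeNet) that wraps the full-automation command above so the token password is kept in a DPAPI-protected file instead of the batch file, is never retried after a failure, and the result is verified. The signtool path, .cer path, container name, description and the pin-file name are placeholders and assumptions to replace with your own values.

```powershell
# Added example, not from the original post: PowerShell wrapper for the
# "Full Automation" signtool command. The token password is stored once,
# DPAPI-encrypted for the current Windows user, and decrypted only for the
# duration of the signtool call, so it never appears in a batch file.
# Paths, the container name and the description are placeholders to replace.
param(
    [Parameter(Mandatory = $true)][string] $ExePath,
    [string] $SignTool   = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe',
    [string] $PublicCert = 'C:\path\to\my\PublicCertificate.cer',
    [string] $Container  = 'Sectigo_202411xxxxxxxx',             # Container Name shown under Private Key in SafeNet Tools
    [string] $PinFile    = "$env:USERPROFILE\sectigo-token.pin",  # hypothetical file name, DPAPI-protected content
    [switch] $StorePin                                            # run once interactively to create $PinFile
)
$ErrorActionPreference = 'Stop'

if ($StorePin) {
    # ConvertFrom-SecureString without -Key uses DPAPI: only this user on this
    # machine can decrypt the file, so it cannot simply be copied to another box.
    Read-Host -Prompt 'Token password' -AsSecureString |
        ConvertFrom-SecureString | Set-Content -Path $PinFile
    return
}

$secure = Get-Content -Path $PinFile | ConvertTo-SecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $pin = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# [{{ and }}] are literals, exactly as in the post. The password is visible on the
# signtool process command line while it runs, so keep the build machine single-user.
$keySpec  = '[{{' + $pin + '}}]=' + $Container
$signArgs = @('sign', '/v',
    '/tr', 'http://timestamp.sectigo.com/', '/td', 'sha256', '/fd', 'sha256',
    '/d',  'A descriptive comment',
    '/f',  $PublicCert,
    '/csp', 'eToken Base Cryptographic Provider',
    '/k',  $keySpec,
    $ExePath)

& $SignTool @signArgs
$pin = $null   # drop the plaintext reference as soon as signtool returns
# Never retry on failure: a wrong password counts toward the token's three
# attempts, and three failures brick the dongle.
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE; not retrying" }

# Verify the signature with the default Authenticode policy before shipping the file.
& $SignTool verify /pa /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signature verification failed with exit code $LASTEXITCODE" }
```

Run it once with `-StorePin` to create the protected file, then call it from the InnoSetup sign command with just `-ExePath`.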

$888 for a 3 year OV certificate?! I paid ~$650 for a 10 year OV certificate!

2 Likes

Actually, I’m still not sure what kind of certificate I got (both EV and OV were mentioned in the process – Sectigo still seems fairly disorganized.)

Is there a way to look at some fields in the certificate and tell which I have?

The Issuer field will contain the phrase “EV” somewhere easy to spot.

1 Like
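An added example (not from the original thread) that reads the .cer exported from SafeNet Authentication Client and, alongside the Issuer field mentioned above, checks the Certificate Policies extension for the CA/Browser Forum EV code-signing policy OID 2.23.140.1.3. The .cer path is a placeholder.

```powershell
# Added example, not from the original thread: inspect the exported .cer to
# tell an EV certificate from an OV one. The path is a placeholder.
# The CA/Browser Forum policy OID for EV code signing is 2.23.140.1.3; its DER
# encoding is 06 05 67 81 0C 01 03, so the check looks for that exact TLV in
# the Certificate Policies extension (OID 2.5.29.32) rather than trusting text.
param([string] $CerPath = 'C:\path\to\my\PublicCertificate.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

$policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$isEv = $false
if ($policies) {
    # BitConverter puts dashes between bytes, so the match is byte-aligned.
    $hex  = [System.BitConverter]::ToString($policies.RawData)
    $isEv = $hex.Contains('06-05-67-81-0C-01-03')
}

[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer          # the reply above says EV issuers show "EV" here
    NotAfter = $cert.NotAfter
    Policies = $(if ($policies) { $policies.Format($true) } else { '(no Certificate Policies extension)' })
    Kind     = $(if ($isEv) { 'EV code signing' } else { 'OV / standard code signing' })
} | Format-List
```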

If you have the money and time, EV is definitely the way to go because as Tim mentioned, you get instant SmartScreen.

But as Thom said, there’s a huge cost difference (my OV cert is similar to yours at 10 years and at a similar cost). Also add in the fact that at every EV renewal, you need to jump through the purchase and validation hurdles again. At least at the time I did ssl.com a year or so ago, this means getting a certified letter from your accountant or lawyer on the validity of your business. Not hard to do but more time and expense and you’ll be doing this three times during the span of a 10-year OV cert.

The OV cert on the other hand doesn’t come with instant SmartScreen, but your app should gain this reputation as your app gets downloaded and used.

So no right or wrong answers here, just different ones depending upon one’s needs, time availability to invest in the process and one’s pocketbook.

Looks like I did not get an EV certificate, but rather the plain old OV (standard) one.

Also, the device is not a Yubikey, it appears to be a SafeNet eToken 5110 or similar which looks like this:

1 Like

Hi Thom, who did you go through? I paid around $600 for 3 years at Sectigo late last year. A bit of hassle to get all the documents together, but I eventually got there. I used them mostly because I previously had a Sectigo OV through KSoft, whom I could never get to respond, so going straight to Sectigo seemed reasonable at the time.

It’s part of my blog post on the subject, but I used ssl.com. I found them a lot easier to deal with than Sectigo and KSoft.

1 Like

Thanks, I will certainly check them out in 2 years when my current certificate is up for renewal.

Truer words were never spoken. My experience this year with SSL.com was so much smoother than Sectigo. Part of this, I’m sure, was that with experience I had my own ducks in a row.

My last Sectigo experience was wild, though. I got my attorney involved. He said to me (after they wanted to vet HIM), “who are these people?!” :slight_smile:

I got that same token with Sectigo and it works fine. The previous dongle was lost in the mail. I am able to codesign my Xojo apps in Parallels Desktop using an M1 Mac mini.

It’s not the easiest process, but I thought it would be a lot more complicated when they went from all software to hardware-assisted. They also had to validate the company again and it was a bit tedious. But as long as I don’t misplace the token and it keeps on working, I’ll be happy for the next 3 years.

1 Like