Windows code signing in 2021

A few comments about your blog post:

  • It might be worth mentioning that EV certificates require some sort of extra verification during signing. At one point we had to mail a USB stick to the issuer so they could put the certificate on it and mail it back. We were told it would not work if moved from the drive, but I have no idea how that could be true. For another issuer, we have to use a YubiKey to generate OTP codes for each file signed, or use their online verification for $10 per file signed. Both options seriously hurt build automation.

  • Last time I “renewed” with Sectigo, they told me they don’t use D&B anymore. I forget who, but they let some other company hold your business hostage now.

  • SmartScreen score appears to stay with the certificate. At least, the only time SmartScreen ever interrupts is for a few days after “renewal” for me. Combined with arduous validation, buying the longest certificate you can afford is strongly recommended.