Code signing

Certum is granting open-source developers free code signing certificates. I have applied, and got a certificate in less than a day.

UAC prompt

I’ve signed most executables I have released on files.thecybershadow.net, and plan to sign those I release in the future, especially for programs that need to run elevated (such as TrimCheck).

You can find details on how to apply on Pete Batard’s blog. My additions to Pete’s article:

  • Avoid using Opera 12 or earlier. A known bug might delete the private key required to use and export the issued certificate, and you will be forced to reapply.
  • If you use a web browser which uses Windows’ certificate store, such as Chrome, you will not need to export the certificate and specify it manually – after clicking “Install Online” on Certum’s website, signtool sign /a should pick it up immediately.
  • I couldn’t use the certificate immediately after obtaining it – its status was indicated as “expired or not yet valid”, and signtool displayed the error “The signer’s certificate is not valid for signing”. The problem disappeared after an hour – I assume this to be due to timezone differences.
  • This certificate can only be used to sign Windows user-mode executables. It cannot be used to sign 64-bit drivers, but I heard that the ReactOS Foundation may sign your open-source driver for you.
  • Unlike the cheap StartSSL code-signing certificates, the signatures on your signed files will remain valid even after the certificate used to sign them expires. StartSSL certificates “contain the enhanced key usage (EKU) attribute “Lifetime Signing” (1.3.6.1.4.1.311.10.3.13), which causes the file signatures to expire when the certificate expires, regardless of any timestamps”.

My thanks to Certum for providing this free service to the open-source community.

Update 2015-09: It looks like the certificates are no longer free. The price is still very low ($14), however my country (Moldova) is not in their country drop-down list in the checkout page, so I can no longer use a Certum certificate. I have contacted Certum about this, but even though the representative told me he will look into the issue, I never received a reply.

3 thoughts on “Code signing

  1. Debdut Biswas

    Sir, I want to buy a open source code signing certificate from certum. I have an account in certum but when ever I filled the form to buy a certificate India is not listed in country field in the submission form. Please help me…

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *