Certum is granting open-source developers free code signing certificates. I have applied, and got a certificate in less than a day.
You can find details on how to apply on Pete Batard’s blog. My additions to Pete’s article:
- Avoid using Opera 12 or earlier. A known bug might delete the private key required to use and export the issued certificate, and you will be forced to reapply.
- If you use a web browser which uses Windows’ certificate store, such as Chrome, you will not need to export the certificate and specify it manually – after clicking “Install Online” on Certum’s website, signtool sign /a should pick it up immediately.
- I couldn’t use the certificate immediately after obtaining it – its status was indicated as “expired or not yet valid”, and signtool displayed the error “The signer’s certificate is not valid for signing”. The problem disappeared after an hour – I assume this to be due to timezone differences.
- This certificate can only be used to sign Windows user-mode executables. It cannot be used to sign 64-bit drivers, but I heard that the ReactOS Foundation may sign your open-source driver for you.
- Unlike the cheap StartSSL code-signing certificates, the signatures on your signed files will remain valid even after the certificate used to sign them expires. StartSSL certificates “contain the enhanced key usage (EKU) attribute “Lifetime Signing” (184.108.40.206.4.1.3220.127.116.11), which causes the file signatures to expire when the certificate expires, regardless of any timestamps”.
My thanks to Certum for providing this free service to the open-source community.
Update 2015-09: It looks like the certificates are no longer free. The price is still very low ($14), however my country (Moldova) is not in their country drop-down list in the checkout page, so I can no longer use a Certum certificate. I have contacted Certum about this, but even though the representative told me he will look into the issue, I never received a reply.
Update 2017-08: Moldova is now on the dropdown list, but now certificates are only purchasable together with a cryptographic token (see comments below).