Ask HN: Experience with code signing Windows apps Preparing to code sign a Windows app, coming from signing Mac apps it's a breeze, Windows not so much. What is everybody's goto place for code signing a Windows app? Also have you been able to do this on a Mac as well? |
This is where I buy the cert, as it's proven to be consistently the cheapest (no affiliation):
https://www.ksoftware.net/code-signing-certificates/
The OV cert is usually sufficient. I've never seen a reason to go with the EV cert.
Before you buy the cert, read ALL the instructions very carefully on the website, as once you apply you can't easily change things.
Things you need to have set up correctly in advance:
- A business name, not a personal name
- A website and email address for the business name
- Whois information that matches the website address / phone number to the website businesses physical address and phone number. Don't hide your Whois information!
- A landline phone number (VOIP works)
- An entry in some sort of recognised telephone directory so that the landline phone number's connection to the business can be externally validated
This all looks like overkill and many of them are illogical, but if any of these things are amiss your order will fail the basic validation, putting you getting the cert in doubt.
These 'security' steps are all meant to prevent dodgy individuals or fake business getting code signing certs, but they make it a real hassle for small businesses or one man shops to get a cert.
For this reason, always buy a cert for as many years as possible -- this isn't a process you want to be doing every year.
Indeed, an OV is sufficient, Sectigo is pretty fast at this -- you will need proof of business (phone number + proof to see that the business is still running), and that's about it.
Another "fun" fact - when you start signing, every browser will flag your app as "this application is not commonly downloaded", and this will go on for a while (2-3 weeks, sometimes even more). This might also happen for Antiviruses -- yeah, it's really fucked, I could say.
A few years back Microsoft came up with another type of code signing certificate (don't remember the name), that doesn't have the problems I outlined above. However, it usually costs 4-5x as much, and personally I don't think it's worth it.
Where though? This is what I mean by place, I would like to know the best place people get this certificate.
Again, coming from Mac, I go to Apple, for Windows where do I go?
https://docs.microsoft.com/en-us/windows-hardware/drivers/da...
I would buy a non-EV code signing cert from any of those. Look for discount codes, I know DigiCert used to have a pretty nice discount code, although it still cost a bunch of money; OTOH, DigiCert was very flexible in my experience, even when I was just a small customer; I think we had a maximum of 5 wildcard certificates at once, plus one code signing certificate, but they would issue all sorts of 'custom duplicates' and let me 'rename' a wildcard to a totally different domain to avoid buying a new wildcard, and were helpful with adjusting expirations for the sha-1 cert sunset. If the price isn't a huge barrier, I think they're cool; but I also understand if the price is a barrier.
https://github.com/mtrojnar/osslsigncode should be able to sign windows executables on a mac, but I haven't tried that personally