Go Daddy are ceasing to renew certs for Windows. Which alternative service do you use and why?
I’ve been using https://www.ksoftware.net/ for a couple years, and it has been fairly smooth. They’re a Sectigo reseller, and provide actual human support to answer any issues that might arise.
Are you going with EV 1, 2 or 3 year plan? I’m curious what folks opt for… I guess it depends on your situation, @refusesoftware.
EV. We use it for signing apps as well as device drivers.
Nice! Presumably you take the token approach (vs HSM)?
They sent us a SafeNet USB token to store the certificate, so we can only sign if the USB token is physically connected to the computer.
Matt
Woot! That’s awesome. Thanks for the insight.
I did an OV certificate, as I’m just using it to sign plug-in installers for Windows. Didn’t take long to clear that SmartScreen Reputation once I had a couple installers in the wild. Plus I didn’t want to deal with a hardware token; it’s just more stuff to go wrong if you don’t really need EV-level certification.
Initially, I started with a 1-year plan, to try out the company. Then when I renewed I switched to the 3-year, because there is some overhead involved in issuing the new certificate, and I’d rather not have to repeat that every year if I can help it.
I’ll also point out that K Software has some excellent FAQs you can reference, if you have more specific questions about using their certs for code signing:
@refusesoftware I went ahead with your suggestion of an OV certificate through the Reseller. Sectigo are now going through a validation process. Did you go through something similar? Did you have to register your business with BBB (assuming you’re in the US)?
Yes, there was a validation process with Sectigo. It requires interfacing with a clunky and impersonal bureaucracy, so leave extra time for that to complete. I didn’t register with BBB; I had already set up a Dun & Bradstreet listing (I think for Apple Developer verification, I can’t remember now), which also works for Sectigo validation.
@refusesoftware I’m all set with my OV cert from Sectigo. Do you mind if I ask what process you used to convert the .cert for signing the installers?
I don’t remember exactly, I just know I followed the suggestions in the K Software FAQ. Try this one?
I checked my notes on this, we keep the cert locally as a .p12 file. Here is the FAQ where they explain doing the certificate export from IE (yes, IE!):
These directions are to export as a .pfx file. However this format is the same under the hood as .p12, so you can just rename the file’s extension if you want .p12.
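The export step described in the post above, as an added PowerShell example that is not from the thread or from the K Software FAQ: it pulls the certificate and private key out of the current user's Windows certificate store into a PKCS#12 file without the IE dialog, then shows that the .pfx and .p12 names hold the same container. It assumes the certificate was imported with an exportable private key; the thumbprint and output directory are placeholders.

```powershell
# Added example, not from the thread or the K Software FAQ: export the code-signing
# certificate plus private key from the current user's Windows certificate store to a
# PKCS#12 file without going through the IE dialog. .pfx and .p12 are both PKCS#12
# containers, so the copy under the .p12 name is byte-for-byte the same file.
# Assumptions: the cert was imported with an exportable private key; the thumbprint
# and output directory are placeholders.

$thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'
$outDir     = "$env:USERPROFILE\Desktop"

$cert = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key in this store; nothing useful to export for signing.'
}

# The password protects the private key at rest inside the PKCS#12 file
$password = Read-Host -Prompt 'Password to protect the exported key' -AsSecureString
$pfxPath  = Join-Path $outDir 'codesign.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Same container, different extension
$p12Path = Join-Path $outDir 'codesign.p12'
Copy-Item -Path $pfxPath -Destination $p12Path

# Sanity check: both files load with the password and carry the same certificate + key
$fromPfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $password)
$fromP12 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($p12Path, $password)
if ($fromPfx.Thumbprint -ne $fromP12.Thumbprint -or -not $fromPfx.HasPrivateKey) {
    throw 'Export check failed: files differ or no private key was exported'
}
"Exported $($fromPfx.Subject) (expires $($fromPfx.NotAfter)) to $pfxPath and $p12Path"
```

A file exported this way contains the private key, so anyone who can read it and knows the password can sign as you; keep it on an access-controlled path and out of source control. That copyability is the trade-off against the USB token in the EV route discussed earlier in the thread, where the key never leaves the device.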
@refusesoftware that worked perfectly! I’m now running into an issue with the timestamping. I can’t seem to connect to the server using SignTool despite following the prescribed directions on the Sectigo website. SHA256 as per OV cert issued.
SignTool Error: The specified timestamp server either could not be reached or returned an invalid response.
Any ideas what I might be doing wrong here?
Can you post your script that you’re using to run the SignTool command?
Sure! I’m using Inno Setup Compiler 6.0.3. This is how I have configured SignTool. The double quotes around the whole command are so I can debug using command line (cmd.exe /k)
cmd.exe /k ""C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "C:\Users\My Name\Desktop\certificatename.pfx" /p mypassword /t "http://timestamp.sectigo.com?td=sha256" $f"
I tried the URL with and without quotation marks.
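The signing and timestamping step from the posts above, written out as an added PowerShell example (not the poster's Inno Setup configuration, and not Sectigo's or K Software's own instructions). It uses signtool's RFC 3161 options (/tr together with /td sha256) rather than the legacy /t switch, and covers both the .pfx route from the post above and the thumbprint route used when the private key lives on a USB token, as in the EV post earlier in the thread. The signtool path and the Sectigo timestamp host are taken from the thread; file paths and the thumbprint are placeholders.

```powershell
# Added example, not from the thread: sign a file with signtool.exe either from a
# .pfx/.p12 file or from a certificate in the Windows store (the usual route when the
# private key sits on a USB token such as the SafeNet one mentioned above), add an
# RFC 3161 timestamp, and verify the result. signtool path and timestamp host are from
# the thread; file paths and the thumbprint are placeholders to replace.

$SignTool     = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'
$TimestampUrl = 'http://timestamp.sectigo.com'   # RFC 3161 endpoint, used with /tr

function Invoke-CodeSign {
    param(
        [Parameter(Mandatory)] [string] $Path,   # file to sign (installer, .exe, .sys, ...)
        [string]       $PfxPath,                 # sign from a PKCS#12 file ...
        [SecureString] $PfxPassword,
        [string]       $Thumbprint               # ... or from the cert store by SHA-1 thumbprint
    )
    # /fd sha256: digest for the file signature; /td sha256: digest for the timestamp
    $signArgs = @('sign', '/fd', 'sha256', '/tr', $TimestampUrl, '/td', 'sha256', '/v')
    if ($Thumbprint) {
        $signArgs += @('/sha1', $Thumbprint)
    }
    else {
        # Only the file-based route needs a password; it is visible on signtool's
        # command line, so prefer the store/token route where you can.
        $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
        $signArgs += @('/f', $PfxPath, '/p', $plain)
    }
    $signArgs += $Path
    & $SignTool @signArgs
    if ($LASTEXITCODE -ne 0) {
        # The "timestamp server could not be reached" error from the thread lands here,
        # so a build never ships an untimestamped signature by accident.
        throw "signtool sign failed with exit code $LASTEXITCODE"
    }
}

function Test-CodeSignature {
    param([Parameter(Mandatory)] [string] $Path)
    # /pa: default Authenticode policy (what SmartScreen and users see); /v: print chain + timestamp
    & $SignTool verify /pa /v $Path
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status      = $sig.Status                  # expect 'Valid'
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
    }
}

# Usage (placeholders):
# $pw = Read-Host -Prompt 'PFX password' -AsSecureString
# Invoke-CodeSign -Path 'C:\build\setup.exe'  -PfxPath 'C:\certs\codesign.pfx' -PfxPassword $pw
# Invoke-CodeSign -Path 'C:\build\driver.sys' -Thumbprint '<THUMBPRINT-PLACEHOLDER>'   # token-backed cert
# Test-CodeSignature -Path 'C:\build\setup.exe'
```

Two points behind the design. A signature without a timestamp still verifies today but stops verifying once the certificate expires, which is why a failed timestamp request is treated as a build failure rather than something to retry without /tr. And a password passed with /p is readable by anything that can see the process command line, including the cmd.exe /k window left open for debugging, so when the certificate is in the store or on a token the /sha1 thumbprint route avoids putting a secret on the command line at all.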