GoDaddy Code Signing and Driver Signing Certificates no longer issued or renewed after June 1, 2021

Go Daddy are ceasing to renew certs for Windows. Which alternative service do you use and why?

I’ve been using https://www.ksoftware.net/ for a couple years, and it has been fairly smooth. They’re a Sectigo reseller, and provide actual human support to answer any issues that might arise.

2 Likes

Are you going with EV 1, 2 or 3 year plan? I’m curious what folks opt for… I guess it depends on your situation, @refusesoftware.

We’ve used https://www.globalsign.com for years. Works great.

Matt

Standard or EV, @matt?

EV. We use it for signing apps as well as device drivers.

Nice! Presumably you take the token approach (vs HSM)?

They sent us a SafeNet USB token to store the certificate, so we can only sign if the USB token is physically connected to the computer.

Matt

Woot! That’s awesome. Thanks for the insight.

I did an OV certificate, as I’m just using it to sign plug-in installers for Windows. Didn’t take long to clear that SmartScreen Reputation once I had a couple installers in the wild. Plus I didn’t want to deal with a hardware token, it’s just more stuff to go wrong if you don’t really need EV-level certification.

Initially, I started with a 1-year plan, to try out the company. Then when I renewed I switched to the 3-year, because there is some overhead involved in issuing the new certificate, and I’d rather not have to repeat that every year if I can help it.

I’ll also point out that K Software has some excellent FAQs you can reference, if you have more specific questions about using their certs for code signing:

[Code Signing Certificates : K Software]

2 Likes

That’s a really good set of points, @refusesoftware! Thank you for taking the time.

@refusesoftware I went ahead with your suggestion of an OV certificate through the Reseller. Sectigo are now going through a validation process. Did you go through something similar? Did you have to register your business with BBB (assuming you’re in the US)?

Yes, there was a validation process with Sectigo. It requires interfacing with a clunky and impersonal bureaucracy, so leave extra time for that to complete. I didn’t register with BBB, I had already set up a Dun & Bradstreet listing (I think for Apple Developer verification, I can’t remember now), which also works for Sectigo validation.

@refusesoftware I’m all set with my OV cert from Sectigo. Do you mind if I ask what process you used to convert the .cert for signing the installers?

I don’t remember exactly, I just know I followed the suggestions in the K Software FAQ. Try this one?

I checked my notes on this, we keep the cert locally as a .p12 file. Here is the FAQ where they explain doing the certificate export from IE (yes, IE!):

These directions are to export as a .pfx file. However this format is the same under the hood as .p12, so you can just rename the file’s extension if you want .p12.

1 Like

That’s what I need. I’ll give it a go! Thanks @refusesoftware!

@refusesoftware that worked perfectly! I’m now running into an issue with the timestamping. I can’t seem to connect to the server using SignTool despite following the prescribed directions on the Sectigo website. SHA256 as per OV cert issued.

SignTool Error: The specified timestamp server either could not be reached or
returned an invalid response.

Any ideas what I might be doing wrong here?

Can you post your script that you’re using to run the SignTool command?

Sure! I’m using Inno Setup Compiler 6.0.3. This is how I have configured SignTool. The double quotes around the whole command are so I can debug using command line (cmd.exe /k)

cmd.exe /k ""C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "C:\Users\My Name\Desktop\certificatename.pfx" /p mypassword /t "http://timestamp.sectigo.com?td=sha256" $f"

I tried the URL with and without quotation marks.
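An added example, not part of the thread and not from Sectigo or K Software: SignTool's `/t` switch uses the legacy Authenticode timestamp protocol, while `/tr` together with `/td` requests an RFC 3161 timestamp with an explicit digest. The PowerShell sketch below signs with `/tr` and `/td sha256` and then verifies the result. The paths are the placeholders from the post above, and using the server URL without the `?td=sha256` query string is an assumption.

```powershell
# Added example. Paths and file names are the placeholders used in the post above.
param(
    [Parameter(Mandatory)] [string] $File,
    [string] $Pfx      = 'C:\Users\My Name\Desktop\certificatename.pfx',
    [string] $SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe',
    # Assumption: the bare server URL, with the digest chosen by /td instead of a query string.
    [string] $TimestampUrl = 'http://timestamp.sectigo.com'
)

# Prompt for the PFX password so it is not stored in the script or in the
# installer project file.
$secure = Read-Host -AsSecureString 'PFX password'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# /fd sha256 : digest algorithm for the file signature itself
# /tr <url>  : RFC 3161 timestamp server (/t is the older Authenticode protocol)
# /td sha256 : digest algorithm for the timestamp request; used together with /tr
& $SignTool sign /f $Pfx /p $plain /fd sha256 /tr $TimestampUrl /td sha256 $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# /pa applies the default Authenticode verification policy; /v prints the
# signing chain and the timestamp so a missing countersignature is visible.
& $SignTool verify /pa /v $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify failed with exit code $LASTEXITCODE"
}
```

A signature without a valid timestamp stops verifying once the certificate expires, so the verify step is worth keeping in the build rather than running once by hand.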