Menu
Authenticode is a Microsoft code-signing technology that identifies the publisher of Authenticode-signed software. Authenticode also verifies that the software has not been tampered with since it was signed and published. Authenticode uses cryptographic techniques to verify publisher identity and code integrity.
There are no free code signing certificates. And be dubious of anyone that says they can offer you free code signing certificate for free. The short answer is there are compliance constraints that prevent it, and economic incentives to abide those constraints.
Comodo is a good starting point to find the cheapest code signing certificate, but one receive the best price from a reseller.
I just now verified the prices from https://author.tucows.com/. They are:
Additional condition are
The only trick to receive the price: you have to register for FREE on author.tucows.com.
One more remark. Independent of the price question I want to add one important information to be sure that you understand correctly why you need the time-stamping. If you sign a file using a code signing certificate you can use for free time-stamping from any time-stamping server like timestamp.verisign.com (see /T parameter of SignTool.exe utility). The practical advantage of time-stamping are following: if you use a code signing certificate which is legal till the end of 2010 for example, the file signature will be stay OK after the end of 2010. Without time-stamping you have to resign the file with the new certificate. The time-stamping server just confirm the date of signing. Because your certificate was OK at the date you will have no problems later. So if you need a certificate only to sell a software one time you can get a certificate for the minimal period: one year. You can read more about time-stamping in SSL Certificate Authority and Digital IDs and Trusted timestamping.
Regarding another subquestion of your question: After you will have a certificate I recommend you just use SignTool.exe utility. It is simple, for FREE and easy in use. You can find examples of the usage of SignTool.exe in Using SignTool to Sign a File and Assembly Signing Example or just start SignTool.exe sign -?.
I used Thawte for years, and now I use Comodo (the cheapest, US$179.95). When you purchase your certificate, don't forget to save your private key. You need the tutorial Code Signing for Developers - An Authenticode How-To.
I'm using a certificate from Certum for my projects. The prices are reasonable, their support is fast and actually quite good, compared to some other companies.
And they provide the certificates for free if you use it for an open source project. But you have to ask for it, they don't advertise that on their website (or I just haven't found it).
Certificate wise we've completely switched to StartSSL.com for all our SSL and code signing needs, because their (to the best of my knowledge) still unique approach to validation and certificates allows for considerably lower prices (~50 USD for 2 years, unlimited certificates) and much increased flexibility: see my answer on Pro Webmasters for some pros and cons regarding their approach in general and SSL certificates in particular.
For quite some time now they do offer code signing certificates for use with Authenticode as well, albeit still labeled as beta - we are using these successfully for ClickOnce deployed applications at several customer sites without any problems. The one thing that definitely seems to be beta quality still is their time stamping server though, which is not responsive at all times, but simply replacing it with one of another vendor worked flawless so far. While their documentation SSL wise is okay, the one for code signing is definitely very weak still (close to non existing), consequently we had to dig out most information from the forums or generic advise elsewhere.
If pricing and flexibility with certificates are your major concerns I think you won't regret to give their offerings a try; if on the other hand thorough documentation and an established process and customer base for code signing in particular are more important to you, this comparably small and distinct vendor won't fill your needs (I've personally never been happy with the respective offerings of larger and/or more expensive vendors either though).
Update:
Just realized that the related question linked by Kate Gregory already features an answer recommending StartSSL as well, so you might cross check the mentioned topics within this thread indeed.
My organization has used Verisign and Comodo (we use the former now since the Windows Error Reporting service wouldn't accept a Comodo certificate - something to consider). There's not too much to it - you can use SignTool.exe that is part of the .NET SDK (there may be other tools, but this one is easily available, especially if you have Visual Studio).
We have a script that runs the following (the %_...% variables are set within the script, %1 is the file you're signing)
signtool.exe sign /f %_PFXFILE% /p %_PASSWORD% /v /t http://timestamp.verisign.com/scripts/timstamp.dll /d %_DESCRIPTION% /du %_URL% %1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With