How to sign code?
-
I've been wanting to sign the executables of the test bank for a while now so that the Windows SmartScreen warning stops coming up. I've been looking for information but I don't understand it. Reading FAQs from US certifying authorities, I see that they only allow issuing certificates to organizations. Looking into individual certificates, I haven't found anything clear. In any case, they ask that you find a lawyer to do I don't know what legal documents that prove your identity. All of that seems like a hassle and I'm also not very sure if it's valid for Spain.
In total, after looking a bit more, I've seen that the FNMT issues code certificates but I don't know what they cost or what they ask for to verify my identity. When making the request, a form appears where they ask for things that I don't understand:
· NAME OF THE COMPONENT
· CERTIFICATE REQUEST (PKCS#10 OR SPKAC)
From a technical standpoint, I've read that the easiest thing is to use SignTool. I've installed the Microsoft SDK and it seems like I already have it. But anyway, that will be a fight for later. My priority in this case is to find the most economical option because, in principle, I'm only going to use it for the test bank.
I'm pretty clueless about all of this. Does anyone have experience with this kind of thing? What do independent developers usually do in these cases? Is there any entity that you can recommend? Thank you very much.
-
After several days of investigation, I'm starting to have things a bit clearer.
First of all, the FNMT no longer issues code certificates, so that's out of the question. I think the only entity that certifies code in our country at a national level (some regions seem to have their own options) is Camerfirma (from the Chamber of Commerce). The joke costs 400 euros a year and I'm not sure if they issue it individually. This is out of the question because of the price.
Looking for more economical options, about the process by which I confirm I am who I say I am (which is what bothers me the most about the issue), the certifier where they seem less abusive in requesting information is Certum, a Polish company that, according to their FAQ, would only ask for an ID document (driver's license for example) and a utility bill (electricity bill for example). Seeing that American CAs like Comodo/Sectigo ask for a ridiculous amount of documents, including a document signed by a notary, I have asked Certum about the accuracy of the information on their website, but they have not yet responded. On the other hand, I feel more confident giving this type of personal document to an EU company before an American one, despite the fact that Certum is considerably more expensive than Comodo/Sectigo, especially for the first issuance.
If they respond affirmatively to the issue of documentation, it is likely that I will go for it for a year to see what happens. In general, I see that the test bank is downloaded much more frequently than validations are received and I understand why it could be happening.
Meanwhile, I have signed the program with a free certificate from Ascertia for a duration of one month. This entity does not even have an agreement with Microsoft and for practical purposes, it is like having nothing. But running the executable through VirusTotal gives me only one positive (out of 72) while with the unsigned executable, 4 positives pop up. So at least in this way, it seems that something improves the situation.
-
@cobito I'm sorry I can't help with this topic, the only thing I can say is that the issue of digital certificates is a fucking nightmare with the cnmt, I don't understand how they don't make it somehow less cumbersome in terms of browsers and operating system options.
-
That's it! In a little while I will publish the signed executable.
Well, this whole code certificate thing is a joke turned into a business. Certum has been frustrating; their technical support is terrible and I've lost confidence in them to be honest. In the end I opted for a Texan certification authority called SSL dot com. They don't have the cheapest prices but they're nowhere near the most expensive. And they don't ask for crazy things. The process was as follows:
Last Thursday I made the purchase and uploaded the validation documents. In my case it was enough with:
· A copy of my driver's license
· A water bill from 3 months ago
· A photo of me showing both documents
This afternoon I asked how things were going. Since the question, in less than an hour they activated the certificate. If I hadn't asked the same thing I would have had to wait a month. In general, the customer service of these companies seems quite lamentable, both in response time and quality of the same. But these ones, seeing that I've loosened the purse strings, seem to have taken me a little more seriously.