Score: 130

I want to publish one of my applications as open-source and want to digitally sign the binaries I've created with my own certificate. (Of course, anyone else can just download the code and build it themselves with their own certificate.) I want to do this so anyone can check that this build was made by me, not by someone else. I also want to create a secure website with a valid SSL certificate so visitors can create their own accounts in a secure way so they can contribute to this project.

I could create a self-signed certificate, but I don't really like that option. Or I could pay Verisign a few gold pieces to get the certificates that would be valid for just a few years. I don't like that option either, since my treasury is valuable to me.

So, are there any other options? For example, a provider that supports open-source projects by offering certificates for a reduced price? It doesn't have to be free, just a lot less expensive than Verisign...

(The project is created in C# with Visual Studio 2008. Plus an additional project in ASP.NET that wants SSL.)

Asked by Wim ten Brink; edited by Edward Brey
  • This question is on topic. It describes the problem (desire to publish) and what has been done (built app, but not signed it). It does not ask for recommendations, only the names of one or more free or low cost providers. It does ask for answers that "find" an off-site resource, but not in a way that is likely to attract opinionated answers or spam, since there are few options available. – Edward Brey Feb 18 '17 at 09:45
  • I do want to point out that I asked this question almost 8 years ago now. Today, there are a few more options already, but reliability is becoming a problem. There are also plenty of free options for SSL and web development, but code signing certificates are still scarce... – Wim ten Brink Feb 19 '17 at 11:09
  • Alas, LetsEncrypt [won't be supporting code signing certs](https://community.letsencrypt.org/t/do-you-support-code-signing/370). Mid 2018, the cheapest I can find is Comodo's [codesigncert](https://codesigncert.com/) for $59 per annum. It'd be much easier if governments issued all citizens / _subjects_ with a code-signing cert as national ID... but then I'd be forced to _trust_ my government – earcam Jun 01 '18 at 09:04

9 Answers

Score: 36

For open source developers, Certum provides code signing certificates for free*

Just enter "open source developer" in the "company" field when you request the certificate. That's it.

Link to open source code signing certificates is here

[*] Starting 2016, the Open Source Code Signing certificate is no longer available for free. It is now a paid only service.

Answered by Stefan; edited by martinec
  • Been to the site and can only see SSL certs, can you deep link to the code signing certs? – Frozenskys Jul 24 '09 at 14:02
  • They don't seem to offer this anymore. – Chad Sep 10 '11 at 19:37
  • @Chad, I've just successfully received a certificate from them, so the offer is still valid. – Regent Nov 11 '11 at 12:24
  • I think they like to issue certificates with strangely formatted common names, though. The certificate that they just issued for me has `Open Source Developer,Daniel Sage` as the common name. – Oct 13 '12 at 05:22
  • AFAIK they stopped offering the free Open Source developer certs. Otherwise I'd really appreciate a link. – reiniero Dec 05 '12 at 10:05
  • Isn't it only free for the trial period (30 days)? – Peter Mortensen Aug 30 '13 at 15:33
  • It still works. I just tried and got a free 1-year certificate. The turnaround time for the entire process (including verifying my identity) was about two hours. I added [an answer](http://stackoverflow.com/a/18959881/145173) with details of the steps. – Edward Brey Sep 23 '13 at 13:01
  • The offer of free certificates for open source developers is STILL VALID and working as of today. The process is simple: fill out the form linked above, then activate the certificate request. They'll send you an email to validate your email address and another one requesting documents to prove your identity (I sent over a driver's license). After that you can install the .cer file on your computer and export the pfx file from it (for use in the signtool). WARNING: The 1st computer on which you install the certificate is the ONLY computer you can install it on!! – Julius Jan 20 '15 at 09:46
  • Correction: The computer on which you generate the private key (click the 'Generate' button when activating the certificate) is the only computer on which you can install the certificate. I hope this helps someone, as I had to revoke and apply for 3 certificates before I got it right. I'm a bit slow. – Julius Jan 21 '15 at 09:48
  • As of the time of this comment, https://en.sklep.unizeto.pl/test_certificates is the working link for the code signing certs. – Adam Baxter Jun 19 '15 at 02:42
  • It appears certificates are no longer free - the reference to open source code signing has been removed from the test certificates page, and there is now a separate product page https://en.sklep.unizeto.pl/data-safety/code-signing-certificates/open-source-code-signing.html. At €14 they're much cheaper than other certificates though. The signup process seems to be the same as when they were free too. – Alex Warren Jul 13 '15 at 10:06
  • @quasoft those are SSL certificates. – Nathan Osman Sep 29 '15 at 23:01
  • @nathan-osman Actually you are right, it seems GlobalSign is offering SSL-only certificates, not suitable for signing code – quasoft Sep 30 '15 at 19:10
  • Is it just me, or does anyone else think a link like https://en.sklep.unizeto.pl/data-safety/code-signing-certificates/ can't be legit? – Michael Schönbauer Nov 11 '20 at 17:11
Score: 27

Update: No longer free, now €105.78 (as of 19 Feb 2017). The cost is less if you already own their crypto hardware. FWIW, following are the previous instructions.


To get a free code signing certificate from Certum/Unizeto for yourself as an individual, follow these steps. Use Internet Explorer or Safari, since they support the key exchange mechanism.

  1. Browse to Test ID and OpenSource Code Signing certificates, and submit the form.

  2. The certificate will appear under Activate Certificates. Click Activate.

  3. Go through the activation wizard. For Organization enter Open Source Developer. For Organizational Unit, enter Software Publishing.

  4. You'll get an email asking for proof of identity. Reply with a link to the open source project and an image of your driver's license (or another accepted document). To protect your privacy, you should encrypt the reply.* The way to encrypt varies by email client. For Outlook, ensure you have an email certificate (freely available), and turn on encryption.

  5. Within a day or so, you should receive an email with a link to collect your certificate. You have to open the link from the same computer and browser you used to start the process.

* Although the verification email from Certum says to send the proof to ccp@certum.pl, Certum also accepts proof sent to the reply address info@certum.pl, to which you can send encrypted email.

Answered by Edward Brey
  • Worked fine, thanks a lot! Do you know if they renew the certificate for free after the 1-year period? Or is this just a trial period and then it becomes a paid certificate? – Al-Khwarizmi Dec 19 '14 at 09:36
  • After about 10 months you'll receive a mail to remind you that your certificate is expiring. In that mail they mention you can renew, but that didn't work (for me 4 months ago). I had requested a new certificate in the same way as I did a year earlier, and received it. In short: you just request a new certificate every year. – Martijn Stolk Mar 25 '15 at 12:14
  • The country dropdown doesn't seem to list United States anymore? Got a cert back in 2013 so it used to work for me. – Warty Jul 30 '15 at 13:38
  • Tried this. Now a 90 day cert. But, cannot get past the "Activate" step as clicking on the "Generate Keys" button does nothing, and Next throws "Generate key pair" alert.... – StevoKeano May 20 '16 at 16:09
  • They seem to have CSR method remaining. How can they know if CSR was generated by their hardware or not? – OCTAGRAM Nov 17 '17 at 20:40
Score: 22

2016 update: StartCom has been acquired by WoSign under questionable circumstances. I wouldn't trust StartCom/WoSign. Consider the below text as a historical note on how good StartCom was up to early 2015.

I've got a code signing certificate from StartCom (StartSSL). I'm very satisfied with their service: Their customer service is very fast, and their prices are very reasonable.

Getting the code-signing certificate

Getting a code signing certificate requires Class 2 Identity Validation. StartCom guides you through the whole process (with excellent response rates, usually within ten minutes in my experience).
If you want to get the details right at once, read this blog post. I was validated within an hour (for a fee of 59.90 $, via Paypal).

After being validated, generate a new private key, and a Certificate Signing Request (CSR). Note that all fields except for the public key are ignored. All information in the certificate is inferred from the information you provide during identity validation, not from your CSR.

```bash
# Create key and CSR (key must be at least 2048 bit, per Policy Statement)
openssl req -nodes -newkey rsa:2048 -keyout codesigning.key -out codesigning.csr
# Add pass phrase to key (optional, but highly recommended)
openssl rsa -in codesigning.key -des3 -out codesigning2.key && \
    mv codesigning2.key codesigning.key
```

Submit this via the web interface and you'll quickly get a new certificate that's valid for two years (I got mine within an hour).

Issue: Lifetime Signing OID

StartCom's class 2 certificates have the Lifetime Signing OID set. Because of this bit, the signature of signed code will become invalid after the certificate expires, even when it's timestamped.

When I asked Eddy Nigg (COO/CTO of StartCom) for the reason of this OID, he replied:

It requires from us to keep the CRLs operating for up to 20 years after the certificates already expired. This is something we can do for EV level certs (much lower volume, different payment terms) but would increase the price for Class 2 just for this benefit (where code signing is only part of the options in this level).

Timestamping is thus only available after Extended Validation (EV), which is only available to legally established organizations and costs 199.90 $. So, individual developers cannot use timestamping with a code signing certificate from StartCom.

For a long time, I considered this limitation as a big issue. Recently, I changed my mind: It only happens once every two years, security-minded users might be more inclined to get the latest version of my software, and old versions of the software will still work (for those who want to use it; though without a verified signature).

Note: Always timestamp your code, even when the Lifetime signing flag is set! Timestamped signatures will remain valid until the expiry date of the certificate, even when the certificate has been revoked (obviously, only if the signature was created before the certificate was revoked).

Practical use of certificate

At StartCom, you only pay for validation. The identity validation is valid for 350 days, and during this period, you can request code signing certificates for free. You can only have one valid code signing certificate, and it can be used to sign any code (MSI, DLL, XPI, ...) but not driver code (this requires EV).

To change an attribute on the certificate, the previous certificate must be revoked and a new one requested. Revocation of a certificate costs 29.90 $. Though when I changed my email a day after getting a code signing certificate, they exceptionally revoked my certificate without fee (I was positively surprised)!

Expiration

When your certificate is about to expire (after almost two years), you get a notification (two weeks in advance). If your verified identity is still valid (recall that validations expire after 350 days; then you have to confirm your identity again for 59.90$), you can request a new certificate without revoking the previous one. Do not forget to publish a new release of your software that's signed with this new code signing certificate, because the previous releases will soon show "(not verified)" or something similar.

OCSP

When I received my certificate, I signed my Firefox add-on. However, it still showed "(Author not verified)", even though my XPI file was correctly signed. It turned out that Firefox did not get the current certificate status when it queried the OCSP servers of StartCom for the revocation status of my new certificate. possibly relevant forum topic

After about a half day, my certificate was known to the OCSP servers, and my name showed up as expected. Lesson learnt: When you've got a new certificate, wait about a day before publishing your software with the new signature.

Answered by Rob W
  • Thank you for the insights about the lifetime signing and "only one active code signing certificate". Definitely worth knowing. I was planning to do this one day, and I think I still want to do it. Using free SSL certificates already. – ygoe Jan 22 '14 at 20:51
  • Update on StartCom: The code certificates now don't have the Lifetime Signing OID set. They are now as good as every other code signing cert. For organization validations, there is even kernel code signing included. – Josef says Reinstate Monica Jan 31 '16 at 20:47
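The answer above makes two claims that are easy to get wrong in practice: that the Lifetime Signing OID lives in the certificate's Extended Key Usage, and that it changes how long a timestamped signature stays valid. The following is an added example (my own, not code from Rob W's answer or anything StartCom published) that encodes and decodes an ExtKeyUsage extension in DER, then applies the validity rules exactly as the answer states them. Assumptions, labelled in the code as well: the OID values are the standard id-kp-codeSigning (1.3.6.1.5.5.7.3.3) and Microsoft Lifetime Signing (1.3.6.1.4.1.311.10.3.13); the decision rules are the answer's summary, not a full reproduction of Windows Authenticode policy; every certificate, date and revocation in `demo()` is constructed sample data.

```python
# Added example, not code from Rob W's answer or from StartCom. Assumed: the OID
# values below are the standard ones; the validity rules are the answer's, not
# Windows' exact Authenticode policy; all certificates and dates are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"            # id-kp-codeSigning
LIFETIME_SIGNING_OID = "1.3.6.1.4.1.311.10.3.13"  # Microsoft Lifetime Signing
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"             # id-kp-serverAuth (negative case)


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length, first two arcs packed, base-128 rest."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids: List[str]) -> bytes:
    """DER-encode ExtKeyUsageSyntax (SEQUENCE OF OID); short-form lengths only."""
    inner = b"".join(encode_oid(o) for o in oids)
    if len(inner) >= 128:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([0x30, len(inner)]) + inner


def decode_eku(der: bytes) -> List[str]:
    """Parse a short-form DER ExtKeyUsage SEQUENCE back into dotted OID strings."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, oids = 2, []
    while pos < len(der):
        if der[pos] != 0x06:
            raise ValueError("expected an OID inside ExtKeyUsage")
        length = der[pos + 1]
        body = der[pos + 2:pos + 2 + length]
        arcs, value = [body[0] // 40, body[0] % 40], 0   # first byte = 40*arc1 + arc2
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:                              # clear high bit ends an arc
                arcs.append(value)
                value = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + length
    return oids


@dataclass
class Cert:
    not_before: datetime
    not_after: datetime
    eku_der: bytes
    revoked_at: Optional[datetime] = None


def signature_status(cert: Cert, signed_at: datetime, timestamped: bool, now: datetime) -> str:
    """Judge one Authenticode-style signature at time `now` using the answer's rules."""
    ekus = decode_eku(cert.eku_der)
    if CODE_SIGNING_OID not in ekus:
        return "invalid: not a code-signing certificate"
    # Without a trusted timestamp the verifier cannot prove when the signature was
    # made, so it has to judge the certificate as of verification time instead.
    effective = signed_at if timestamped else now
    if not (cert.not_before <= effective <= cert.not_after):
        return "invalid: certificate not valid at the time that counts"
    if cert.revoked_at is not None and effective >= cert.revoked_at:
        return "invalid: certificate already revoked at the time that counts"
    # Lifetime Signing re-ties even a timestamped signature to the cert's expiry.
    if LIFETIME_SIGNING_OID in ekus and now > cert.not_after:
        return "invalid: Lifetime Signing OID set and certificate has expired"
    return "valid"


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def demo() -> dict:
    """Constructed scenarios mirroring the StartCom Class 2 situation in the answer."""
    def mk(ekus, revoked=None):   # two-year cert, like the one the answer describes
        return Cert(utc(2014, 1, 1), utc(2016, 1, 1), encode_eku(ekus), revoked)
    class2 = mk([CODE_SIGNING_OID, LIFETIME_SIGNING_OID])   # Lifetime Signing set
    plain = mk([CODE_SIGNING_OID])                          # ordinary code-signing cert
    revoked = mk([CODE_SIGNING_OID], utc(2015, 1, 1))       # revoked mid-lifetime
    tls_only = mk([SERVER_AUTH_OID])                        # a TLS server cert
    signed, mid, late = utc(2014, 6, 1), utc(2015, 6, 1), utc(2016, 6, 1)
    return {
        "class2_before_expiry": signature_status(class2, signed, True, mid),
        "class2_after_expiry": signature_status(class2, signed, True, late),
        "plain_after_expiry": signature_status(plain, signed, True, late),
        "revoked_but_timestamped": signature_status(revoked, signed, True, mid),
        "revoked_no_timestamp": signature_status(revoked, signed, False, mid),
        "not_code_signing": signature_status(tls_only, signed, True, mid),
    }
```

Run `demo()` to see the six cases side by side: the same timestamped signature survives expiry on the plain certificate but not on the Lifetime Signing one, a timestamped signature made before revocation stays valid while an un-timestamped one does not, and a certificate without the code-signing EKU is rejected regardless of dates. To use the parser on a real certificate, extract the raw ExtKeyUsage extension value (OID 2.5.29.37) and pass it to `decode_eku`; the short-form length limit covers any realistic EKU list.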
Score: 10

You can try CAcert. With this you get certified by other CAcert-users. CAcert has a reputation-based system, so if you are certified often enough your certificate is counted as valid.

You may have to add CAcert as a trusted authority on the target system. Self-signing your executable should be a sufficient option, but you will need to provide the public certificate. Using a known authority can help verify the file, but I think it is overkill in this case; use a checksum or SHA-2 hash of the file in combination with your self-signed certificate. You could set up a Linux box as a CA; however, they will need to trust your public certificate.

Answered by Mnementh; edited by Wayne Ellery
  • The downside with CACert is that it's not included by default in any of the major browsers (http://wiki.cacert.org/InclusionStatus), so the typical user experience is no better than that of a self-signed cert. – Kohsuke Kawaguchi Oct 25 '09 at 03:24
  • Also, if you are interested in signing Windows executables, mind that CACert is not listed in the [list of Certification Authorities (CAs) who are members of the Windows Root Certificate Program](http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx), while [Unizeto CERTUM](http://www.certum.pl/) is – user377486 Aug 18 '14 at 09:53
  • I tried CAcert. This picture sums it up: https://imgur.com/a/rNYqBme – selbie Mar 22 '20 at 02:31
  • An updated CA list can be found at https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT – Erdogan Kurtur Apr 22 '20 at 21:10
Score: 8

You could have a look at the StartSSL product.

Note StartSSL has now closed and is no longer issuing certs.

Answered by Frozenskys
  • Funny. Google Chrome reports to me that startssl.com has an invalid certificate and warns me about the risks of proceeding to this site. :-) I did proceed, though. Looks okay. – Wim ten Brink Jul 24 '09 at 13:27
  • If you add the Root CA cert from StartSSL this will go away. I believe that Firefox 3+ ships with this CA cert built in. – Frozenskys Jul 24 '09 at 13:28
  • It's always a great feeling to import Root CAs. Kinda defeats the entire purpose of having them. – Matthew Whited Sep 28 '09 at 15:07
  • StartSSL is the first (only still) free CA with a RootCA in Windows Vista+. There is a certificate update for older versions of Windows that include it too afaik. Why Chrome doesn't have it as a RootCA or fall back to Windows to check is just a Chrome issue. – Robert MacLean Mar 23 '11 at 08:01
  • BTW StartSSL's code signing certificates are beta and require being verified (which is not free, currently $50) – Robert MacLean Mar 23 '11 at 08:14
  • Now in 2015 their free cert [does not support](https://www.startssl.com/?app=39) code signing. – Eugene Petrov Apr 17 '15 at 00:26
  • The Free certificate never supported codesigning. The deal breaker with StartSSL is that on the cheap certificate ALL signatures are invalid after the certificate runs out, even if timestamped. Only the EV certificate doesn't have this problem, but it's not available to persons, only companies :( – Josef says Reinstate Monica Jul 09 '15 at 17:14
  • StartSSL has shut down. From their site: "StartCom CA is closed since Jan. 1st, 2018, it doesn't issue any new certificate from StartCom name roots." – skst Apr 11 '20 at 17:59
Score: 8

You can also check out KSoftware. They resell Comodo code signing certificates for US$99/ year.

Answered by Joe Kuemerle; edited by LadyCailin
  • I've used them successfully in the past. Tucows also is a reseller, and if you do a multiyear deal, I think you can get them for about 70 a year. – EricLaw Jul 24 '09 at 14:27
  • KSoftware has a great service; while Comodo is not good, the guys at KSoftware are quick to answer. I'm not related, just a happy customer. – digitai May 09 '17 at 23:01
  • I recently bought a certificate with KSoftware, but I still haven't finished the validation process; the validation team of Comodo keeps asking me for a phone number, but the Face-to-Face didn't say it was obligatory. – Nicke Manarin Aug 13 '17 at 00:08
  • Beware! KSoftware/Comodo seems cheap, but they do not do any real validation process, and you must PAY for an attorney to validate your identity! This brings unexpected and totally horrendous additional fees. – xroche Sep 16 '17 at 15:52
  • I just bought a code signing cert from K Software because the difference in price was substantial: $75 per year instead of $175 per year. I'll try and post an update here after I go through the validation and issuance. My gut, however, says that it's probably worth it to pay the extra $100 and just go with Comodo directly. I'll let you know how it goes... – Joshua Pinter May 20 '18 at 17:35
  • Update: I tried going through our lawyers to get their required document completed, but they said that would cost about $1,500 to do. So we opted to just get registered with D&B.com to get a DUNS number and use that as "verification" that we exist. We have it now, but it was a pain in the ass and took about a month to complete from start to finish. If you're in a hurry, I would look at a different provider, like digicert.com. (That being said, I'm not sure if they're any different/better.) – Joshua Pinter Jul 01 '18 at 17:18
Score: 1

The Linux Foundation, in partnership with Red Hat, Google and Purdue University, has launched the sigstore project. Sigstore bills itself as 'A non-profit, public good software signing & transparency service'.

It doesn't look like it's ready for general use yet, but looks promising.

Answered by Nathan
  • Thank you for updating an 11 year old question with current news! The Certum Certificate which used to be free is now at 50€ per year. I created an open source microscope data analyzing software that I want to make available at my university's lab computers. I did not get paid for writing it and don't want to spend my own money on signing it, so I'm really looking forward to sigstore! – dende Apr 28 '21 at 08:11
Score: 0

You will need to buy a code signing certificate. The cheapest ones are from Comodo. I have published source code and binaries, like you plan, and signed the binaries. See Date & time batch changer for photos and other files.

Answered by Michael Haephrati; edited by Peter Mortensen
Score: 0

I use the Comodo Individual Code Signing Certificate. It's $71 per year and doesn't require any special hardware.

I wrote a blog post that walks through the installation and use of the certificate. One important note is that they will put your street address on the public certificate unless you ask them to leave it off.

Answered by RandomEngy