| Apparently there was a surge in fake code signing certificates, blamed on PFX files leaking to the wrong hands. Their solution was to abolish PFX-stored certificates, which must be kept in cloud signing services or "hardware tokens" like yubikey for extra safety. And most recently (last March), the maximum duration of a certificate went down from 3 years to 15 months. |
|
There are 3 types of Code Signing Certificates: IV for individuals, OV for companies and EV for "extended validation". Once upon a time the more expensive EV would buy you an immediate smartscreen reputation (no "this software isn't commonly downloaded" nonsense and installation scare messages for untrusted application) — but no more! Everybody will need to build up their SmartScreen reputation with downloads, even those that paid an arm and a leg for an EV cert. And the recent shrinking of certificate duration means that this reputation loss will be suffered more frequently every 15 months. Thanks!?
I would go for OV "organization" certification if it wasn't for the ridiculous requirement for a company landline telephone (!? so last century) — that's why I ended up with a personal IV cert that says "Nikolaos Bozinis" instead of zabkat LTD.
In the end I bought a digital signing cert from ssl.com that was "only" twice as expensive as my previous one. I bought for 5 years but still I must go through re-validation of my personal details (and the smartscreen loss of reputation) every 458 days. It took them a whole month to validate my address as they sent me a postcard from Germany (!) which took ages to deliver. And their support stuff are clearly overworked. As for their "superior validation tests" on my person, they just wanted a pic of me with my passport. If anything the verification process became easier than last time I renewed back in 2023; costs down, prices up.
And how about this for an illustration of greed: back in March 26 they used to offer 10-year bundles (now the maximum is 5 years) and sold yubikeys for $279. A couple of months later the same hardware token is up to $379 without any price hike from the yubikey suppliers. So the advice is to buy your yubikey independently from yubico for around $120.
How can a mISV make money in this environment? Extra costs, red tape and yearly loss of downloaded installer reputation? I have trouble convincing loyal customers that the scaremongering is artificial and get them to go through extra lengths to download xplorer². The sad fact is that they get jumpy with microsoft defender/smartscreen scary warnings that "this file is not downloaded frequently", forgetting that zabkat is a 20 year old company without any grounds for distrust. Such is folk psychology. There is a clear push towards downloading from "official" app stores that would be the death of mISVs; either we starve from loss of sales or from 30% MS store fees.
What can one do but suffer stoically, an unwelcome addition to life's other annoyances like mosquitos, paper straws and recurrent "This page is using cookies" messages...
To digitally sign your installer you use the same SIGNTOOL.EXE command line as previously (eg signtool sign /fd sha256 /a installer.exe). To convince signtool to read your code signing certificate from the yubikey, you must install a smart card minidriver which will prompt you to plug in your yubikey in a USB port if you forget about it. Annoyingly you must enter your PIN for each signature, so you can kiss goodbye those automated builds of yore.
Apparently there is a free tool that takes the PIN in a command line, but I haven't tried it
If you are a travelling nomad kind of developer, you must add your yubikey in the list of things to carry around with your person. The jury is still out regarding the reliability of the device. I hope it won't break easily.
Good luck rebuilding your installer's download reputation every 15 months. May the force be with us all <g>
Post a comment on this topic »