Affordable code-signing certificates, no chance!

GlobalSign == relatively cheap code-signing certificates.

Cool, I thought.

Bullcrap! After attempting to apply for a code-signing certificate for use with Authenticode in kernel mode drivers and other Windows binaries and then calling them on the phone I learnt that private persons are unwanted. Brilliant!

According to the person I spoke with (a German representative of GlobalSign), the problem is not so much GlobalSign but rather Microsoft, which doesn’t allow individuals to receive a code-signing certificate.

To sum it up. Despite all the identity checks and the costs which are still considerable (more than 500 EUR incl. VAT) I was interested and willing to get a 3-year code-signing certificate even though I do not earn money with my software. Nevertheless it seems to be impossible for me as an individual to get one. (BTW: VeriSign wants approximately 1300 USD for the same duration and considering that the above limitation seems to be imposed by Microsoft, odds are that the same limitations exist for certificates from VeriSign.)

Heck, I have no clue why MS tries to prevent normal people from writing and distributing freeware and OSS for their operating systems like that. I am really disgruntled this time!

// Oliver

PS: In the case of kernel mode code there are no alternatives. MS effectively prevents such attempts. In the beginning I kind of liked the idea of enforced code-signing, now I hate both, the enforcement and MS …


7 Responses to Affordable code-signing certificates, no chance!

  1. Fowl says:

    What Rick Brewster for Paint.Net did was create a LLC. He describes this on his blog:

    Although he seemed to be able to get a certificate as “Rick Brewster” beforehand, so perhaps you might want to contact him to find out how.

  2. carlos says:

    Well, WinPcap installs fine in Vista x64.

  3. Oliver says:

    Carlos: have you checked whether the driver is signed? I know it loads, but from experience as a driver developer I know that Vista x64 does not allow unsigned code, at most test-signed, but in this case you have to install the respective CA certificate.

  4. Fowl says:

    I think daemon tools installs their root CA when you install it for the first time.

  5. Oliver says:

    Phew, that’s kind of ugly, don’t you think? But yes, it’s likely they do not get through WHQL at the very least, they are using quite some tricks in their driver 😉

  6. Fowl says:

    I don’t believe that they (daemon tools) are doing anything “suspect”, a virtual DVD drive is very useful.

    Unfortunately I just discovered that their actual kernel-mode code is provided by Duplex Secure Ltd. which I assume has a real cert – although this box is “compromised” as it were (has daemon tools installed) so I can’t be certain.

  7. carlos says:

    Yes, it’s signed by CACE TECHNOLOGIES.
