Monday, July 13, 2015

Where to get a code signing certificate

Recently I wanted to sign some code and I had to find and buy a certificate for that purpose.

Short version of the story: I got this one. It was frustrating and cheap. Had to notarize a personal statement, provide a photocopy of my driver's license, credit card and a utility bill. Also had to publish all my personal contact info on manta.com.

Now, the long version.

First of all, not all certificates are equal - the certificate has to be a code signing certificate (or at least it has to include that capability).

But the majority of code signing certificates are the same. I found an interesting article on this topic.

I compared VeriSign, Thawte, Comodo, K-Software and StartSSL.

The first two are crazy expensive and can/should only be used by enterprises that have extra money, so I decided to ignore them from the very beginning. Prices are above $300.

Comodo and K-Software are both selling the same certificates (issued by Comodo), but K-Software offers them at a lower price. This is the option that I ended up going with.

The last one is StartSSL. The price is very low ($59 for 2 years for the individual certificate). But they do not support time stamping, which means that once your certificate expires your code is no longer signed. (So all of a sudden your users start getting errors and warnings and would be forced to contact support or just download the latest version.)

About the actual process. The K-Software side of the deal is very straightforward and it is very nice dealing with their support. Really nice and helpful.

But once you start to deal with the Comodo side of the deal, it feels like some parallel universe where nothing makes sense. From my conversations it looks like all of their staff and their call center are in India. Those guys are trying their best to work with you, but they still fail.

To get a certificate you have to be authenticated as the future owner of the certificate. This means that you will be asked to provide a government-issued photo ID (driver's license), a document that ties you to your home address (for example, a utility bill), and a document that ties you to a financial institution (credit card or bank statement). They ask you to fill in and notarize a personal statement about you being you and living where you said you are. This was easy, as any UPS store has a notary in it and it costs around $10 to notarize that one statement.

The email from Comodo says that you must mail the papers overnight to them - that's an extra $50-60 right there. But a quick call to their support revealed that it is not necessary - just scan the papers and submit them online.

The most frustrating part about that process is that they must find your phone number online in one of the public databases, like www.whitepages.com or www.manta.com. If you own a company, then it's not a big deal - the phone number and the address of your company are both public. But when you are an individual software engineer you do not want your contact information in the public directories.

Unfortunately there was no way to work around this requirement - I had to publish my info on manta.com, they took a phone number from there, a machine called me on that number and gave me some verification code.

After that you get your certificate. It will be installed straight into the certificate store on your machine, so don't be surprised when the final page just says "Success" and nothing else happens. Just export the certificate from the certificate store and you'll have your file.
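The two practical points above, exporting the freshly installed certificate from the store and signing with a timestamp so the signature outlives the certificate, are easy to get wrong from the GUI. The following PowerShell is an added example, not code from the original post or from K-Software/Comodo, and it goes slightly beyond the post by also doing the signing and verification step. It assumes the certificate landed in `Cert:\CurrentUser\My`, that the file to sign is `.\MyTool.ps1`, and that `$TimestampUrl` points at the timestamp service run by your CA (the value shown is a placeholder to replace with the URL your CA gives you).

```powershell
# Added example (not from the original post): locate the code signing certificate
# the CA installed into the user's store, export it as a PFX backup, then sign a
# file with an RFC 3161 timestamp and verify that the timestamp is present.

$TimestampUrl = 'http://timestamp.comodoca.com'   # assumption: replace with your CA's timestamp URL
$FileToSign   = '.\MyTool.ps1'                     # assumption: the file you want to sign
$PfxPath      = '.\codesign-backup.pfx'            # assumption: where the exported PFX lands

# 1. Find the certificate. -CodeSigningCert filters on the Code Signing EKU,
#    which is the capability the post says the certificate must include.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) {
    throw 'No code signing certificate with a private key found in Cert:\CurrentUser\My'
}
"Using {0} (expires {1})" -f $cert.Subject, $cert.NotAfter

# 2. Export certificate plus private key as a password-protected PFX.
#    This is the "export the certificate from the store" step from the post;
#    the PFX holds the private key, so store it like a secret, not like a download.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# 3. Sign with a timestamp. Without -TimestampServer the signature is only trusted
#    while the certificate is within its validity period; with it, the timestamp
#    proves the signature was made before expiry, so the code stays validly signed.
$sig = Set-AuthenticodeSignature -FilePath $FileToSign -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) $($sig.StatusMessage)"
}

# 4. Verify. Status should be Valid and TimeStamperCertificate should be populated;
#    a signature made without a timestamp shows TimeStamperCertificate as $null,
#    which is exactly the case that starts failing once the certificate expires.
$check = Get-AuthenticodeSignature -FilePath $FileToSign
[pscustomobject]@{
    Status      = $check.Status
    Signer      = $check.SignerCertificate.Subject
    Timestamped = [bool]$check.TimeStamperCertificate
}
```

Run it from an elevated PowerShell only if the certificate was installed for the machine rather than the user (then change the path to `Cert:\LocalMachine\My`). The final object is the check worth keeping in a build pipeline: `Timestamped` must be `True`, otherwise the release will start producing warnings on the certificate's expiry date regardless of how long ago it was signed.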
