This article has been updated with experience of code signing renewal in 2021 – Update to ‘Comodo Individual Code Signing – UK Issues’
Programmers will understand the importance of code signing. For the end user, it stops the yellow "untrusted publisher" warning from appearing when running software, and it shows that the executable has not been tampered with since it was signed.
All the utilities on this site are code signed. For the last 2 years they were signed by Thawte, but Thawte no longer offers individual code signing, so I had to go with Comodo this year.
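For readers who want to see what the signature actually buys them on the receiving end, here is an added example (not from the original article or any of the CAs mentioned) of checking a downloaded utility's Authenticode signature with PowerShell before running it. The file path is a constructed placeholder; everything else uses the built-in `Get-AuthenticodeSignature` cmdlet.

```powershell
# Added example, not part of the original article.
# $exe is a constructed placeholder; point it at the binary you want to check.
$exe = 'C:\Downloads\SomeUtility.exe'

# Get-AuthenticodeSignature reads the embedded signature and validates the
# file hash and the signer's certificate chain against the local trust store.
$sig = Get-AuthenticodeSignature -FilePath $exe

# Status is 'Valid' only when the file is signed, the hash still matches the
# signed content, and the signer chains to a trusted root. 'NotSigned',
# 'HashMismatch' and 'NotTrusted' are the cases that produce the untrusted
# publisher warning (or, for HashMismatch, indicate the file was modified).
[pscustomobject]@{
    File        = $exe
    Status      = $sig.Status
    Message     = $sig.StatusMessage
    Signer      = $sig.SignerCertificate.Subject
    ValidFrom   = $sig.SignerCertificate.NotBefore
    ValidUntil  = $sig.SignerCertificate.NotAfter
    Timestamper = $sig.TimeStamperCertificate.Subject
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature check failed ($($sig.Status)): the publisher claim on this file cannot be trusted."
}
```

The `Timestamper` field is worth looking at when a certificate is renewed every year or two as described in this article: a signature that carries a trusted timestamp counter-signature stays valid after the signing certificate itself expires, so old releases do not need to be re-signed each time the certificate is replaced.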
My notarized passport should have been valid for 27 months, but Comodo would not accept it because they had added extra documents that also need to be notarized. As there is no standard identification-requirements document (one set by the CA/Browser Forum), each CA's form is different, and each seems to expect its own form to be completed with its own requirements, even though the main information and purpose are the same. This was raised as a discussion topic in the CA/Browser Forum in 2015.
It is not cheap to apply for these certificates: they cost about $70/year with Comodo and up to $499/year for Symantec. That is quite a disparity in price, but it is not the issue here. What the CAs don't make clear on their websites is that the price does not include validation, which in the UK can cost about $140.
kSoftware (a Comodo reseller) offer 3 years @ $209.00; factor in the $140 notary fees and this works out at $116/year, not the $70/year advertised. kSoftware have been very helpful in sorting out my issues directly with Comodo, so I highly recommend them.
- Buy a code signing certificate for as long a period as you can afford.
- Notarize the forms they request, and get all the ID you used at the Notary copied and certified as a true copy (especially if you are buying the certificate for 2 years, as you will then have only 3 months left on your notarized documents).
I want to be clear that I do understand there is a lot of fraud involving individual code signing certificates, and that notarizing documents is essential; but the requirements need to be standardized across the certificate authorities to keep costs down.
Sent this to email@example.com on 30 Mar 2018:
2 years ago I purchased an Individual Code Signing certificate from Thawte; on renewal I found they no longer accept Individual Code Signing.
On presenting the same Thawte notarized documents to Comodo, which should have been valid for 27 months, they will not accept them, because they also need a notarized phone bill and bank statement (which was not required by Thawte); this is an extra cost of $140 for the notary in the UK.
I have seen this document below
I could not find the final version, but this does seem to mention standardization.
The expensive part, the validation process, should be standardized, with proper professional-looking fillable PDF forms. At the moment there is no cheap way to buy a 1 or 2 year cert, as the documents may not be valid on renewal, even though the docs should be valid for 27 months.
Received this quick response on 30 Mar 2018:
Thank you for contacting the CA/Browser Forum. Currently, the Forum’s scope does not include Code Signing. The document you referenced, although drafted by Forum members, was not passed by the Forum. However, it was adopted by Microsoft as a standard relating to Code Signing Certificates. The latest version of that document is maintained by the CA Security Council here: https://casecurity.org/wp-content/uploads/2017/05/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing-.pdf.
The CA/B forum is undergoing a governance change whereby code signing could be included in a future scope. If the Governance reform ballot passes in the next week, it could be possible that a code signing working group will be formed and will take on this topic in the future.
As a general statement which applies to code signing or TLS certificates, it’s up to each CA to determine document requirements above and beyond a minimum standard.
This might help with some of the issues.
I understand the benefits of code signing and the requirement to confirm the identity of applicants.
But for individuals this is pretty much a non-starter. You have to pay a law practitioner to confirm your identity, and it’s expensive!
You’re right, this is not made clear and unfortunately I have had to cancel my order with Comodo because of it.
From your post I also get the impression that I’d have to go through the entire process all over again after my certificate expires.
I can stomach a sub £100 per year ongoing charge for the benefits of a code signing certificate. But I can’t agree to an ongoing payment to a law practitioner to continually confirm my identity.
Cheers for the article.