Codes require trust, so there are no free code signing certificates. I’ve tried to send the application package to peers for evaluations through Google drive and Facebook messenger. They did a good job, and it means my codes go nowhere. Individual or organizational developers have to pay for them because of costs incurred during the validation process.
The certificate market is like a maze. I Googled and found the following code signing certificates retailers provide useful information:
I chose Sectigo from the COMODO SSL Store, a retailer of its former parent company, Comodo. However, the registration services are provisioned by the CertPanel for COMODO SSL Store. Sectigo is the certificate authority (CA); CertPanel is the registration authority (RA); COMODO SSL Store is the retailer. It isn’t straightforward!
That is, I placed my order of code signing certificate on the COMODO SSL Store, then submitted my certificate signing request (CSR) and government-issued ID on the CertPanel. Finally, Sectigo will validate my identity in three days by email notification and phone calls.
Bad User Experience, but Good Customer Support
The user experience of CertPanel is not so good. I have to call customer support to finish the registration process. Their website is cumbersome, buggy, and poor notification on error. An address requires no special symbol such as comma, period, dash, etc. Web cache is not well implemented, so that any mistake will turn the sunny scenario into rainy days. I don’t even know a 3072-bit RSA key works, but a 2048-bit one won’t. The filename of uploads requires even no space. It goes beyond my imagination. Luckily, they did provide excellent customer service. I appreciate it.
Registration and Validation
After generating a certificate signing request and finishing registration, it takes one to three days for Sectigo to complete the validation process under normal circumstances.
- sectigo vs comodo
- Comodo Cybersecurity
- Get a code signing certificate
- Cryptographic Key Containers
- How to avoid the “Windows Defender SmartScreen prevented an unrecognized app from starting warning”
- Strong Name sn.exe: Failed to install key pair — Object already exists
- Cannot import the keyfile ‘blah.pfx’ – error ‘The keyfile may be password protected’
- Strongly named assemblies – installing a PFX to your machine