What Happens When Your Code Signing Certificate Expires. When a code signing certificate expires, unless you choose to timestamp your code, it means that any software or applications that have code signed by the certificate are no longer trusted by Microsoft SmartScreen, Google Safe Browsing, and antivirus programs.
There are no free code signing certificates. And be dubious of anyone who says they can offer you a code signing certificate for free. The short answer is that there are compliance constraints that prevent it, and economic incentives to abide by those constraints.
For open source developers, Certum provides code signing certificates for free*
Just enter "open source developer" in the "company" field when you request the certificate. That's it.
Link to open source code signing certificates is here
[*] Starting 2016, the Open Source Code Signing certificate is no longer available for free. It is now a paid only service.
Update: No longer free, now €105.78 (as of 19 Feb 2017). The cost is less if you already own their crypto hardware. FWIW, following are the previous instructions.
To get a free code signing certificate from Certum/Unizeto for yourself as an individual, follow these steps. Use Internet Explorer or Safari, since they support the key exchange mechanism.
Browse to Test ID and OpenSource Code Signing certificates, and submit the form.
The certificate will appear under Activate Certificates. Click Activate.
Go through the activation wizard. For Organization enter Open Source Developer. For Organizational Unit, enter Software Publishing.
You'll get an email asking for proof of identity. Reply with a link to the open source project and an image of your driver's license (or another accepted document). To protect your privacy, you should encrypt the reply.* The way to encrypt varies by email client. For Outlook, ensure you have an email certificate (freely available), and turn on encryption.
Within a day or so, you should receive an email with a link to collect your certificate. You have to open the link from the same computer and browser you used to start the process.
* Although the verification email from Certum says to send the proof to [email protected], Certum also accepts proof sent to the reply address [email protected], to which you can send encrypted email.
2016 update: StartCom has been acquired by WoSign under questionable circumstances. I wouldn't trust StartCom/WoSign. Consider the below text as a historical note on how good StartCom was up to early 2015.
I've got a code signing certificate from StartCom (StartSSL). I'm very satisfied with their service: Their customer service is very fast, and their prices are very reasonable.
Getting the code-signing certificate
Getting a code signing certificate requires Class 2 Identity Validation. StartCom guides you through the whole process (with excellent response rates, usually within ten minutes in my experience).
If you want to get the details right at once, read this blog post. I was validated within an hour (for a fee of 59.90 $, via Paypal). After being validated, generate a new private key and a Certificate Signing Request (CSR). Note that all fields except for the public key are ignored. All information in the certificate is inferred from the information you provide during identity validation, not from your CSR.
# Create key and CSR (key must be at least 2048 bit, per Policy Statement)
openssl req -nodes -newkey rsa:2048 -keyout codesigning.key -out codesigning.csr
# Add pass phrase to key (optional, but highly recommended)
openssl rsa -in codesigning.key -des3 -out codesigning2.key && \
mv codesigning2.key codesigning.key
Submit this via the web interface and you'll quickly get a new certificate that's valid for two years (I got mine within an hour).
Issue: Lifetime Signing OID
StartCom's class 2 certificates have the Lifetime Signing OID set. Because of this bit, the signature of signed code will become invalid after the certificate expires, even when it's timestamped.
When I asked Eddy Nigg (COO/CTO of StartCom) for the reason of this OID, he replied:
It requires from us to keep the CRLs operating for up to 20 years after the certificates already expired. This is something we can do for EV level certs (much lower volume, different payment terms) but would increase the price for Class 2 just for this benefit (where code signing is only part of the options in this level).
Timestamping is thus only available after Extended Validation (EV), which is only available to legally established organizations and costs 199.90 $. So, individual developers cannot use timestamping with a code signing certificate from StartCom.
For a long time, I considered this limitation as a big issue. Recently, I changed my mind: It only happens once every two years, security-minded users might be more inclined to get the latest version of my software, and old versions of the software will still work (for those who want to use it; though without a verified signature).
Note: Always timestamp your code, even when the Lifetime signing flag is set! Timestamped signatures will remain valid until the expiry date of the certificate, even when the certificate has been revoked (obviously, only if the signature was created before the certificate was revoked).
Practical use of certificate
At StartCom, you only pay for validation. The identity validation is valid for 350 days, and during this period, you can request code signing certificates for free. You can only have one valid code signing certificate, and it can be used to sign any code (MSI, DLL, XPI, ...) but not driver code (this requires EV).
To change an attribute on the certificate, the previous certificate must be revoked and a new one requested. Revocation of a certificate costs 29.90 $. Though when I changed my email a day after getting a code signing certificate, they exceptionally revoked my certificate without fee (I was positively surprised)!
Expiration
When your certificate is about to expire (after almost two years), you get a notification (two weeks in advance). If your verified identity is still valid (recall that validations expire after 350 days; then you have to confirm your identity again for 59.90 $), you can request a new certificate without revoking the previous one. Do not forget to publish a new release of your software that's signed with this new code signing certificate, because the previous releases will soon show "(not verified)" or something similar.
OCSP
When I received my certificate, I signed my Firefox add-on. However, it still showed "(Author not verified)", even though my XPI file was correctly signed. It turned out that Firefox did not get the current certificate status when it queried the OCSP servers of StartCom for the revocation status of my new certificate. (Possibly relevant forum topic.)
After about a half day, my certificate was known to the OCSP servers, and my name showed up as expected. Lesson learnt: When you've got a new certificate, wait about a day before publishing your software with the new signature.
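The rules spread across the answers above (no timestamp: the signature stops being trusted when the certificate expires; timestamp: the signature survives expiry unless the Lifetime Signing OID is set; revocation: a timestamped signature made before the revocation date stays valid until expiry) are easy to mix up. The following is an added example, not code from any of the posters, that writes them down as a small decision function. The two OID strings are the standard code-signing and Microsoft Lifetime Signing EKU values; the dataclasses, function names and sample dates are constructed for illustration, and the function is a simplified model of the rules as stated in the answers, not any particular verifier's implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Standard EKU OIDs: id-kp-codeSigning and Microsoft's Lifetime Signing.
CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"
LIFETIME_SIGNING_OID = "1.3.6.1.4.1.311.10.3.13"


@dataclass
class SigningCert:
    """Constructed model of a code signing certificate (hypothetical type)."""
    not_before: datetime
    not_after: datetime
    extended_key_usage: Tuple[str, ...]
    revoked_at: Optional[datetime] = None  # None means the cert was never revoked

    @property
    def lifetime_signing(self) -> bool:
        return LIFETIME_SIGNING_OID in self.extended_key_usage


@dataclass
class Signature:
    """Constructed model of an Authenticode-style signature (hypothetical type)."""
    signed_at: datetime   # time the signature was made (per the trusted timestamp, if any)
    timestamped: bool     # True if a trusted timestamp countersignature is present


def signature_status(cert: SigningCert, sig: Signature, now: datetime) -> str:
    """Return 'valid' or a short reason why the signature is not trusted.

    Encodes the rules from the answers: without a timestamp the verifier can only
    judge the certificate as of 'now'; with a timestamp it judges the certificate as
    of the signing time, except that the Lifetime Signing OID ties the signature's
    life to the certificate's expiry regardless of the timestamp.
    """
    if CODE_SIGNING_OID not in cert.extended_key_usage:
        return "certificate not valid for code signing"
    if not (cert.not_before <= sig.signed_at <= cert.not_after):
        return "signed outside certificate validity period"

    if not sig.timestamped:
        # No proof of when the signature was made: evaluate the cert at 'now'.
        if now > cert.not_after:
            return "certificate expired (no timestamp)"
        if cert.revoked_at is not None and now >= cert.revoked_at:
            return "certificate revoked (no timestamp)"
        return "valid"

    # Timestamped: the trusted signing time is what counts for revocation...
    if cert.revoked_at is not None and sig.signed_at >= cert.revoked_at:
        return "signed after revocation"
    # ...but the Lifetime Signing OID makes expiry fatal even for timestamped code.
    if cert.lifetime_signing and now > cert.not_after:
        return "certificate expired (lifetime signing OID set)"
    return "valid"


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample certificates: a Class 2-style cert with the Lifetime Signing
# OID and an EV-style cert without it, both valid for two years.
CLASS2_CERT = SigningCert(_utc(2015, 1, 1), _utc(2017, 1, 1),
                          (CODE_SIGNING_OID, LIFETIME_SIGNING_OID))
EV_CERT = SigningCert(_utc(2015, 1, 1), _utc(2017, 1, 1), (CODE_SIGNING_OID,))
REVOKED_CLASS2_CERT = SigningCert(_utc(2015, 1, 1), _utc(2017, 1, 1),
                                  (CODE_SIGNING_OID, LIFETIME_SIGNING_OID),
                                  revoked_at=_utc(2016, 1, 1))


def demo() -> dict:
    """Run the scenarios discussed in the answers and return their outcomes."""
    early = Signature(_utc(2015, 6, 1), timestamped=True)
    early_no_ts = Signature(_utc(2015, 6, 1), timestamped=False)
    late = Signature(_utc(2016, 3, 1), timestamped=True)
    return {
        "class2_before_expiry": signature_status(CLASS2_CERT, early, _utc(2016, 6, 1)),
        "class2_after_expiry": signature_status(CLASS2_CERT, early, _utc(2017, 6, 1)),
        "ev_after_expiry": signature_status(EV_CERT, early, _utc(2020, 1, 1)),
        "no_timestamp_after_expiry": signature_status(EV_CERT, early_no_ts, _utc(2017, 6, 1)),
        "revoked_signed_before": signature_status(REVOKED_CLASS2_CERT, early, _utc(2016, 6, 1)),
        "revoked_signed_after": signature_status(REVOKED_CLASS2_CERT, late, _utc(2016, 6, 1)),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:28s} -> {status}")
```

The interesting rows are `class2_after_expiry` against `ev_after_expiry`: the same timestamped signature outlives the certificate only when the Lifetime Signing OID is absent, which is exactly why the answer still recommends timestamping (it keeps signatures made before a revocation valid until expiry) even though it cannot extend them past expiry on a Class 2 certificate.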
The Linux Foundation, in partnership with Red Hat, Google and Purdue University, has launched the sigstore project. Sigstore bills itself as 'A non-profit, public good software signing & transparency service'.
It doesn't look like it's ready for general use yet, but looks promising.
You can also check out KSoftware. They resell Comodo code signing certificates for US$99/ year.
You could have a look at the StartSSL product.
Note StartSSL has now closed and is no longer issuing certs.