Re: Open Source development and authenticode

2013-04-15 Thread Corneliu I. Tusnea
Comodo: $166.95
http://www.comodo.com/business-security/code-signing-certificates/code-signing.php

But I bought mine through Ksoftware which is a reseller of comodo:
http://codesigning.ksoftware.net/

$95/year ..

Corneliu.



On Mon, Apr 15, 2013 at 5:11 PM, Greg Keogh g...@mira.net wrote:

 I received a free code signing certificate from Thawte a few years ago,
 valid for 2 years, valued around $600US. I can't remember all the details
 now, but there was a bit of misery involved in getting it installed and
 working and I had to make some delicate adjustments to my build processes
 to use the certificate. I remember receiving incomprehensible problems that
 drove me nearly insane (again) when importing and managing the certificate
 and using the signtool.exe utility. It was fun to see a signed app finally
 come out, but the extra work was not worth it for my case where I don't
 publish my own commercial software. I publish lots of free demo apps and
 code, but there's no use in signing that sort of thing, in fact you have to
 keep your certificate private and secret and not give it to other
 developers. Then the person installing the signed software has to go
 through steps (that I've forgotten) to say they trust your certificate and
 it's not as magically simple as you expect. So overall, as a single
 contractor developer, I found a real certificate is of little practical use
 and lots of suffering.

 Greg Keogh

 P.S. I just found some of my old batch files that run makecert and
 signtool. They used to work of course years ago, but now I'm getting "The
 signer's certificate is not valid for signing" even though it all looks
 good when viewed in certmgr.msc. Lord knows, I give up immediately as I
 have enough outstanding problems.




 On 15 April 2013 15:16, Katherine Moss katherine.m...@gordon.edu wrote:

 Hi guys,
 I've been arguing with myself about this for a while.  I'm progressing in
 my .net development learning with C#, and I'm pretty dang sure I'm going to
 be catching on soon.  I had some ideas for the open source community,
 clearly both for the experience, for the privilege of working with people
 who develop for the sheer fun of it while producing quality software at the
 same time.  And with that comes authenticode issues; where to get a
 certificate that's not $10,000.  Because I know that even in the free and
 open source world trust is still an issue, however there are no open source
 or community-based certification authorities, or at least none that offer
 code signing.  I've noticed a lot that most open source projects don't
 actually have a cert issued by a trusted publisher, and that hasn't stopped
 me from running the application (most of these have come from the CodePlex
 forge, and I cannot remember which ones they are), and I will even bravely
 add self-signed certificates to my root store for those Windows 8 Modern
 apps that people want to keep away from the Draconian, super-restricted
 environment that Microsoft's Tiled World has become.   So, is it that
 important?  I mean, how seriously do you take the warnings about
 self-signed certificates?  How worth is paying inordinate amounts of money
 for a code signing certificate in an open source project when you can
 easily make one and get your users and loyal followers to trust you
 directly instead of some ding dong head that is getting paid to say, yes,
 this software is issued and signed by so and so?  Anyway, opinions would be
 good; I'd love to hear what real developers have to say about this.





Re: Open Source development and authenticode

2013-04-15 Thread Corneliu I. Tusnea
Katherine,

I'm used to being pragmatic and use the technology that delivers at time the
fastest result in the shortest time. Yes, powershell would have been just
given I would have the experience. Right now all my bat does is copy a few
files around and call the signtool.exe and mage.exe tools several times with
a bunch of parameters. I doubt powershell would have any added benefit or
would have made the file any shorter :)

The image was just a screenshot of the Certification Path for the
certificate:
USERTrust -> COMODO Code Signing CS2 -> OneSaas's COMODO CA Limited ID




On Tue, Apr 16, 2013 at 11:16 AM, Katherine Moss katherine.m...@gordon.edu wrote:

  Why use a bat file when you could accomplish the same thing with a
 PowerShell script or at least use the newer .cmd extension?  It’s not 2000
 anymore LOL.  And remember, you have to describe in words what an image is
 for me since I cannot see them, remember?  

 From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdottnet.com] On Behalf Of Corneliu I. Tusnea
 Sent: Monday, April 15, 2013 7:31 PM
 To: ozDotNet
 Subject: Re: Open Source development and authenticode

 You need to install an intermediary certificate on your box but not on the
 target machine. The installation is straightforward.

 This is the chain for my cert

 [image: Inline image 1]

 I think it's an easy process once you get the hang of it. I now have a
 .bat file that signs my published files. Took 1/2 day to build it but it's
 done and it works ...


 On Mon, Apr 15, 2013 at 9:42 PM, Greg Keogh g...@mira.net wrote:

  Comodo: $166.95
  http://www.comodo.com/business-security/code-signing-certificates/code-signing.php

  But I bought mine through Ksoftware which is a reseller of comodo:
  http://codesigning.ksoftware.net/

  $95/year ..

 But did you have trouble getting the certificates recognised? I remember
 at some point I had to import some extra root certificates into Windows to
 get my Thawte Premium Server CA cert recognised, which wasted a bit of time
 and meant that other users would unpredictably have the problem.

  

 Greg K
