Ask HN: Experience with code signing Windows apps
Preparing to code sign a Windows app; coming from signing Mac apps, where it's a breeze, Windows is not so much.
What is everybody's go-to place for code signing a Windows app?
Also have you been able to do this on a Mac as well?

I've been code signing Windows apps for 15+ years. The process has gotten more and more convoluted over the years. Prices vary from seller to seller, but most sellers are really re-sellers, selling certs from one or two providers. This is where I buy the cert, as it's proven to be consistently the cheapest (no affiliation): https://www.ksoftware.net/code-signing-certificates/

The OV cert is usually sufficient. I've never seen a reason to go with the EV cert.

Before you buy the cert, read ALL the instructions very carefully on the website, as once you apply you can't easily change things. Things you need to have set up correctly in advance:

- A business name, not a personal name
- A website and email address for the business name
- Whois information that matches the website address / phone number to the website business's physical address and phone number. Don't hide your Whois information!
- A landline phone number (VOIP works)
- An entry in some sort of recognised telephone directory so that the landline phone number's connection to the business can be externally validated

This all looks like overkill and many of them are illogical, but if any of these things are amiss your order will fail the basic validation, putting your getting the cert in doubt. These 'security' steps are all meant to prevent dodgy individuals or fake businesses getting code signing certs, but they make it a real hassle for small businesses or one-man shops to get a cert. For this reason, always buy a cert for as many years as possible -- this isn't a process you want to be doing every year.

There's no single go-to place. I bought mine from comodo, which is now sectigo.com

Indeed, an OV is sufficient. Sectigo is pretty fast at this -- you will need proof of business (phone number + proof to see that the business is still running), and that's about it.
Another "fun" fact - when you start signing, every browser will flag your app as "this application is not commonly downloaded", and this will go on for a while (2-3 weeks, sometimes even more). This might also happen for antiviruses -- yeah, it's really fucked, I could say.

A few years back Microsoft came up with another type of code signing certificate (don't remember the name) that doesn't have the problems I outlined above. However, it usually costs 4-5x as much, and personally I don't think it's worth it.

What do you mean by "go-to place"? You buy a cert and then call the signtool with it, that's it, at least for the usual case.

> You buy a cert

Where though? This is what I mean by place; I would like to know the best place people get this certificate. Again, coming from Mac, I go to Apple; for Windows, where do I go?

I can't find a good page from Microsoft listing acceptable CAs for regular certificates, but the driver signing page has a list for EV certificates: https://docs.microsoft.com/en-us/windows-hardware/drivers/da...

I would buy a non-EV code signing cert from any of those. Look for discount codes; I know DigiCert used to have a pretty nice discount code, although it still cost a bunch of money. OTOH, DigiCert was very flexible in my experience, even when I was just a small customer; I think we had a maximum of 5 wildcard certificates at once, plus one code signing certificate, but they would issue all sorts of 'custom duplicates' and let me 'rename' a wildcard to a totally different domain to avoid buying a new wildcard, and were helpful with adjusting expirations for the sha-1 cert sunset. If the price isn't a huge barrier, I think they're cool; but I also understand if the price is a barrier.
I don't think it particularly matters; any of the major CAs offers code signing certs (worth shopping around a bit for prices and promotions though, the prices vary massively with little obvious reason why they should).

https://github.com/mtrojnar/osslsigncode should be able to sign Windows executables on a Mac, but I haven't tried that personally.
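As an added example (not from any commenter in the thread), here is the "buy a cert, then call the signing tool" step from the replies above, done on a Mac with osslsigncode: it signs a PE with an RFC 3161 timestamp and a SHA-256 digest, then verifies the result. The file names, the PFX password variable and the Sectigo timestamp URL are assumptions; set `DRY_RUN=1` to see the commands without running them.

```shell
#!/bin/sh
# Sign a Windows executable with osslsigncode (macOS/Linux) and verify it.
# Assumed inputs (constructed for this example): app.exe, app-signed.exe,
# cert.pfx and the PFX_PASSWORD environment variable.
set -eu

# RFC 3161 timestamp authority; Sectigo's is assumed here because the thread
# mentions a Sectigo OV cert. Any TSA the CA documents will do.
TSA_URL="http://timestamp.sectigo.com"

# Run a command, or just print it when DRY_RUN=1 (quoting is preserved).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# sign_exe <unsigned.exe> <signed.exe> <cert.pfx> <pfx-password> <app name>
# -t adds a timestamp so the signature stays valid after the cert expires;
# -h sha256 avoids the retired SHA-1 digest.
# Windows signtool equivalent:
#   signtool sign /f cert.pfx /p <pw> /fd sha256 /tr <TSA> /td sha256 app.exe
sign_exe() {
  run osslsigncode sign \
    -pkcs12 "$3" -pass "$4" \
    -n "$5" \
    -t "$TSA_URL" -h sha256 \
    -in "$1" -out "$2"
}

# verify_exe <signed.exe>: checks the Authenticode signature and prints the
# signer and timestamp details; exits non-zero if verification fails.
verify_exe() {
  run osslsigncode verify -in "$1"
}

# Build-script entry point; only runs when RUN_SIGN=1 so sourcing is harmless.
if [ "${RUN_SIGN:-0}" = 1 ]; then
  sign_exe app.exe app-signed.exe cert.pfx "$PFX_PASSWORD" "My App"
  verify_exe app-signed.exe
fi
```

Verify with `osslsigncode verify` before shipping: a signature made without `-t` silently stops validating once the certificate expires, which is the caveat that bites small shops who buy one-year certs.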