Any reuptable free code-signing certificate authorities?

[Gizmo]

Apologies if this has been raised before (quick search showed mostly OSX related talk).

I would like to ship code-signed copies of my program. A few years back I did layout for a certificate from DigiCert, and I asked for £1.99 for each download of the code signed exe, and although I recouped the £200, just, it didn't feel right. And the following year, the price doubled, to nearly £400. As the program was intended to be distributed for free, I stopped using it and resorted to shipping unsigned exe.

I'm aware you can generate self-signed certificates using Kleopatra, but although that does sign it, it does not do so sufficiently for the OS (Windows) to treat it any differently from a trust perspective. AFAIK.

Lets Encrypt only do SSL certificates. And SigStore (which looks very promising https://www.linuxfoundation.org/en/press-release/linux-foundation-announces-free-sigstore-signing-service-to-confirm-origin-and-authenticity-of-software/) by the Linux Foundation is not available yet (https://github.com/sigstore/sigstore). But I am watching that space.

The question is : is there a "currently available way" of code-signing a release of our open source programs with no cost to us, as the developers? If not, how many of you distribute your projects as signed vs unsigned? Thanks

[Marc]

For the Lazarus ide itself we have been thinking about https://shop.certum.eu/open-source-code-signing-code.html

Not free, but cheaper than others

Marc

[Gizmo]

Thanks Marc. That is indeed something worth looking at. £35 for the card and £25 for the cert is a lot more affordable than the £400ish I was having to pay for Digicert I'll keep it in focus for my next release, if SigStore is is still in dev and not released by then.

Thank you .

[dbannon]

...... If not, how many of you distribute your projects as signed vs unsigned? Thanks

I don't sign the windows version of my app, just warn people that they will be told its risky.
I use a self signed cert to sign the RPMs because SUSE like that.
Even my MacOS ireleases are unsigned and I see a number of downloads.
Overall, I have not yet ever had an end user complain about lack of appropriate signing. Maybe that is because I mention it and they think I consider he matter 'closed', maybe my users consider themselves capable of making their own decisions.

Generally, if there was a free certificate available, I guess the bad guys would use it too.  In fact, there is probaly quite a lot to be made out of dodgy software, I am surprised the bad guys don't spend the $400 just so people trust them.

Davo

[Gizmo]

All valid stuff. And I have followed largely the same approach.

My problem is that a lot of my users enjoy the functionality of the program and would like to use it in more corporate settings. But often due to IT rules in the workplace, the lack of code-signing seems to be a barrier to adoption in some areas. So its not always a matter of making their own choices. It is sometimes a matter of trying to comply with business IT rules I think to ensure that software running on a system can have its roots back to a developer\vendor verified. 

[lucamar]

Generally, if there was a free certificate available, I guess the bad guys would use it too.  In fact, there is probaly quite a lot to be made out of dodgy software, I am surprised the bad guys don't spend the $400 just so people trust them.

Despite what most people seem to think, code-signing is not a question of security (at least not directly) but of accountability: it's meant to guarantee that a piece of code comes from where it says it comes, nothing more.

A bad (or a good or a neutral) guy/gal can sign his piece of malware however he wants and all that's going to tell is that it indeed comes from the bad (/good/neutral) guy. It's you who must decide whether you can place any trust on that source and follow on or abort the installation accordingly.

That also means that a signing certificate (or rather the identities of both the issuer and the signer) must be validated somehow, which is where part of their cost comes from.

[dbannon]

Despite what most people seem to think, code-signing is not a question of security (at least not directly) but of accountability: it's meant to guarantee that a piece of code comes from where it says it comes, nothing more.
A bad (or a good or a neutral) guy/gal can sign his piece of malware however he wants and all that's going to tell is that it indeed comes from the bad (/good/neutral) guy. It's you who must decide whether you can place any trust on that source and follow on or abort the installation accordingly.
That also means that a signing certificate (or rather the identities of both the issuer and the signer) must be validated somehow, which is where part of their cost comes from.

Well, there is a little more to it than that. I am not a Windows/Mac user so don't know exactly how they works. But I understand with the Mac at least its a case of paying an annual fee.  My experience was with Grid Computing where we had a structure of certificate issuing authorities, each agreeing to trust each other's certs.  But conditional on that trust was a process, at each site for issuing revocable certificates and ensuring they only went to people who were who they claimed to be. The Chain of Trust was quite fragile, a (national) site could be excluded for process breeches.

As I understand it, the only check being applied in this case is "have they paid their money" ?   So, if I was a Windows/Mac user, that would give me no confidence in the process at all !

Fortunately, I use Linux and no Linux user would every do anything malicious.   

Davo

[lucamar]

[...] conditional on that trust was a process, at each site for issuing revocable certificates and ensuring they only went to people who were who they claimed to be. The Chain of Trust was quite fragile, [...]

Exactly. That's what I meant: the certificate, if correctly issued, only assures the user that the code comes from whom it says it comes, nothing more, and it's only as sure as the chain of trust used to issue it. There is nothing more to it.

One has but to look closely at the practices of quite a lot of "trusted" Android software houses. Because code-signing you know the software comes from them but that doesn't mean that it's any more secure than your own "untrusted" program. I mean, there are quite serious "notepad" style programs or ebook readers or what not out there wanting to access your phone's GPS, take photos & videos, read your (and send their) email, ... Yeah, "secure"

[Aidex]

Hi!
I use this "OV Code Signing Certificate" for my commercial Windows software. The certificate costs around 80 euros per year.
https://www.ksoftware.net/code-signing-certificates/

Code signing is more than just identify the author: It guarantees that the file has not been modified since it was signed, i.e. that it wasn't infected by a virus and has not been manipulated e.g. on the webserver.
For my customers this is very important, because they are not allowed to download dubious files from the internet.

The certificate can be checked by the user with the right mouse button before starting the downloaded program the first time. It is a better alternative than e.g. MD5 checksums.
For an easy signing, KSoftware offers a freeware.

[440bx]

"have they paid their money" ?   So, if I was a Windows/Mac user, that would give me no confidence in the process at all !

capitalism... you got money ? ... if you give us some, we trust you!   (certificates for some reason remind me of Enron)