Hunter in the Woods

Noobs guide to getting a Code Signing Certificate.

I've just completed my first code-signed Windows App, Style for Windows, and found the process to be a bit of a nightmare for the uninitiated.

In many cases I found it was presumed that you already have a certificate, but no one told me what I actually needed to do to get to this point - so this is a write-up of how to become eligible for a certificate and get one onto your computer.

I won't be covering how to actually use the cert, as this is usually specific to your needs and there are already many tutorials online that address this.

Assumptions

I'll assume that you know why you need a cert (some good reading about certificates and terminology here), you have registered your business and have built, or are building, an App that you're ready to unleash upon the unsuspecting masses.

Step 1: List your business in globally recognised indexes

This is the step that I wish I had focused on earlier, but I didn't realise how long it would actually take. It took me about a month and a bit to fit all the pieces together, so ideally you would want to start this process long before your software is finished. Naturally I assume you're only reading this at the point you actually need it - so you're going to need to grit your teeth, pick up the phone and practice the art of Zen.

Sign up for and list your business on the following services:

  • Companies House or your country's equivalent (Mandatory)
    • You should have this already from when you set up your Company - but make sure that your address, phone number and email match your company details exactly for all government services (IRD, etc.) and the services listed below. If they are mismatched, you're going to have a bad time because they cross-check each other and you have to get them all to match before you can move forwards.
  • Google Business (Easy)
    • Go to: https://www.google.com/business and register your business
    • They will send you a postcard with a code on it to validate you are a legit company - usually takes 2-3 weeks.
  • Dun & Bradstreet (Medium)
    • Go to your country's Dun & Bradstreet website and register your company with them. I would recommend trying to call them directly as their online presence is a labyrinth of cul-de-sacs and broken links. When I first saw them I had to ask my certificate provider to validate they were real because their websites are so broken and the UX/UI is so shit (at the time of writing anyway). Turns out they have been around forever and are kind of a big deal in the “validating businesses are real” space. The irony of this won't be lost on you I'm sure…
    • As they have many different websites, which get confusing real quick - if you're in the US, here is a good place to start: https://iupdate.dnb.com. If you're from one of those other countries, you'll have to find your local office in your favorite search engine.
    • Completing this process will also give you a DUNS number which you can provide later and use to validate your company with other businesses.

I think you only need two of these - however, since you're doing this already, just do the lot and be done with it so you're set up for the future.

Step 2: Choose a provider and certificate type

Ok so while step one registrations are in and taking forever, you can now do some research into what kind of cert you want to get and from whom.

Certificate Types:

Cert types for code signing really only come in two flavours for digital software:

  • Code Signing Certificates (Digitally Signed Software):
    • Code signing certificates are used to digitally sign a program to prove that it has not been altered or compromised by a third party. This will:
      • Protect your code
      • Prevent warning messages on installation
      • Increase user confidence and security
      • Make you look like a legit outfit
  • EV Code Signing Certificates (Digitally Signed Software with Extended Validation):
    • An EV certificate gives you everything above, but takes it a lot further - building more trust, reducing warning messages and creating a deluxe security reputation. It will also:
      • Help establish reputation with Microsoft SmartScreen
      • Two-factor authentication
      • Extended validation verification
      • Comprehensive OS & browser trust
      • Support for Hardware Security Modules (HSM)
      • Usually has 24-hour technical support

Note: In terms of actual security, I don't think there is very much difference between them and, as far as I'm aware, no one buys EVs anymore - which tells you pretty much everything you need to know.

Providers:

Lots of companies provide code signing certs and, to some extent, the end product is the same regardless of who you pick - so it really just comes down to how much support you want and how “trustworthy” you need to appear.

I can tell you from my own experience that buying a super cheap cert from Comodo is “fine”, but the process can be really painful and the “help desk” is severely lacking/straight up confusing. Whereas the process of buying one from Digicert is really easy and the helpdesk is excellent. They also don't charge you until the end of the process, unlike my Comodo trial by fire. If you're going for a bargain and buying via a third party - normal third-party caution should apply (A refund? Communication? Service? What is that? etc.).

I can't vouch for the rest, but I would recommend not hitting the very cheapest (cough Comodo) if this is your first time or even your fourth. Here are some of the major players to start you on this journey (lots of good info and a wide range of prices):

  • Comodo
  • Digicert
  • Geotrust
  • Globalsign
  • Symantec
  • Thawte
  • Verisign

And many more… just search for them :)

Step 3: Provider Requirements

You're not out of the woods yet: your provider is going to need more urine samples and fingerprints to check you are who you say you are - so get the following data ready:

  • URL to your Companies House listing
  • Your website
  • Pick at least one:
    • URL to your verified Google Business
    • Your DUNS number from Dun & Bradstreet.
  • A copy of one of the following (with address, dated within the last 6 months):
    • A recent company bank statement (you may black out the Account Number) OR
    • A recent company phone bill (fixed land line) OR
    • A recent major utility bill of the company (i.e. power bill, water bill, etc.) or current lease agreement for the company OR
    • Your Registration documents (with address)
  • Callback
    • Once all of this has been approved they will give you a call to make sure you're legit - can be automated in some cases

NOTE: I have only ever bought Code Signing Certificates, not EV certs. But I believe more might be required for one. Your provider should tell you what these are, however.

Step 4: Download and install your shiny new Certificate

Ok, you have made it through and you should have an email from your provider saying congrats, click here to get your certificate. This will most likely just be a link to their website which will generate a cert for you.

Follow the instructions provided, but in essence you will be:

  1. Generating the cert on the provider's website
  2. Installing it into a browser
    • Make sure it's on your dev machine, in the right OS
  3. Saving the cert to your desktop.
    • There are a few different file types you can use, which will be defined by the use you want to put it to and which programs you're using. So look this up first. Lots of tutorials / Stack Overflow answers on all this.
  4. Signing your application code with it
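As an added example (not from the original post), here is how the last two steps look in PowerShell on the dev machine once the cert has been exported from the browser as a PFX: the script sanity-checks the PFX (private key present, Code Signing EKU, not expired), signs the build with a timestamp, and then reads the signature back the way Windows will. The file paths and the timestamp URL are placeholders; use your own paths and your CA's timestamp server.

```powershell
# Added example, not from the original post. Paths and the timestamp URL below
# are placeholders (assumptions), substitute your own before running.
param(
    [string]$PfxPath   = 'C:\certs\mycompany-codesign.pfx',  # PFX exported from the browser
    [string]$ExePath   = 'C:\build\StyleForWindows.exe',     # the app you want to sign
    [string]$Timestamp = 'http://timestamp.example.invalid'  # your CA's timestamp server URL
)

# 1. Load the PFX (you will be prompted for the export password) and check
#    that it is actually usable for code signing before touching the build.
$cert = Get-PfxCertificate -FilePath $PfxPath

$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
# 1.3.6.1.5.5.7.3.3 is the id-kp-codeSigning OID; without it Windows will not treat the signature as trusted.
$isCodeSigning = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
if (-not $isCodeSigning)    { throw 'Certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3)' }
if (-not $cert.HasPrivateKey) { throw 'PFX has no private key; re-export it from the browser with the key included' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. Sign with SHA-256 and countersign with a timestamp, so the signature
#    stays valid after the certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $ExePath -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $Timestamp
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# 3. Re-read the signature from the file, independently of the object we just
#    got back, and report what a user's machine will see.
$check = Get-AuthenticodeSignature -FilePath $ExePath
[pscustomobject]@{
    Status      = $check.Status                          # expect 'Valid'
    Signer      = $check.SignerCertificate.Subject       # should be your company's name
    Thumbprint  = $check.SignerCertificate.Thumbprint
    Timestamped = [bool]$check.TimeStamperCertificate    # $false means the signature dies with the cert
}
```

If Status comes back as anything other than Valid, fix that before shipping; a signed binary with an untrusted chain still produces installation warnings.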

Wrap up

So you've got your cert and hopefully installed it into your application. Here are a few things that I ran into once I had signed my App:

  • Still got installation warnings? Yup… =_=
    • If you have got just a Code Signing Certificate (not EV) and you're still getting MS SmartScreen warnings, fear not, weary traveler! Microsoft are just testing that you are indeed an upstanding citizen and once a few people have installed your App without catching any viruses, you get whitelisted and this goes away.
  • Reap the glory that no one sees
    • That's right, you're basically doing a lot of work to make sure folks don't see warnings and are safe - which some might argue, no one pays much attention to anyway. AKA the “Just. Keep. Clicking. Yes…. I have no idea how that got on there?” method. So if you're giving a small free App away from your website, you could consider not bothering with a cert until you need to. Or you can release your App before this process is complete and add a note saying you're in the process of getting code signed near your download link - I did this and still got a few hundred downloads so don't let this stop you from moving forwards.

Good luck!
