Code signing certificate for open-source projects?

Question

I want to publish one of my applications as open-source and want to digitally sign the binaries I\'ve created with my own certificate. (Of course, anyone else can just downl

Answer 1

For open source developers, Certum provides code signing certificates for free*

Just enter "open source developer" in the "company" field when you request the certificate. That's it.

Link to open source code signing certificates is here

[*] Starting 2016, the Open Source Code Signing certificate is no longer available for free. It is now a paid only service.

Answer 2

You could have a look the StartSSL product.

Note StartSSL has now closed and is no longer issuing certs.

Answer 3

You will need to buy a code signing certificate. The cheapest ones are from Comodo. I have published source code and binaries, like you plan, and signed the binaries. See Date & time batch changer for photos and other files.

Answer 4

You can try CAcert. With this you get certified by other CAcert-users. CAcert has a reputation-based system, so if you are certified often enough your certificate is counted as valid.

You may have to add CAcert as a trusted authority on the target system. Self signing your executable should be a sufficient option but you will need to provide the public certificate. Using a known authority can help verify the file but I think it is over kill in this case use a checksum or sha2 hash of the file in combination with your self signed certificate. You could set up a linux box as a CA however they will need to trust your public certificate.

Answer 5

You can also check out KSoftware. They resell Comodo code signing certificates for US$99/ year.

Answer 6

2016 update: StartCom has been acquired by WoSign under questionable circumstances. I wouldn't trust StartCom/WoSign. Consider the below text as a historical note on how good StartCom was up to early 2015.

I've got a code signing certificate from StartCom (StartSSL). I'm very satisfied with their service: Their customer service is very fast, and their prices are very reasonable.

Getting the code-signing certificate

Getting a code signing certificate requires Class 2 Identity Validation. StartCom guides you through the whole process (with excellent response rates, usually within ten minutes in my experience).
If you want to get the details right at once, read this blog post. I was validated within an hour (for a fee of 59.90 $, via Paypal).

After being validated, generate a new private key, and a Certificate Signing Request (CSR). Note that all fields except for the public key are ignored. All information in the certificate is inferred from the information you provide during identity validation, not from your CSR.

# Create key and CSR (key must be at least 2048 bit, per Policy Statement)
openssl req -nodes -newkey rsa:2048 -keyout codesigning.key -out codesigning.csr
# Add pass phrase to key (optional, but highly recommended)
openssl rsa -in codesigning.key -des3 -out codesigning2.key && \
    mv codesigning2.key codesigning.key

Submit this via the web interface and you'll quickly get a new certificate that's valid for two years (I got mine within an hour).

Issue: Lifetime Signing OID

StartCom's class 2 certificates have the Lifetime Signing OID set. Because of this bit, the signature of signed code will become invalid after the certificate expires, even when it's timestamped.

When I asked Eddy Nigg (COO/CTO of StartCom) for the reason of this OID, he replied:

It requires from us to keep the CRLs operating for up to 20 years after the certificates already expired. This is something we can do for EV level certs (much lower volume, different payment terms) but would increase the price for Class 2 just for this benefit (where code signing is only part of the options in this level).

Timestamping is thus only available after Extended Validation (EV), which is only available to legally established organizations and costs 199.90 $. So, individual developers cannot use timestamping with a code signing certificate from StartCom.

For a long time, I considered this limitation as a big issue. Recently, I changed my mind: It only happens once every two years, security-minded users might be more inclined to get the latest version of my software, and old versions of the software will still work (for those who want to use it; though without a verified signature).

Note: Always timestamp your code, even when the Lifetime signing flag is set! Timestamped signatures will remain valid until the expiry date of the certificate, even when the certificate has been revoked (obviously, only if the signature was created before the certificate was revoked).

Practical use of certificate

At StartCom, you only pay for validation. The identity validation is valid for 350 days, and during this period, you can request code signing certificates for free. You can only have one valid code signing certificate, and it can be used to sign any code (MSI, DLL, XPI, ...) but not driver code (this requires EV).

To change an attribute on the certificate, the previous certificate must be revoked an a new one requested. Revocation of a certificate costs 29.90 $. Though when I changed my email a day after getting a code signing certificate, they exceptionally revoked my certificate without fee (I was positively surprised)!

Expiration

When your certificate is about to expire (after almost two years), you get a notification (two weeks in advance). If your verified identity is still valid (recall that validations expire after 350 days; then you have to confirm your identity again for 59.90$), you can request a new certificate without revoking the previous one. Do not forget to publish a new release of your software that's signed with this new code signing certificate, because the previous releases will soon show "(not verified)" or something similar.

OCSP

When I received my certificate, I signed my Firefox add-on. However, it still showed "(Author not verified)", even though my XPI file was correctly signed. It turned out that Firefox did not get the current certificate status when it queried the OCSP servers of StartCom for the revocation status of my new certificate. ^{possibly relevant forum topic}

After about a half day, my certificate was known to the OCSP servers, and my name showed up as expected. Lesson learnt: When you've got a new certificate, wait about a day before publishing your software with the new signature.