
I am getting a code signing certificate for my open source projects. I have a couple of questions about them:

  1. Being an unregistered company that develops open source projects, is there a way to get past the verification process?
  2. If I register the code signing certificate under my personal name, are there any risks involved (for example, stolen identity and stalking)?
Edward Brey
SameOldNick
  • Related: [Code signing certificate for open-source projects?](http://stackoverflow.com/q/1177552/145173) – Edward Brey Sep 23 '13 at 10:25
  • Possible duplicate of [Code signing certificate for open-source projects?](https://stackoverflow.com/questions/1177552/code-signing-certificate-for-open-source-projects) – rsjaffe Aug 01 '18 at 13:19

2 Answers


Certum (http://www.certum.pl) offers free code certificates for open source projects. I know the TortoiseSVN and AnkhSVN projects use certificates from them for their distributions.

The problem with signatures expiring when the certificate does is not specific to a certificate provider but to how you sign the certificate. To keep the signature valid you should also sign a timestamp. See the FAQ of your certificate provider.

Bert Huijben
  • I already tried signing up for Certum but I still haven't heard back. Too bad I already signed my software because I didn't add the timestamp to it. I guess I could re-release the software but it's a lot of work... – SameOldNick Jul 03 '12 at 04:52
  • 1
    You should be able to re-sign your existing software. At least for the MSI-s that I use that is a relative simple operation. I don't sign my .Net code itself with this certificate. – Bert Huijben Jul 09 '12 at 10:44
  • I had a certum certificate for the last few years. (Must be renewed within the next two weeks) – Bert Huijben Jun 18 '13 at 22:54
  • 7
    It looks like Certum is no longer free. I got notice that my certificate is going to expire and I now get sent to a purchase page. It's under $20 after US conversion, but their product page also doesn't say how long the cert is good for. The price may be right, but if I'm going to start shelling out money for a pet project, I want to know a little more clearly what I'm getting. – HotN Feb 24 '16 at 04:30
  • "Lifetime signing" is an Extended Key Usage OID that limits the signature to the lifetime of the cert -- timestamping doesn't change that. – Peter Torr - MSFT Mar 13 '19 at 22:48
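A way to check whether an already-signed file will outlive its certificate, covering both points raised above (the missing timestamp countersignature and the Lifetime Signing EKU), as an added example that is not from the question or either answer. It assumes Windows PowerShell, a PE file or script that `Set-AuthenticodeSignature` can sign, a code-signing certificate in the current user's store, and a timestamp server URL that is a placeholder for your CA's.

```powershell
# Added example (not from the question or answers): report whether an
# Authenticode signature is timestamped and free of the Lifetime Signing EKU,
# and optionally re-sign with a timestamp so the signature survives cert expiry.
param(
    [Parameter(Mandatory)] [string] $Path,
    [switch] $Resign,
    [string] $TimestampServer = 'https://<your-CA-timestamp-server>'  # placeholder
)

# szOID_KP_LIFETIME_SIGNING: when present in the signer's EKU, Windows treats the
# signature as expired together with the certificate, timestamp or not.
$LifetimeSigningOid = '1.3.6.1.4.1.311.10.3.13'

function Get-SignatureOutlook {
    param([string] $File)
    $sig  = Get-AuthenticodeSignature -FilePath $File
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ File = $File; Status = $sig.Status; Timestamped = $false;
                                  LifetimeSigning = $false; SurvivesExpiry = $false }
    }
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasLifetime = $false
    if ($ekuExt) {
        $hasLifetime = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $LifetimeSigningOid })
    }
    # A timestamp countersignature shows up as a TimeStamperCertificate on the signature.
    $timestamped = $null -ne $sig.TimeStamperCertificate
    [pscustomobject]@{
        File            = $File
        Status          = $sig.Status
        SignerExpires   = $cert.NotAfter
        Timestamped     = $timestamped
        LifetimeSigning = $hasLifetime
        SurvivesExpiry  = ($sig.Status -eq 'Valid') -and $timestamped -and (-not $hasLifetime)
    }
}

$before = Get-SignatureOutlook -File $Path
$before | Format-List

if ($Resign -and -not $before.Timestamped) {
    # Re-signing overwrites the old signature; the timestamp server countersigns
    # the signing time so the signature stays valid after the cert expires.
    $signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    Set-AuthenticodeSignature -FilePath $Path -Certificate $signer `
        -TimestampServer $TimestampServer -HashAlgorithm SHA256 | Out-Null
    Get-SignatureOutlook -File $Path | Format-List
}
```

`SurvivesExpiry` is false for a signature that is valid today but has no timestamp, which is the situation described in the first comment above.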

You can obtain a certificate as an individual. See [Code signing certificate for open-source projects?](https://stackoverflow.com/questions/1177552/code-signing-certificate-for-open-source-projects) for issuers.

When you obtain a code signing certificate as an individual, you have to prove your identity. This involves providing identifying information such as a driver's license or passport to the issuing company. However, the only identifying information that gets put into the certificate (and therefore becomes public when you publish an app signed with that certificate) is your name and email address.

Edward Brey