Code signing: consolidation, monopolies, and price hikes

Moonchild
Project founder
Posts: 38825
Joined: 2011-08-28, 17:27
Location: Sweden

Code signing: consolidation, monopolies, and price hikes

Post by Moonchild » 2026-01-17, 08:07

Since Pale Moon's code signing certificate is about to run out (2026-03-20) in terms of validity, I've looked at renewing it.
It seems, however, that K-Software is no longer in operation, and their suggestion to go to Sectigo/Comodo directly is really not affordable. Code signing certificates now start at around $220/year (which is now marketed as "cheap"...) regardless of CA and only go up from there, to $500/year+. All the good options for smaller open source projects have been discontinued entirely (like K-Software, which I used before) or consolidated into the few big CAs (Digicert, Sectigo/Comodo and Certera), and those seem to have set agreed prices among themselves, being around €200 or $225 per year, pretty much making it a monopoly.

This kind of price hike is unaffordable for me or the project - and throwing that kind of money at a CA (with the cheapest options not even offering assurance coverage you'd pay for justifying the higher price of code signing over SSL) is frankly ridiculous. Unless someone knows of a proper alternative that doesn't involve signing the binaries by a third party or with a cert that doesn't identify the actual code owner (me personally or Moonchild Productions as an organisation), it looks like I'll have to drop code-signing altogether.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

jobbautista9
Board Warrior
Posts: 1137
Joined: 2020-11-03, 06:47
Location: Philippines

Re: Code signing: consolidation, monopolies, and price hikes

Post by jobbautista9 » 2026-01-17, 10:20

What about SSL.com? Their code signing cert can be OV and IV, and it costs at most (not counting the eSigner and Yubikey) 129 USD per year: https://www.ssl.com/certificates/code-signing/

I'm not sure if you can bring your own Yubikey there though (I don't know how code signing even works tbh). SSL Corp requires either using their eSigner cloud code signing service which has its own subscription, or a FIPS-compliant USB token.

Tired of creating stuff!

Avatar artwork by Shinki669: https://www.pixiv.net/artworks/113645617

XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.

Moonchild
Project founder
Posts: 38825
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Code signing: consolidation, monopolies, and price hikes

Post by Moonchild » 2026-01-17, 11:32

jobbautista9 wrote (2026-01-17, 10:20):
What about SSL.com? Their code signing cert can be OV and IV, and it costs at most (not counting the eSigner and Yubikey) 129 USD per year: https://www.ssl.com/certificates/code-signing/

No, it costs a lot more.
eSigner is limited, cloud-based signing and is expensive ($100/month... for 10 signings max...), and they require an EV cert for cloud signing.
Yubikey from them is also expensive.
They don't outright tell you all the hidden costs until you go into the ordering process.

Bilbo47
Lunatic
Posts: 386
Joined: 2017-11-18, 04:24

Re: Code signing: consolidation, monopolies, and price hikes

Post by Bilbo47 » 2026-01-18, 00:42

Supposedly the code signing resold by https://cheapsslsecurity.com is the most affordable.
Have to buy it before March 1 (?) when bad things happen:
- the cert duration reduces, from like three years to one?
- signing by USB dongle is stopped, in favor of cloud-only aka third party signing?
Supposedly after the cutoff date there will be no options for self-signing using a cert file / non-dongle / non-cloud?
Apparently per Micro$lop there is zero advantage to EV certs; not sure if that is for web and code or for web only.

One blue-sky conjecture was that huge repos like Git(la)|(hu)b would sell lower-cost signing services, where something beyond just currency-cost might be shared among projects.

Reference Security Now podcast page 6

RealityRipple
Keeps coming back
Posts: 931
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Code signing: consolidation, monopolies, and price hikes

Post by RealityRipple » 2026-01-18, 01:57

Been looking for decent open-source-friendly code signing for years; there's nothing. I finally gave up and did the self-signing thing, and made everything expire in 2074, kinda in protest of the "time = security" paradigm everyone's been adopting. Almost as bad as the "money = security" one.

Moonchild
Project founder
Posts: 38825
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Code signing: consolidation, monopolies, and price hikes

Post by Moonchild » 2026-01-19, 10:05

I'm currently in touch with the people of OSSign to see if there are any options that fit and are affordable for a project like ours.

Moonchild
Project founder
Posts: 38825
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Code signing: consolidation, monopolies, and price hikes

Post by Moonchild » 2026-02-10, 18:46

@realityripple maybe you can give me a run-down of how to do the self-signing thing, so I can at least authenticate the binaries with a signature with limited verifiability instead of leaving them unsigned?

So far I've run into nothing but dead ends.

Microsoft Azure cloud-signing would be an option, but they have now been in possession of all documentation to verify my org for almost a month and it's just sitting there, so I can't get anywhere (and reaching a human at their support dept is literally impossible).
Sectigo contacted all former K-software clients to try and sell code-signing directly, including me, but expect those people to literally pay 10x what they did before for the same certs with $0 liability coverage at $571/year...
Other services are all charging eye-watering monthly "service" fees or outright a minimum of $220/year "discounted/cheap" certificates.

So I'm about ready to give up and throw in the towel.

RealityRipple
Keeps coming back
Posts: 931
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Code signing: consolidation, monopolies, and price hikes

Post by RealityRipple » 2026-02-10, 23:43

The way I set my signing up follows the same structure as the big guys - a root certificate, intermediate software/email/tls/timestamp certificate authorities, and then the regular certs, all with regularly updated revocation lists. I'll omit the email, tls, and timestamp for this.

First off, I've attached a basic file structure for organizing all this (very important for later), which requires some initial notes:
  • The ./etc/ folder is where all the important configuration stuff is, so first go to ./etc/ca/root.conf and change the following values:
    • base_url
    • everything in the [ ca_dn ] group
    • default_startdate, default_enddate, and default_crl_days inside [ ca_root ]
    • default_md if you don't want to use SHA-512
  • Then do the same for ./etc/ca/software.conf, for the intermediate Software CA.
  • After that, edit the .pwd files in ./etc/ca/software/pwd/ to make passwords for these CAs. Personally, I just use 512 randomly generated characters.
  • You can safely ignore ./etc/cert/software.conf, unless you want to change default_md.

Next up is kinda dumb, but you can choose what serial numbers to use for your certificates -
Go to ./ca/root/db/ and edit crt.srl to set the Root CA's serial number (hexadecimal). Edit crl.srl if you want to set the start point of the CA revocation lists.
Then do the same for ./ca/software/db/crt.srl for the Software CA's serial number, and crl.srl for the start point of the software certificate revocation lists.

Now that the files are all ready to go, it's time for OpenSSL to do its thing. (Note that these commands use some Windows batch functions, not Linux ones, so replace as applicable)

Generating your Root CA:

Code:

openssl req -new -config etc/ca/root.conf -out ca/root/request.csr -keyout ca/root/private/priv.key -passout file:etc/ca/pwd/root.pwd
openssl ca -selfsign -config etc/ca/root.conf -in ca/root/request.csr -out ca/root/pub.crt -extensions root_ca_ext -passin file:etc/ca/pwd/root.pwd
openssl x509 -in ca/root/pub.crt -out ca/ca-root.cer -outform der
openssl ca -gencrl -config etc/ca/root.conf -out crl/ca-root.crl -passin file:etc/ca/pwd/root.pwd
openssl crl -in crl/ca-root.crl -out crl/ca-root.crl -outform der
Generating your Software CA:

Code:

openssl req -new -config etc/ca/software.conf -out ca/software/request.csr -keyout ca/software/private/priv.key -passout file:etc/ca/pwd/software.pwd
openssl ca -config etc/ca/root.conf -in ca/software/request.csr -out ca/software/pub.crt -extensions signing_ca_ext -passin file:etc/ca/pwd/root.pwd
openssl x509 -in ca/software/pub.crt -out ca/ca-software.cer -outform der
openssl ca -gencrl -config etc/ca/software.conf -out crl/ca-software.crl -passin file:etc/ca/pwd/software.pwd
openssl crl -in crl/ca-software.crl -out crl/ca-software.crl -outform der
type ca\software\pub.crt >> ca\ca-software-chain.pem
type ca\root\pub.crt >> ca\ca-software-chain.pem
(The chained pem file may not be needed for your particular use-case)

These will generate the root and software CA cer and pem files in the ./ca folder, crt files in the appropriate subfolders, and key files in the private subfolders of those subfolders. The software CA's pem will also be stored in the root folder's archive subfolder (by serial number).

Generating your Code Signing Certificate:

Code:

set /p UFILE=Enter a Filename:
set /p UNAME=Enter a Common Name:
set /p UPASS=Enter a Password:

openssl req -new -config etc/cert/software.conf -out certs/software/%UFILE%.csr -keyout certs/software/private/%UFILE%.key -passout env:UPASS
openssl ca -config etc/ca/software.conf -in certs/software/%UFILE%.csr -out certs/software/%UFILE%.crt -extensions codesign_ext -passin file:etc/ca/pwd/software.pwd
openssl pkcs12 -export -name "%UNAME%" -caname "Courage Code Signing CA" -caname "Courage Root CA" -inkey certs/software/private/%UFILE%.key -in certs/software/%UFILE%.crt -certfile ca/ca-software-chain.pem -out certs/software-%UFILE%.p12 -passout env:UPASS -passin env:UPASS
(Of course, here, you'll need to change the CA names passed to match the commonName values from ./etc/ca/root.conf and software.conf)

This will prompt you to enter details, unlike the CAs, so you can generate other certificates as need be, just in case. In your case, this probably won't be necessary unless you want to really dive into self-cert hosting and make public extension signing or what have you...
When openssl has generated the Code Signing certificate, the result should be in the ./certs folder - the p12 file should have the public and private key, encrypted using the password set above, and the public key and private key separately should be available in the ./certs/software and ./certs/software/private folders respectively, should you need them. Additionally, ./ca/software/archive should have a PEM of the generated certificate, named after its serial number.

Lastly, revoking a certificate from the Software CA level:

Code:

openssl ca -config etc/ca/software.conf -revoke ca/software/archive/%SERIAL%.pem -passin file:etc/ca/pwd/software.pwd
(where %SERIAL% is the serial number of the code signing certificate to revoke)

And then you need to regularly build CRLs:

Code:

openssl ca -gencrl -config etc/ca/root.conf -out crl/ca-root.crl -passin file:etc/ca/pwd/root.pwd
openssl crl -in crl/ca-root.crl -out crl/ca-root.crl -outform der

openssl ca -gencrl -config etc/ca/software.conf -out crl/ca-software.crl -passin file:etc/ca/pwd/software.pwd
openssl crl -in crl/ca-software.crl -out crl/ca-software.crl -outform der
(converted to binary "der" format, for size and compatibility)

These should be built and uploaded every "n" days, as set by default_crl_days in the root and software.conf files. I use 2 days for root and 1 for software, just because a Certificate Authority ever being revoked seems less likely than a code signing certificate being revoked.

The CER and CRL files should be uploaded to the address described in the aia_url and crl_url conf settings, so make sure to set those correctly.
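The procedure above, as an added, runnable example that is not RealityRipple's attached files and not anything from the Pale Moon project: one POSIX shell script that builds the same Root CA -> Software CA -> code signing certificate hierarchy with a constructed minimal OpenSSL config written inline, issues the leaf with the codeSigning extended key usage, builds both CRLs, then revokes the leaf and rebuilds the CRLs, using openssl verify -crl_check to confirm the chain is accepted before revocation and rejected after it. Every path, name, password file and URL in it is an assumption (http://example.invalid stands in for the crl_url setting), and the config keys are the standard openssl ca/req/x509v3 options, not a copy of his root.conf or software.conf.

```shell
#!/bin/sh
# Added example, not RealityRipple's attached files or Pale Moon tooling: the same Root CA ->
# Software CA -> code signing cert layout from the post, with a constructed minimal OpenSSL config,
# plus the checks a release engineer wants: chain verifies, codeSigning EKU present, and the cert
# is rejected once revoked and the CRLs are rebuilt. Names, paths and URLs are assumptions.
CRL_URL="http://example.invalid/crl"   # placeholder for the post's crl_url setting
write_ca_conf() {  # NAME CRL_DAYS: stand-in for the post's etc/ca/NAME.conf, with absolute paths
  d="$WORK/ca/$1"
  mkdir -p "$d/db" "$d/private" "$d/archive" "$WORK/etc/ca/pwd" "$WORK/crl" "$WORK/certs/software/private"
  : > "$d/db/index.txt"        # certificate database, one line per issued cert
  echo 1000 > "$d/db/crt.srl"  # next certificate serial (hex): the post's crt.srl
  echo 01 > "$d/db/crl.srl"    # next CRL number: the post's crl.srl
  cat > "$WORK/etc/ca/$1.conf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
database = $d/db/index.txt
new_certs_dir = $d/archive
serial = $d/db/crt.srl
crlnumber = $d/db/crl.srl
private_key = $d/private/priv.key
certificate = $d/pub.crt
default_md = sha512
default_days = 730
default_crl_days = $2
policy = policy_any
[ policy_any ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ root_ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ signing_ca_ext ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$CRL_URL/ca-root.crl
[ codesign_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, codeSigning
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$CRL_URL/ca-software.crl
EOF
}
new_key() {  # KEYFILE PWDFILE: random password into a .pwd file (as in the post), AES-256-wrapped RSA key
  openssl rand -hex 32 > "$2" &&
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-256-cbc -pass "file:$2" -out "$1" 2>/dev/null
}
sign_csr() {  # REQ_CONF KEY KEY_PWD SUBJECT CSR CA_CONF CRT EXT CA_PWD [-selfsign]: the post's req + ca pair, -batch so nothing prompts
  openssl req -new -config "$1" -key "$2" -passin "file:$3" -subj "$4" -out "$5" &&
  openssl ca -batch -notext -config "$6" -in "$5" -out "$7" -extensions "$8" -passin "file:$9" ${10} >/dev/null
}
build_crls() {  # the step the post says to repeat every default_crl_days: PEM for openssl verify, DER to publish
  for ca in root software; do
    openssl ca -gencrl -config "$WORK/etc/ca/$ca.conf" -out "$WORK/crl/ca-$ca.pem" -passin "file:$WORK/etc/ca/pwd/$ca.pwd" &&
    openssl crl -in "$WORK/crl/ca-$ca.pem" -out "$WORK/crl/ca-$ca.crl" -outform der || return 1
  done
}
build_ca_tree() {  # fresh work dir, then root CA (self-signed), software CA, leaf cert, chain file, CRLs
  WORK=$(mktemp -d); E="$WORK/etc/ca"; P="$E/pwd"; S="$WORK/certs/software"
  write_ca_conf root 2 && write_ca_conf software 1 &&
  new_key "$WORK/ca/root/private/priv.key" "$P/root.pwd" &&
  sign_csr "$E/root.conf" "$WORK/ca/root/private/priv.key" "$P/root.pwd" "/O=Example Project/CN=Example Root CA" \
    "$WORK/ca/root/request.csr" "$E/root.conf" "$WORK/ca/root/pub.crt" root_ca_ext "$P/root.pwd" -selfsign &&
  new_key "$WORK/ca/software/private/priv.key" "$P/software.pwd" &&
  sign_csr "$E/software.conf" "$WORK/ca/software/private/priv.key" "$P/software.pwd" "/O=Example Project/CN=Example Code Signing CA" \
    "$WORK/ca/software/request.csr" "$E/root.conf" "$WORK/ca/software/pub.crt" signing_ca_ext "$P/root.pwd" &&
  new_key "$S/private/app.key" "$S/private/app.pwd" &&
  sign_csr "$E/software.conf" "$S/private/app.key" "$S/private/app.pwd" "/O=Example Project/CN=Example Releases" \
    "$S/app.csr" "$E/software.conf" "$S/app.crt" codesign_ext "$P/software.pwd" &&
  cat "$WORK/ca/software/pub.crt" "$WORK/ca/root/pub.crt" > "$WORK/ca/ca-software-chain.pem" && build_crls
}
verify_leaf() {  # 0 if the leaf chains to the root and is absent from the current software CRL
  openssl verify -CAfile "$WORK/ca/root/pub.crt" -untrusted "$WORK/ca/software/pub.crt" \
    -CRLfile "$WORK/crl/ca-software.pem" -crl_check "$WORK/certs/software/app.crt" >/dev/null 2>&1
}
has_codesigning_eku() {  # the extension that makes this a code signing cert rather than a generic one
  openssl x509 -in "$WORK/certs/software/app.crt" -noout -ext extendedKeyUsage 2>/dev/null | grep -q 'Code Signing'
}
revoke_leaf() {  # the post's 'openssl ca -revoke' (archive/<serial>.pem works equally), then rebuild the CRLs
  openssl ca -config "$WORK/etc/ca/software.conf" -revoke "$WORK/certs/software/app.crt" -passin "file:$WORK/etc/ca/pwd/software.pwd" && build_crls
}
leaf_status() { awk -F'\t' '{ s = $1 } END { print s }' "$WORK/ca/software/db/index.txt"; }  # V = valid, R = revoked
run_demo() {  # build, check, revoke; returns 0 only when every expectation holds
  build_ca_tree && has_codesigning_eku && verify_leaf && revoke_leaf || return 1
  ! verify_leaf && [ "$(leaf_status)" = R ]   # after revocation the CRL check must reject the leaf
}
run_demo; DEMO_STATUS=$?
[ "$DEMO_STATUS" -eq 0 ] && echo "all checks passed; files under $WORK"
```

Run it as a script with openssl 1.1.1 or 3.x on the path; it leaves the whole tree under a fresh temporary directory and prints the location. The post's pkcs12 export step applies unchanged to certs/software/app.crt and its key, and publishing the DER CRLs at the crl_url location on the schedule set by default_crl_days is what makes the revocation step meaningful to anyone verifying a signature.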

Moonchild
Project founder
Posts: 38825
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Code signing: consolidation, monopolies, and price hikes

Post by Moonchild » 2026-02-11, 06:38

Thanks for the detailed write-up! That's... a lot of extra stuff to deal with; I'm trying one more channel to try and get an official code signing cert first before going this route. Seems some resellers might still have options to get Sectigo code-signing certs at normal prices even if not advertised or discoverable, at least this month... fingers crossed I didn't just waste money :P