So, I started looking into this a little bit, prompted by a post in this thread:
viewtopic.php?f=61&t=30300#p243559
But since I don't want to further derail Basilisk-Dev's release thread, I'm just posting here.
I just figured I would try seeing what's involved in buying a code signing certificate, without actually hitting the final "buy" button, to get an idea of what it entails. And honestly, it's even worse than I thought...
The first thing to note is that the code certificates require some kind of FIPS-compliant hardware module as of May 2023. These are not cheap, and if you don't already have one, that's another $90 on top of the already rather pricy cost.
But, the real deal breaker, that is going to ensure this probably won't happen even after I get a job... is this screen:
Read it carefully. If I'm understanding this correctly, the only way the code signing certificate would actually do anything about the SmartScreen warnings, is if I were to buy an EV certificate. It's not that much more, if I were to pay that amount of money anyway... what's another $68 a year at that point? The problem isn't even the money, the problem is that... I literally cannot buy an EV certificate without being part of an organization. Even if I could afford it, I cannot do that as an individual developer. They won't sell it to me. They'll only sell me an inferior code signing certificate that is not even guaranteed to make the SmartScreen warnings go away.
So in order to get the full benefit of an EV certificate and achieve the goal of making my software trusted, I would need to create an LLC for Epyrus, and pay for an EV code signing certificate. Now, would having a lesser certificate help mitigate some of those SmartScreen warnings, maybe be a factor in making it not seen as malware? Sure, but that's an awful lot of money to spend to still potentially have this problem, and if I were at the point of investing hundreds of dollars into Epyrus and figuring out code signing, I might as well go ahead and pay to set up an LLC while I'm at it. Not to say I will be able to do any of this any time soon, but I just want to reiterate that this is being made out to be much cheaper and more reasonable a process than it actually is by a lot of folks. If it were just a matter of paying $100 to make the problem go away, I would find a way to make it happen eventually... that's not what this is. Code signing of this caliber is basically weeding out hobbyist developers who are not making money off their software. It seems like just a few years ago this may not have been the case, and maybe some people with established applications are grandfathered into a better deal or something, but things are really dire if you want to start doing this nowadays.
-
athenian200
- Contributing developer

- Posts: 1619
- Joined: 2018-10-28, 19:56
- Location: Georgia
The current state of code signing certificates seems really dire...
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind
-
Pentium4User
- Board Warrior

- Posts: 1329
- Joined: 2019-04-24, 09:38
Re: The current state of code signing certificates seems really dire...
That's the sh** that comes with Windows.
Another thing is that malicious software also gets signed; think about all the adware that comes with certain applications.
The profile picture shows my Maico EC30 E ceiling fan.
-
Moonchild
- Pale Moon guru

- Posts: 38406
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: The current state of code signing certificates seems really dire...
I think you may have gone down a few wrong paths on Comodo's site. (then again in retrospect maybe not?)
You don't need an EV certificate unless you want the high per-incident insurance that comes with it (primarily there for financial institutions who need to have their website insured for damages in case of a breach, etc.).
You don't need an EV-backed code-signing certificate if you're not signing system drivers that operate at system level.
I do not have an EV cert and Windows is happy with it. Telling you you need to upgrade to EV for smartscreen is BS.
What you want is an OV (Organisation Validated) code signing certificate (if they don't offer class 2 individual validation, that is). OV certs are also given out to individuals, and don't require a hardware key as far as I know. Edit: it does seem a hardware token/smart card is required now.
I'm shocked at the Comodo prices though. Last time I renewed my code cert this was NOT this expensive; now even OV wants $250+/year?... The requirement for an HSM does NOT warrant a 300-400% price increase on certs! I think this is the last time I've gone with them for my certs, then. Paying that much for a code cert for FOSS is totally ludicrous. Even through K-software, which I normally used, there isn't much of a discount now, so yes, it's a sorry state and it looks like CAs are using their near-monopoly position to squeeze money out of people.
As a side note: it seems K-software is getting abandoned as a result too, since their TLS cert expired at the start of this month and apparently nobody has noticed...
At least one CA I'm aware of has special deals for open source which might be your go-to: https://shop.certum.eu/data-safety/code ... cates.html
Open Source signing cert is €25, and they also sell card readers (€30 or so) and smart cards (about the same), so they have a one-stop solution if you want to go that route.
I just hope they won't get strong-armed out of the market like StartCOM if more people flock to them with these prices.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
athenian200
- Contributing developer

- Posts: 1619
- Joined: 2018-10-28, 19:56
- Location: Georgia
Re: The current state of code signing certificates seems really dire...
This part does seem to be correct, though. I was looking at the CA/Browser forum meeting minutes and I saw this:
https://cabforum.org/2023/06/06/minutes ... wg-6-june/
- EV certificates removal or merging EV/OV into one policy (Ian/Bruce)
- Ian (Microsoft rep): normal OV cert works just fine, no different than EV cert; no difference in SmartScreen or Defender
- Nick (Sectigo rep): Microsoft documentation states that there was a difference between EV and OV.
- https://learn.microsoft.com/en-gb/archi ... rtificates
- Can we move OV to EV?
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind