* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

Where to go for a code signing certificate?

I'm tired of Google and Microsoft reporting my product as Malware to my customers, so I think I'm going to have to bite the bullet and get my executables signed.

What are your recommendations? I hear it used to be Comodo, but since they were compromised, a certificate with them is still likely to flag you up as malware.

So who do you use now?
DanDan
Saturday, June 21, 2014
Yes, unless you're well known, actually running the installer is now usually buried under 'other options' while deleting the file is the promoted choice.

What about explaining the situation in an easily understandable way to downloaders on your site before they hit the download button?

From a personal p.o.v., there's nothing better than a syntactically correct explanation in plain English to reassure me that I'm not dealing with a scam site.
Drummer
Saturday, June 21, 2014
Comodo code signing certs work well for us. Here are a couple of places to get them:



Not very expensive, and it solves a lot of problems (despite the heaps of bad advice out there that code signing certs are a scam).
Wyatt O'Day
Sunday, June 22, 2014
+1 for http://codesigning.ksoftware.net/. That is who I use, good service and much cheaper than buying direct from Comodo.

>heaps of bad advice out there that code signing certs are a scam

They aren't a scam. But the price some providers charge is a total ripoff. Essentially all the certificate providers are doing is verifying your identity and multiplying two large primes together. How can they possibly charge several hundred dollars per year for that with a clear conscience?

See also:
Andy Brice
Sunday, June 22, 2014
KSoft is probably as cheap as you can get on Windows without using a freebie OSS cert.

Digital signing on Apple comes as part of the $99 annual developer membership. Going with an outside cert is a waste of money. I'm a bit surprised that Microsoft doesn't offer something similar as part of MSDN.
Kevin Walzer
Sunday, June 22, 2014
Thank you for your advice.

I am glad I do not have to pay out $500. I will probably go for the ksoft one. It's reasonably priced enough to probably pay for itself, making up for otherwise lost sales. I do agree with your article, Andy; it does seem to be a bit of a Windows software tax. I don't know why the prices would vary so wildly.
DanDan
Sunday, June 22, 2014
Both won't solve the problem on Windows 8. The SmartScreen feature shows a warning about all installers without an Extended Validation code signing certificate. There are two problems with them though:
* There are just two companies issuing them and prices are high ($449+)
* They can be ordered by a legal entity only. You cannot get one as an individual.

Another option to remove the warning is to apply to the Windows Store as a desktop application. It's cheaper but still for legal entities only.

In other words, if you're an individual (not a company), don't bother about certificates. If you earn a lot, it's time to incorporate.

Based on the official blog post: http://blogs.msdn.com/b/ie/archive/2012/08/14/microsoft-smartscreen-amp-extended-validation-ev-code-signing-certificates.aspx
Ivan Nikitin
Wednesday, June 25, 2014
And I was just beginning to think that I liked Microsoft more than Apple...
Andy Brice
Wednesday, June 25, 2014
From the article:

"Detractors may claim that SmartScreen is “forcing” developers to spend money on certificates. It should be stressed that EV code signing certificates are not required to build or maintain reputation with SmartScreen. Files signed with standard code signing certificates and even unsigned files continue to build reputation as they have since Application Reputation was introduced in IE9 last year. However, the presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs."

In plain English: companies with the newer, more rigorous certificate get a little boost when customers download in IE9+. This shouldn't be a huge shocker for those of you who know how sloppy the Comodo and other cheap certs' verification is (usually a short phone call by someone with no experience, in which it's exceedingly easy to lie).
Wyatt O'Day
Wednesday, June 25, 2014
> freebie OSS cert

Are you saying there's a way to sign for free?  If so, could you explain how, or point me in the right direction?  Thanks.
PSB136
Thursday, July 17, 2014

This topic is archived. No further replies will be accepted.
