I'm looking for companies (besides Verisign) that offer digital signatures for applications.

I actually had a user ask me about my lack of digital signature today, and I've decided to just get rid of the question.

Thanks.

-David

You can get it from Comodo (http://instantssl.com/code-signing/code-signing.html?currency=USD&region=North%20America&country=US) for a pretty low price.

I'm afraid Comodo were entirely incompetent and useless. I spent about 3 days and 10 emails in discussion with their tech support trying to get them to send me a certificate in the correct format (they use some dicky webform that only works in IE). In the end I am going to have to ask for a refund from them as they have simply failed to perform this easy task.

Cas :)

I believe the reputable alternative to verisign is Thawte (http://www.thawte.com/)

Thawte can be a bit of a pain if you do not have a phone number in the name of the company. You will need a notarized letter with your company logo... So I just gave up and went with Comodo.

Unlike the experience of Cas, their support was quick and helpful for me. And the code signing works just fine.

I believe the reputable alternative to verisign is Thawte (http://www.thawte.com/)

Verisign and Thawte are actually the same company: http://www.internetnews.com/bus-news/article.php/266911

They refused to take an ordinary certificate request by email, like all the other providers, after their web-based mockery of a CSR generator failed to work.

Cas :)

They refused to take an ordinary certificate request by email, like all the other providers, after their web-based mockery of a CSR generator failed to work.

Cas :)They're probably getting so many orders since the release of sp2 that they simply can't be bothered to dick around with special requests. :)

They refused to take an ordinary certificate request by email, like all the other providers, after their web-based mockery of a CSR generator failed to work.

Cas :)
Why didn't you just use IE?

Thanks, everyone.

Comodo seems to have processed my request snappy-like.

Now to figure out what to do with this thing... ;)

A question I have is: Do you sign the installation program *and* the application itself? Or just one or the other?

Thanks.

-David

You just need to run that signcode thingie on the installer.... SP2 doesn't cry about the actual app.

But you need to pay the fee for every patch and new version you release?

That could get yucky.

But you need to pay the fee for every patch and new version you release?

That could get yucky.

My understanding is that it's on a time basis (one year) and not a per product basis. In other words you can sign as many EXEs and other files as you want during that year. You just pay that $99 once (each year).

My understanding is that it's on a time basis (one year) and not a per product basis. In other words you can sign as many EXEs and other files as you want during that year. You just pay that $99 once (each year).

That's what my research is showing, yup.

There is the issue of "timestamping" EXE's too, so that the EXE remains "signed" even after the digital signature has expired.

Only the installer, eh? Very cool. That simplifies life considerably.

-David

Only one option is missed there - you can't change the name and contact info of the company. You'd be able to sign up the files for all of us guys... ;)

Why didn't you just use IE?

I did, and the keys are generated in a format that I can't use with Java's keytool. Normally one would produce the cert. request using the Java keytool and then just send it to the cert. authority and they'd send you back an X.509 certificate chain containing their certificates and yours, signed, which you then associate with the private key that you genererated the cert. request for.

It's not rocket science but their tech support simply refused to do it.

Cas :)