This means that, as an Free or Open Source Developer on Windows, you now have means to sign your applications and turn the following:
Obviously, this is great news for anyone dabbling into FOSS development, as it means we can now provide end users with Windows applications that they will see as trustworthy, without having to subscribe to the whole "your trustworthiness is only as big as your checkbook" scam.
To obtain your free code signing certificate then, you should follow the instructions provided here or go directly to the registration form.
Once you have submitted the form, you should receive an e-mail (in about a day) that takes you through the key generation process. This is one of the 2 steps you will need to complete to obtain the signing credentials, the other being the provision of some proof of your identity and FOSS involvement to Certum.
Also, be mindful that this first step results in the credential's private key being generated in your browser's store (rather than on Certum's servers, which is definitely a good thing), so you must ensure that, when you retrieve the final Authenticode credentials, you will do so using the same browser and the same machine as the one you used when completing this step. Else, you will not be able to export your credentials, which includes the private key, for SignTool.
The other step you will also need to complete is the provision of a proof of identity (copy of your passport, etc.) as a FOSS developer, since an Authenticode certificate is really an identity verification process.
While the Certum documentaion states that your proof of identity should be counter-signed by an official third party, I found it wasn't necessary. However, you should make sure that your proof of identity can be linked to your participation in public FOSS projects, so that Certum can confirm the validity of your request.
In all, it took about 2 days to obtain my Authenticode certificate, and I can't thank Certum enough for going against their obvious commercial interests in order to help the FOSS community. If you or your employer ever needs to purchase a commercial certificate, I hope you'll consider using Certum, as a reward for their efforts.
Now, one last hurdle you may face, after you've completed the whole process, is how to obtain of the full credential, i.e. private key + public key certificate, in the form of a p12 or pfx file, so that you can use it with SignTool.
As you will find, the default web interface ("Save binary" / "Save plain") only provides a download link for the public key certificate, which is useless for signing applications as access to the private key is also required. Thus you need to be able to export the private key along with the certificate, in a package that SignTool can consume. To do that, you first need to click on the "Install" button, to get the whole credential imported onto your browser security store (if prompted, make sure you mark the private key as exportable). Then, once in your store, your browser should provide the option to export it along with the private key, either as a p12 or pfx (and prompt you for a password to secure private key access). But please remember that, because of the private key generation mechanism, you must use the same browser as the one you conducted step 1 with, else you will not be able to import the final Authenticode credentials.
Addon: If you ever find that, even though you properly signed an executable requiring elevated access, the icon of the application does not display during the UAC prompt, please remember that the SYSTEM account needs to be have read access to your executable, to be able to display its icon => check out the Security tab in your files properties. If you don't see SYSTEM listed in "Group or user names", you need to add it manually.
Posts
hello,
ReplyDeleteThe checkbox you have to check in order to be able to submit the form says
"Wyrażam zgodę na przetwarzanie moich danych osobowych, przez Unizeto Technologies S.A. z siedzibą w Szczecinie przy ul. Królowej Korony Polskiej 21. Dane osobowe będą przetwarzane w celu przekazywania ofert marketingowych."
translated to English that would be something like:
"I agree to have my personal data processed by unizeto based in Szczesin Poland and shall be processed in order to communicate marketing offers"
Said in other words "i give you permission to send me spam"
No thanks i'll toss in some money and get a real certificate.
Thanks for the info. I have had my certificate for a few months now, and haven't seen any SPAM that seems to originate from the unizeto services, but that's good to know.
ReplyDeleteHello,
ReplyDeleteHow are you getting "Pete Batard - Open Source Developer?" Every time I submit the form it appends "Open Source Developer," no matter what.
Not sure I understand your question. If "Open Source Developer" is appended, and "John Doe - Open Source Developer" is what you want, then what is the issue?
ReplyDeleteI think he meant that it's not " - Open Source Developer " what was appended, It's always "Open Source Developer,". I'm facing this issue as well
ReplyDeleteIf that's the case, then you should contact Certum support to ask them about the issue. I don't remember doing anything special to get " - Open Source Developer" when I requested my signing credentials.
ReplyDeleteSadly support has told me that's just how it will be and they actually issued me a certificate with the common name: "Open Source Developer,Daniel Sage". It's pretty sad, I was really looking forward to this offer but don't want to use the certificate if that will show on ever program.
DeleteWell, you do realize that you are getting something that you are supposed to pay for, for free, so obviously there will be a trade off. If you don't want "Open Source Developer" to appear, you will have to pay for a non-free certificate.
DeleteIt's not that I don't want to it show "Open Source Developer" but rather how they display it, regardless I appreciate the free certificate.
Delete