2011-11-01

Free code signing certificate for Open-Source Developers

After seeing a few "John Doe - Open Source Developer" authentication certificates pop up when installing Open Source packages on Windows, and investigating their origin, I was pleasantly surprised to find that Certum, which is a Certification Authority based in Poland, currently offers free Windows Authenticode signing certificates for Open Source Developers.

This means that, as a Free or Open Source Developer on Windows, you now have the means to sign your applications and turn the following:

into the much nicer:

Obviously, this is great news for anyone dabbling in FOSS development, as it means we can now provide end users with Windows applications that they will see as trustworthy, without having to subscribe to the whole "your trustworthiness is only as big as your checkbook" scam.

To obtain your free code signing certificate then, you should follow the instructions provided here or go directly to the registration form.

Once you have submitted the form, you should receive an e-mail (in about a day) that takes you through the key generation process. This is one of the 2 steps you will need to complete to obtain the signing credentials, the other being the provision of some proof of your identity and FOSS involvement to Certum.
Also, be mindful that this first step results in the credential's private key being generated in your browser's store (rather than on Certum's servers, which is definitely a good thing), so you must ensure that, when you retrieve the final Authenticode credentials, you do so using the same browser and the same machine as the ones you used when completing this step. Else, you will not be able to export your credentials, which include the private key, for SignTool.

The other step you will also need to complete is the provision of a proof of identity (copy of your passport, etc.) as a FOSS developer, since an Authenticode certificate is really an identity verification process.
While the Certum documentation states that your proof of identity should be counter-signed by an official third party, I found it wasn't necessary. However, you should make sure that your proof of identity can be linked to your participation in public FOSS projects, so that Certum can confirm the validity of your request.

In all, it took about 2 days to obtain my Authenticode certificate, and I can't thank Certum enough for going against their obvious commercial interests in order to help the FOSS community. If you or your employer ever needs to purchase a commercial certificate, I hope you'll consider using Certum, as a reward for their efforts.

Now, one last hurdle you may face, after you've completed the whole process, is how to obtain the full credential, i.e. private key + public key certificate, in the form of a p12 or pfx file, so that you can use it with SignTool.

As you will find, the default web interface ("Save binary" / "Save plain") only provides a download link for the public key certificate, which is useless for signing applications as access to the private key is also required. Thus you need to be able to export the private key along with the certificate, in a package that SignTool can consume. To do that, you first need to click on the "Install" button, to get the whole credential imported onto your browser security store (if prompted, make sure you mark the private key as exportable). Then, once in your store, your browser should provide the option to export it along with the private key, either as a p12 or pfx (and prompt you for a password to secure private key access). But please remember that, because of the private key generation mechanism, you must use the same browser as the one you conducted step 1 with, else you will not be able to import the final Authenticode credentials.

Addon: If you ever find that, even though you properly signed an executable requiring elevated access, the icon of the application does not display during the UAC prompt, please remember that the SYSTEM account needs to have read access to your executable to be able to display its icon => check out the Security tab in your file's properties. If you don't see SYSTEM listed in "Group or user names", you need to add it manually.
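The export check, SignTool signing and the SYSTEM read-access fix described above, as an added PowerShell example that is not part of the original post; the paths, password and timestamp URL are placeholders you must replace:

```powershell
# Added example (not from the original post): check that an exported Authenticode
# credential really carries its private key, sign and verify an executable with
# SignTool, then make sure SYSTEM can read the file so its icon shows in the UAC prompt.
# Every value below is a placeholder, not something taken from the post.
param(
    [string]$PfxPath   = 'C:\certs\codesign.pfx',
    [string]$PfxPass   = 'CHANGE-ME',
    [string]$Exe       = 'C:\build\app.exe',
    [string]$Timestamp = 'http://TIMESTAMP-SERVER-PLACEHOLDER'
)

# 1. The "Save binary"/"Save plain" download only holds the public certificate.
#    A usable credential must carry the private key, so fail early if it does not.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPass, $flags)
if (-not $cert.HasPrivateKey) {
    throw "$PfxPath has no private key; re-export it from the browser store with the key marked exportable."
}
# The certificate must also carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
$eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($oids -notcontains '1.3.6.1.5.5.7.3.3') {
    throw "Certificate '$($cert.Subject)' is not enabled for code signing."
}
Write-Host "Signing as: $($cert.Subject)"

# 2. Sign with SignTool (Windows SDK): SHA-256 file digest plus an RFC 3161 timestamp,
#    so the signature remains valid after the certificate itself expires.
& signtool.exe sign /f $PfxPath /p $PfxPass /fd SHA256 /tr $Timestamp /td SHA256 /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify that the signature chains to a trusted root under the default policy.
& signtool.exe verify /pa /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 4. UAC only renders the executable's icon if the SYSTEM account can read the file.
$acl    = Get-Acl -Path $Exe
$system = New-Object System.Security.Principal.SecurityIdentifier(
              [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $system -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::Read)
}
if (-not $hasRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($system, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Exe -AclObject $acl
    Write-Host "Granted SYSTEM read access on $Exe"
}
```

Run it from an elevated prompt with signtool.exe on the PATH; step 4 needs permission to change the file's ACL.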

16 comments:

  1. hello,

    The checkbox you have to check in order to be able to submit the form says

    "Wyrażam zgodę na przetwarzanie moich danych osobowych, przez Unizeto Technologies S.A. z siedzibą w Szczecinie przy ul. Królowej Korony Polskiej 21. Dane osobowe będą przetwarzane w celu przekazywania ofert marketingowych."

    translated to English that would be something like:

    "I agree to have my personal data processed by Unizeto, based in Szczecin, Poland, and it shall be processed in order to communicate marketing offers"

    In other words, "I give you permission to send me spam".

    No thanks, I'll toss in some money and get a real certificate.

  2. Thanks for the info. I have had my certificate for a few months now, and haven't seen any SPAM that seems to originate from the unizeto services, but that's good to know.

  3. Hello,

    How are you getting "Pete Batard - Open Source Developer?" Every time I submit the form it appends "Open Source Developer," no matter what.

  4. Not sure I understand your question. If "Open Source Developer" is appended, and "John Doe - Open Source Developer" is what you want, then what is the issue?

  5. I think he meant that it's not " - Open Source Developer " that was appended; it's always "Open Source Developer,". I'm facing this issue as well.

  6. If that's the case, then you should contact Certum support to ask them about the issue. I don't remember doing anything special to get " - Open Source Developer" when I requested my signing credentials.

    Replies
    1. Sadly, support has told me that's just how it will be, and they actually issued me a certificate with the common name: "Open Source Developer,Daniel Sage". It's pretty sad; I was really looking forward to this offer but don't want to use the certificate if that will show on every program.

    2. Well, you do realize that you are getting something that you are supposed to pay for, for free, so obviously there will be a trade off. If you don't want "Open Source Developer" to appear, you will have to pay for a non-free certificate.

    3. It's not that I don't want it to show "Open Source Developer", but rather how they display it. Regardless, I appreciate the free certificate.

  7. Thanks for the info on how to get a pfx file from the store. That was really helpful. Seriously people, if you don't like it saying open source developer, then why are you getting a cert from them under the pretense that you are an OSD? @Daniel, it only shows when people verify the signing (such as the User Account Control window, or using signtool verify). It is not a big deal; the whole point of the certs is to make sure the information is not modified, and any issues (viruses, etc.) can be tied to an actual, legal entity.

    Thanks for the article, Pete.
    ~techdude

  8. Can you share the .pfx, .cer, .pvk files?

    thanks hi

    Replies
    1. Are you crazy?

      You cannot share a *PRIVATE* signing key, ever. Please read http://en.wikipedia.org/wiki/Public-key_infrastructure and realize that asking someone to share their .pfx and .pvk is pretty much the same thing as asking someone to provide their credit card and PIN. There's no way anyone would do that, even more so with the first newcomer.

    2. This comment has been removed by a blog administrator.

  9. Hi Pete,
    Thanks for this article, it saved me a lot of grief when I first installed these keys. Now I am at the renewal stage and wondering if you have any tips, or is it essentially the same process all over again?
    greg

    Replies
    1. I'm afraid I never figured out how to renew, as I ended up buying a certificate elsewhere.

  10. It's showing >> "Awaiting for submission...."
