upvote

points

by electroly1 days ago |
comments
upvoteby ComputerGuru1 days ago|
next
[-]
Thanks for sharing your experience. I have been code signing releases for over a decade as an indie publisher myself, until I found myself effectively iced out by the HSM requirement, the increased cost, and the shortened cert lifetimes, which, as someone with certain executive order dysfunctions, I already had a hard time being on top of with the old (multi-year) lifetimes.

I just migrated to MS artifact signing and, thank the lord, had an actually easier time getting verified than I did with the Sectigo and Comodo in the past. I’m sure I’m not representative of anyone else’s experience but having already had a developer account (with a different email and without an Azure account!) that I had already been using for the Microsoft Store might have helped, as well as the fact that I had a well-established business history (I’ve heard businesses younger than 3 years can’t get verified??), but reading all the comments here makes me very uneasy about the future.

It’s good to know the HSM route isn’t a complete non-starter. The main reason I panned it is that when I started looking into this I found that a number of companies that had previously offered the HSM route had done a bait and switch and were now keeping custody unless you were big enterprise (meaning willing to put up with 10k/yr fees). I did find a few that would allow OSS devs to sign their work, but read horror stories on Reddit and elsewhere about their freezing the account and issuing no refunds if you ask them to issue the cert in the name of your LLC or corporation instead of with your personal name (which I expressly did not want). Also, they actually were more expensive than Azure artifact signing even after the HSM cost was taken out.

reply
upvoteby electroly1 days ago|
parent|
next
[-]
I believe you. I also found that many CAs will not deal with a solo developer; that's real. But Sectigo continues to offer HSMs to solo developers. The link I used is [1], you buy the HSM along with your first certificate and they ship it to you. $300/year for the cert, $90 one-time for the HSM. That's not cheap but I think for specific developers looking for an escape from the store, it's a good price for freedom. The HSM is a USB stick with an LED on the back. The software is called "SafeNet Authentication Client" and it sets up the certificate access in your Windows Certificate Store so that signtool can use it. Prompts for the password every time (annoying).

[1] https://comodosslstore.com/code-signing/comodo-individual-co...

reply
upvoteby ComputerGuru18 hours ago|
parent|
next
[-]
For comparison, my code signing cert via Azure (no Microsoft store account required, can be used to self-publish binaries/installers the old fashion way) is $10/month, or about a third of the price Sectigo is charging you. I figured it was worth trying this route first, though I had to write my own basic tooling around it.
reply
upvoteby account4222 hours ago|
parent|
prev|
[-]
> it's a good price for freedom

For a freedom you didn't have to pay for at all? Why accept this absurdity?

reply
upvoteby rstupek1 days ago|
parent|
prev|
[-]
The sectigo HSM is just a USB stick they actually mail you, so it's not onerous.
reply
upvoteby Moni_Mac1 days ago|
prev|
[-]
I must say your experience is interesting. I am using https://signmycode.com/sectigo-code-signing, but I have chosen Install on Existing Token (Google Cloud KMS), and it's quite easy for me to handle the stuff. I am not scared of key storage or security issue nor password protection or forget issue.
reply