February 28, 2010

Tucows/Comodo Code Signing Certificates

Filed under: Development Ramblings — admin @ 6:24 PM

We recently purchased a Comodo code signing certificate from Tucows, which provides Comodo certificates at a reduced price. Some of you may be wondering what code signing certificates are and why they are needed. I won’t cover that here, as there are some good articles which discuss these questions. What I want to discuss here is our own experience of purchasing a code signing certificate from Tucows/Comodo.

The Comodo code signing certificate cost 75.00 when purchasing from Tucows. Tucows and Comodo must have an agreement which allows Tucows to offer CSCs to software vendors at a reduced price compared to purchasing directly from Comodo. Some of you may be wondering why we decided to purchase a Comodo certificate when it’s possible to purchase them from other vendors for about half the price. First of all, 75.00 is not a lot of money to begin with, considering the value of having your application properly code signed. I figured if we were going to spend the money and go through the trouble, we might as well get a CSC from a reputable vendor like Comodo, as Comodo happens to be one of the top trusted vendors for code certificates. Plus, I have heard stories of other software vendors who have purchased one of these ‘bargain’ certificates from a site which isn’t as reputable, and who have had problems with their certificate. So, I figured that spending a few extra bucks was worth getting the certificate from a very reputable source like Comodo.

Before purchasing a CSC at Tucows, you must have a Tucows author account. Since most software vendors already have an account with Tucows, this isn’t really an issue. Once logged into the Tucows author account, there is an option to purchase a code signing certificate. The purchase procedure is pretty straightforward, but there were some choices to make regarding the CSC which are a little daunting, which I’ll mention below.

There is a choice to purchase a one, two or three year certificate. You can then enter an optional email address to be associated with your certificate. Next are the Advanced Private Key Options. Being new to the code signing procedure, I wasn’t sure at first what to choose for these options, and quickly did some research on the web so I’d make the correct decisions. After doing a little research, I decided to use the default options, except for the Key Storage. I’ll mention these options below.

  • CSP:  This is the cryptographic service provider, and I decided to leave this at the default value of Microsoft Enhanced Cryptographic Provider v1.0.
  • Key Storage:  You have two choices here: store the key in the certificate itself, or in a separate *.pvk file.  After doing a little research I found that most vendors use the separate pvk file.
  • Key Size:   You have a few choices here, but the default key size is 2048.
  • Exportable: This should be checked.
  • User Protected: This should be unchecked.

Some of the values I used above are those which are mentioned on Tech-Pro, a very helpful site which explains which values to use.
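With the key in a separate, exportable *.pvk file, that file is what needs protecting. The following check is an added example, not part of the original post or any Comodo/Tucows tooling: it reads the PVK header (assumed here to be the commonly documented 24-byte layout of magic, reserved, key type, encrypted flag, salt length and key length) and reports whether the key is password protected and, where readable, its size. The names `inspect_pvk` and `make_sample` are hypothetical, and the sample files are constructed with zero bytes in place of key material.

```python
import struct

PVK_MAGIC = 0xB0B5F11E          # little-endian magic at offset 0 of a .pvk file
KEY_TYPES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}
RSA2_MAGIC = 0x32415352         # "RSA2": RSAPUBKEY magic in a private key blob


def inspect_pvk(data: bytes, min_bits: int = 2048) -> dict:
    """Parse the 24-byte PVK header and list storage-hygiene findings."""
    if len(data) < 24:
        raise ValueError("too short to be a PVK file")
    magic, _reserved, keytype, encrypted, saltlen, keylen = struct.unpack_from("<6I", data, 0)
    if magic != PVK_MAGIC:
        raise ValueError("not a PVK file (bad magic)")
    if len(data) < 24 + saltlen + keylen:
        raise ValueError("truncated PVK file")
    info = {"key_type": KEY_TYPES.get(keytype, f"unknown({keytype})"),
            "password_protected": bool(encrypted), "bits": None, "findings": []}
    if not encrypted:
        info["findings"].append("private key is stored without a password")
        # Only an unencrypted blob exposes RSAPUBKEY (after the 8-byte BLOBHEADER).
        blob = 24 + saltlen
        if keylen >= 20:
            rsa_magic, bits, _pubexp = struct.unpack_from("<3I", data, blob + 8)
            if rsa_magic == RSA2_MAGIC:
                info["bits"] = bits
                if bits < min_bits:
                    info["findings"].append(f"{bits}-bit key is below {min_bits}")
    return info


def make_sample(encrypted: bool, bits: int) -> bytes:
    """Constructed sample: valid header layout, zero bytes in place of key material."""
    saltlen = 16 if encrypted else 0
    blob = struct.pack("<BBHI", 0x07, 0x02, 0, 0x2400)   # BLOBHEADER, CALG_RSA_SIGN
    body = struct.pack("<3I", RSA2_MAGIC, bits, 65537) + bytes(32)
    if encrypted:
        body = bytes(len(body))   # stands in for ciphertext; not real encryption
    header = struct.pack("<6I", PVK_MAGIC, 0, 2, int(encrypted), saltlen, len(blob) + len(body))
    return header + bytes(saltlen) + blob + body


if __name__ == "__main__":
    for sample in (make_sample(True, 2048), make_sample(False, 1024)):
        print(inspect_pvk(sample))
```

To check a real file, pass `open(path, "rb").read()` to `inspect_pvk`; the key size is only reported for unprotected files because the rest of the blob is encrypted otherwise.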

After making your selections for the CSC above, clicking next takes you to a page where you’ll enter your company details.   After filling in the info and clicking Agree & Continue, you’ll go through the process of paying for the certificate by using your account settings or a credit card.

After completing the process, we received some emails, some of which were from Comodo’s validation team. I was a little scared at first when I read the email from Comodo’s validation tech, which listed the acceptable documents we would need in order to prove we are a trusted software vendor. Being a small startup, it seemed like the acceptable documents were those which only large corporations would be able to furnish. However, after emailing Comodo’s validation team with information about our company, we received an actual call from a member of their team. It seems that Comodo does not take issuing CSCs lightly, and they do want to ensure we are a valid software vendor before issuing a CSC. This also makes us feel good about our decision to go with Comodo for our CSC. The techs at Comodo went as far as calling the secretary of state of Nebraska to verify our company status with the state, and everything went pretty smoothly after that. So, if you’re thinking about purchasing a CSC through Comodo, it may be worth your while to call one of their reps and discuss the documents you’ll need to be eligible for the CSC.

After the validation process, which took about one day, we received our CSC. The documentation on Comodo’s site regarding the code signing process gives a pretty good general idea on how to code sign your needed files. For a more descriptive explanation, I found Tech-Pro’s site to be indispensable.

Having all of our installation and program files properly code signed is very relieving, although the process of obtaining the certificate and performing the code signing for the first time was a little unnerving.   We’re very happy with the results, however, and are glad we decided to purchase a trusted Comodo CSC, and with the price we paid by purchasing it through Tucows.