February 28, 2010

Tucows/Comodo Code Signing Certificates

Filed under: Development Ramblings — admin @ 6:24 PM

We recently purchased a Comodo code signing certificate from Tucows, which provides Comodo certificates at a reduced price. Some of you may be wondering what code signing certificates are and why they are needed. I won’t cover that here, as there are some good articles which discuss these questions. What I want to discuss here is our own experience of purchasing a code signing certificate from Tucows/Comodo.

The Comodo code signing certificate cost 75.00 when purchasing from Tucows. Tucows and Comodo must have an agreement which allows Tucows to offer CSCs to software vendors at a reduced price compared to purchasing from Comodo direct. First, some of you may be wondering why we decided to purchase a Comodo certificate when it’s possible to purchase them from other vendors for about half the price. First of all, 75.00 is not a lot of money to begin with, considering the value of having your application properly code signed. I figured if we were going to spend the money and go through the trouble, we might as well get a CSC from a reputable vendor like Comodo, as Comodo happens to be one of the top trusted vendors for code certificates. Plus, I have heard stories of other software vendors who have purchased one of these ‘bargain’ certificates from a site which isn’t as reputable, who have had problems with their certificate. So, I figured that spending a few extra bucks was worth getting the certificate from a very reputable source like Comodo.

Before purchasing a CSC at Tucows, you must have a Tucows author account. Since most software vendors already have an account with Tucows, this isn’t really an issue. Once logged into the Tucows author account, there is an option to purchase a code signing certificate. The purchase procedure is pretty straightforward, but there were some choices to make regarding the CSC which are a little daunting, which I’ll mention below.

There is a choice to purchase a one, two or three year certificate. You can then enter an optional email address to be associated with your certificate. Next are the Advanced Private Key Options. Being new to the code signing procedure, I wasn’t sure at first what to choose for these options, and quickly did some research on the web so I’d make the correct decisions. After doing a little research, I decided to use the default options, except for the Key Storage. I’ll mention these options below.

  • CSP:  This is the cryptographic service provider, and I decided to leave this at the default value of Microsoft Enhanced Cryptographic Provider v1.0.
  • Key Storage: You have two choices here: store the key in the certificate itself, or in a separate *.pvk file. After doing a little research I found that most vendors use the separate pvk file.
  • Key Size:   You have a few choices here, but the default key size is 2048.
  • Exportable: This should be checked.
  • User Protected: This should be unchecked.

Some of the values I used above are those which are mentioned on Tech-Pro, a very helpful site which explains which values to use.

After making your selections for the CSC above, clicking next takes you to a page where you’ll enter your company details.   After filling in the info and clicking Agree & Continue, you’ll go through the process of paying for the certificate by using your account settings or a credit card.

After completing the process, we received some emails, some of which were from Comodo’s validation team. I was a little scared at first when I read the email from Comodo’s validation tech, which listed the acceptable documents we would need in order to prove we are a trusted software vendor. Being a small startup, it seemed like the acceptable documents were those which only large corporations would be able to furnish. However, after emailing Comodo’s validation team with information about our company, we received an actual call from a member of their team. It seems that Comodo does not take issuing CSCs lightly, and they do want to ensure we are a valid software vendor before issuing a CSC. This also makes us feel good about our decision to go with Comodo for our CSC. The techs at Comodo went as far as calling the secretary of state of Nebraska to verify our company status with the state, and everything went pretty smoothly after that. So, if you’re thinking about purchasing a CSC through Comodo, it may be worth your while to call one of their reps and discuss the documents you’ll need to be eligible for the CSC.

After the validation process, which took about one day, we received our CSC. The documentation on Comodo’s site regarding the code signing process gives a pretty good general idea on how to code sign your needed files. For a more descriptive explanation, I found Tech-Pro’s site to be indispensable.

Having all of our installation and program files properly code signed is very relieving, although the process of obtaining the certificate and performing the code signing for the first time was a little unnerving.   We’re very happy with the results, however, and are glad we decided to purchase a trusted Comodo CSC, and with the price we paid by purchasing it through Tucows.

5 Comments

  1. Thanks a lot for the article!

    When I used the certificate request form that Tucows redirected to after the purchase of the certificate, the browser (IE9 with https://secure.comodo.net in trusted sites) doesn’t prompt me to save a private key to a file. What could be wrong?

    Comment by Mili — April 29, 2013 @ 2:22 AM

  2. It could be that you may need to wait a while longer until your payment is finalized, Mili. You can contact Comodo if you are having any kind of issues. I contacted them a few times, and they were always able to give me help. I believe that they also have a pretty good support page, at https://support.comodo.com/ which may help.

    Comment by admin — April 29, 2013 @ 5:05 AM

  3. Thanks. The private key is generated after validation.

    Comment by Mili — May 28, 2013 @ 9:39 AM

  4. Where does one start describing the experience of buying a code signing certificate from Comodo? I would say that it is like pulling teeth from a dragon.
    40 days it took from the day of payment to the day it was grudgingly sent to me. This is after 33 emails (16 me to them, 17 them to me), yes 33 !
    To list the main specific complaints:
    1. I chose Comodo because they were the cheapest. Nowhere do they say that you are going to have to spend far more money than the purchase price, and the purchase price is just a beginning. This is DISHONEST in the extreme and I would say FRAUDULENT. The purchase cost me $71, and ended up costing a total of $321 !

    2. After the purchase they give out links to download the quite complicated forms. These involve getting a notary to certify copies of passport, bank and utility documents and to certify that you are you – fair enough, they have to be proper copies. In Australia the police are licenced for the notarization of certified copies, and that’s who I got to do it. You then have to fax Comodo a copy, and then mail them the copy. Apparently they do not understand that everyone uses email these days!

    3. After chasing them up 2 weeks later, they claimed that they did not receive the fax (I had seen the confirmation page that the fax was sent successfully), and claimed they did not receive the letter. What bad luck, or was it just LIES?

    4. I emailed a copy of the documents as an attachment, and they replied that the “the documents which you have provided seems to be damaged one”. Not that the file was corrupted, or unreadable, but the documents were “damaged” (one). This is despite copying myself at a different address, and there was no “damage” in the file. Was this another LIE? In the email they asked the “documnet” be sent again.

    5. I re-faxed, re-posted, re-emailed the documents, and then they introduced the brand new requirement that the Notary had to be listed on a page that they could search on the Internet. This had never been mentioned before. Of course the individual Police Officer who had notarized it was not listed on a specific page, so Comodo did not accept him. You could say fair enough – but only if this was all specified previously, not after the job is done!

    6. So I had to find a notary that was listed on a webpage they had (the email said “please get sign from registered notary public”). The prices these guys charged ranged from $250 to $400! Nowhere on the Comodo site does it even hint that you will have to pay extra for a Notary. So I go through this trouble and $250 expense and the documents are faxed and mailed off again. I also emailed a copy which might have quickened things a little because it was only a week later that they ask me what is the best time for them to ring up the notary to check that he is really a notary! Not only do they want a notary to check that I am me, and that my documents are my documents, and that he is a notary, and that they can see he is a notary by sitting on their bums and checking the internet, but they want to ring him up and ask him if he really notarized it! And they want me to ring him up to arrange a time, rather than them ringing him up to arrange a time! Remember, this is another brand new requirement, not mentioned before.

    7. So I tell them to call him between 11am and 3pm Melbourne Australia time GMT +11hr, on weekdays. Comodo also wanted a time to call me (yet ANOTHER new requirement which had not been specified at any time earlier). I stated 6pm to 10pm Melbourne Australia time GMT +11hr. I offered to calculate the local time that would be for them, but not knowing where they were I could not. Two days later I chase them up. They say that they called the Notary but he “refused to confirm the signature”. I ring up the Notary, and he says that this is a LIE, and they have never called him or his secretary. As he takes his job very seriously, he in fact is very cross that these people are lying about him. I email Comodo back with this allegation and their STORY changes to “We made a call to the notary but he left for the day” (I have no information on why the secretary did not support this latest claim, but you might guess).

    8. After four more days I chase them, and they say they called the Notary. Hoorah!!! Now they want to know what time they could call me to verify that I am me (apparently they did not trust the passport, the bank statement, and utility bill, that I am in the White Pages phone directory, the Notary, the notary being on a website, or what the Notary told them in a phone conversation). I naturally pointed out that I have already told them the time to call (6pm to 10pm Melbourne Australia time GMT +11hr). They said that they had tried to call me twice, but there was no answer. Another LIE – I am sure as I was home every evening that week, and no one rang.

    9. The next day my wife rang me up to say that these people, who she could barely understand, called me at home at 12 noon. Obviously I was at work, not home. They were Comodo people, from which country, and what intelligence I cannot say. I immediately emailed Comodo and pointed out (a little sarcastically) that for the third time they could ring 6pm to 10pm Melbourne Australia time GMT +11hr.

    10. This is just about the end, after exactly 40 days, I was rung up at the right time, struggled to understand the English spoken (approximately), stated I was me, and the code signing certificate was finally delivered.

    All I can say is never again, and I would never suggest people use any company that charges $71 and doesn’t tell you upfront about the other $250 you will have to spend. Fraudulent, incompetent, illiterate and dishonest.

    Naturally I will post this in all review sites.

    Comment by Garry — February 23, 2014 @ 11:08 PM

  5. I’m sorry that you had this experience obtaining your code sign certificate.
    Maybe the rules have changed since I purchased mine.
    I do remember needing to speak with their escalation personnel regarding my specific case, in proving that I was a legitimate business. In their defence, they need to be careful granting a certificate, to ensure the safety of the public.

    Comment by admin — February 24, 2014 @ 6:05 AM
