• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 853

Are there any issues migrating to non-Verisign code signing certificate after verisign cert expires?

My multi-year Verisign code signing cert expired, so we have to renew it. Verisign wants $499 for one year; I can get a Comodo code signing cert for $99. Financially, this is a no-brainer.

However, way back when, I remember there was an issue with InstallShield and creating Vista distributions where the code signing cert had to be issued by Verisign, so I am concerned that there may be some compatibility issues that might make it better in the long run to pay the extra $400.

Questions
 1. For code already running at end-users that was signed with the old cert before it expired, will those executables be affected in any way if we don't renew with Verisign? Will users still be able to install code on new machines that we digitally signed months and years ago using the old cert?

2. Will my app have problems installing on unpatched Vista, Win7, Win2k3/8 O/S, or does Verisign still have some monopoly in the MSFT core that prevents any non-Verisign-signed app from running unless the system is patched/updated?

3. Anything else I need to know? For example, will signcode.exe or any other MSDN utility have issues I need to be aware of?

Thanks. P.S. I am not married to Comodo as a code signing cert authority, I just don't want to throw money away on Verisign's cert if I can effectively get the same thing for a fraction of the cost elsewhere. Suggestions on another
Asked: David
1 Solution
 
Vadim RappCommented:
I don't have my own hands-on experience with code signing using certificates from 3rd parties*, so the following is only theory:

1. This depends on whether the certificate has been timestamped. See the explanation at http://www.instantssl.com/code-signing/code-signing-technical.html. A timestamped certificate will always be valid. I just checked it on my computer by setting the date several years ahead and then checking the timestamped certificate of an executable downloaded from downloads.com - it said "valid" even though it had expired. You can check the same with your own signed code.

2. This depends on what's called "trusted root certification authorities". If the signing authority you are using is in the list, then it will be trusted. You can run certmgr.msc and see who is in that list. You can also ask the CA directly if they are in the list that comes with Vista etc.


*) Because if I understand correctly, a certificate does not assert that the intentions are good. Any hacker can write the worst malicious virus and code-sign it. The only practical fact that is asserted by a certificate is that you paid money to the CA, nothing else. IMHO, this whole public certificate business is one big racket that nobody completely understands, but everybody pretends that it protects from something.
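As an added example (not part of the original thread, and not from either participant), the PowerShell below puts the two checks from the answer above in one place: whether a file's Authenticode signature carries a timestamp countersignature, and whether the signer's chain ends in a root that is actually present in the machine's Trusted Root store. It uses only the built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain class; the file path is a placeholder you replace with your own signed setup.exe or DLL.

```powershell
# Added example, not code from the original thread.
# Reports timestamp presence and root-store trust for an Authenticode-signed file.

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig    = Get-AuthenticodeSignature -FilePath $FilePath
    $signer = $sig.SignerCertificate
    $tsa    = $sig.TimeStamperCertificate   # $null when the signature has no timestamp

    $signerSubject = $null; $signerIssuer = $null; $signerExpires = $null
    $signerExpired = $null; $rootSubject  = $null; $rootInStore  = $false

    if ($signer) {
        $signerSubject = $signer.Subject
        $signerIssuer  = $signer.Issuer
        $signerExpires = $signer.NotAfter
        $signerExpired = $signer.NotAfter -lt (Get-Date)

        # Build the chain without a revocation lookup so this works offline,
        # then check whether the top of the chain is installed as a trusted root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($signer)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootSubject = $root.Subject
        $rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                              Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    }

    [pscustomobject]@{
        File          = $FilePath
        Status        = $sig.Status        # Valid / NotSigned / NotTrusted / HashMismatch / UnknownError
        StatusMessage = $sig.StatusMessage
        Signer        = $signerSubject
        Issuer        = $signerIssuer
        SignerExpires = $signerExpires
        SignerExpired = $signerExpired
        Timestamped   = [bool]$tsa
        TimestampCA   = if ($tsa) { $tsa.Issuer } else { $null }
        RootSubject   = $rootSubject
        RootInStore   = $rootInStore
    }
}

# Hypothetical path; point this at your own signed installer or executable.
$report = Get-SignatureReport -FilePath 'C:\build\setup.exe'
$report | Format-List

# How to read it:
#  - Status 'Valid' together with Timestamped = True is the combination that
#    keeps validating after SignerExpires has passed; this is what the
#    clock-forward test in the answer above exercises.
#  - Timestamped = False means, per Microsoft's Authenticode documentation,
#    the signature is only valid while the signer certificate itself is valid.
#  - RootInStore = False means that CA's root is not in this machine's store.
#    Note that an internet-connected Windows box may fetch a missing root on
#    demand through the root certificate update mechanism, so run this on the
#    offline or unpatched image you actually care about, not on your dev box.
if (-not $report.Timestamped) {
    Write-Warning "No timestamp countersignature: re-sign with signtool /t (or /tr) pointing at your CA's timestamp server."
}

# The same facts from the SDK tool (signtool.exe is the successor to signcode.exe):
#   signtool verify /pa /v C:\build\setup.exe
# /pa selects the default Authenticode policy; /v prints the signer chain and
# whether the signature is timestamped.
```

The store check is deliberately done against Cert:\LocalMachine\Root rather than trusting X509Chain.Build alone, because Build can succeed on a machine that has already pulled the root down dynamically; the question in this thread is about machines that have not.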
 
DavidAuthor Commented:
Thank you, vadimrapp1. I really need to get some confirmation, something other than a reasonable theory.

I hope you understand. I don't want to burn 10,000 CDs and find out that the activation doesn't work. I will try to get a moderator or somebody to put this in other groups to get an answer.
 
Vadim RappCommented:
If you have 10K CDs, I think you will need to run some tests anyway, even if you get a very definite answer from someone. The best answer would probably come from Comodo itself - they have "live chat", so I would explain the situation and see what they say; if they claim it will work, then buy the certificate and try how it works on Vista etc.; if it does not work, then get your money back.
 
DavidAuthor Commented:
The problem is that I have sold over 250,000 CDs over the years, and plan on burning a new master soon. I know there will be no issue with the legacy code in the future if people re-install or install on a fresh computer, since they were all time-stamped, even if the Verisign cert expires, since I did time-stamp the InstallShield package and the executables with that Verisign DLL link they spec out.

There is really no way to test installing in the future due to the embedded URL for the Verisign time stamp, nor to test installing after the digital certificate has expired. I have no doubt it can sign code. I want to test signed code as if I were a year or so in the future to see if it runs and validates OK.

I found this link that compares code signing certs; it looks like if I go Thawte, I am still using Verisign, just at half the price. I will just do that after I have a chat with them and report back.

http://qualapps.blogspot.com/2008/05/cheap-code-signing-certificates.html
 
Vadim RappCommented:
I started reading the link, and within 10 seconds read the sentence that is actually 100% confirmation of what I said - don't trust anybody, testing with your specific program is the only way.

"Second, something breaks every other time we renew."

The theory says that what's tested for validity is that the certificate had not expired at the time when you signed the code (not at the time of installation). But it's theory.

Ironically, I think what makes the most sense is signing the product in such a way that the prompt to the user "Do you trust XXX?" will be presented - from the security standpoint, this is surely more sound than relying on the list of trusted providers compiled by Microsoft and shipped with the OS, because the real question is who the user trusts, not Microsoft. Thus, self-signed. (I do realize that you won't really do it.)
 
DavidAuthor Commented:
Well, I saw some conflicting information about needing a Verisign cert for an application to meet Winqual for Windows 7. That was the bad news. The good news in researching this on the Microsoft site was that I found a promotional link to get a 1-year Verisign Authenticode cert for $99 instead of the regular $499 price! So needless to say, that is the path I went down.

It probably violates the rules if I post discount codes, but if you go to winqual.microsoft.com you can find it without too much trouble :)
 
DavidAuthor Commented:
I never got a black & white answer, but the question is closed as I was able to get a Verisign cert for $99 instead of $499 via a promotional link on the MSFT web site, so the problem is moot. I would not have found the link if it hadn't been for your advice and doing some more searching on MSFT.

Thanks
 
Vadim RappCommented:
I think it still would be wise to try another certificate - now that you have enough time until this one expires again - and observe what happens.