David

asked on
Are there any issues migrating to non-Verisign code signing certificate after verisign cert expires?

My multi-year Verisign code signing cert expired, so we have to renew it.  Verisign wants $499 for one year, I can get a Comodo code signing cert for $99.   Financially, this is a no-brainer.

However, way back when, I remember there was an issue with InstallShield and creating Vista distributions where the code signing cert had to be issued by Verisign, so I am concerned that there may be some compatibility issues that might make it better in the long run to pay the extra $400.

Questions
 1. For code already running at end-users that was signed with the old cert before it expired, will those executables be affected in any way if we don't renew with verisign?  Will they still be able to install code on new machines that we digitally signed months and years ago using the old cert?

2. Will my app have problems installing on unpatched Vista, Win7, Win2k3/8 O/S, or does Verisign still have some monopoly in the MSFT core that prevents any other non-Verisign signed app from running unless the system is patched/updated?

3. Anything else I need to know, like will the signcode.exe or any other MSDN utility have issues I need to be aware of.

Thanks. P.S. i am not married to Comodo as a code signing cert authority, I just don't want to throw money away on verisign's cert if I can effectively get the same thing for a fraction of the cost elsewhere. Suggestions on another
Vadim Rapp

I don't have my own hands-on experience with code signing using certificates from 3rd parties*, so the following is only theory:

1. This depends on whether the certificate has been timestamped. See the explanation at http://www.instantssl.com/code-signing/code-signing-technical.html. A timestamped certificate will always be valid. I just checked it on my computer by setting the date several years ahead and then checking the timestamped certificate of an executable downloaded from downloads.com - it said "valid" even though it had expired. You can check the same with your own signed code.

2. This depends on what's called "trusted root certification authorities". If the signing authority you are using is in the list, then it will be trusted. You can run certmgr.msc and see who is in that list. You can also ask the CA directly if they are in the list that comes with Vista etc.

*) Because, if I understand correctly, a certificate does not assert that the intentions are good. Any hacker can write the worst malicious virus and code-sign it. The only practical fact that is asserted by a certificate is that you paid money to the CA, nothing else. IMHO, this whole public certificate business is one big racket that nobody completely understands, but everybody pretends that it protects from something.
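The two checks in the answer above, whether a signature carries a timestamp counter-signature (point 1) and whether the signer chains to a root in the machine's Trusted Root Certification Authorities store (point 2), as one PowerShell function. This is an added example, not code from the thread or from any CA; it assumes Windows PowerShell with the built-in Get-AuthenticodeSignature cmdlet and the Cert: drive, and the file paths in the usage line are placeholders.

```powershell
# Added example, not code from the thread. For each file it reports:
#  (1) whether the Authenticode signature has a timestamp counter-signature,
#      which is what lets the signature outlive the signing cert's expiry, and
#  (2) which root CA the signer chains to and whether that root is present in
#      the machine's Trusted Root Certification Authorities store.
# Assumes Windows PowerShell (Get-AuthenticodeSignature, Cert: drive).

function Test-CodeSignature {
    [CmdletBinding()]
    param(
        # Path(s) to signed executables or installers (placeholders in the usage below).
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($file in $Path) {
            # Status is computed by WinVerifyTrust, which honours the timestamp:
            # a timestamped signature stays Valid after the signer expires, an
            # untimestamped one stops being reported as Valid on the expiry date.
            $sig = Get-AuthenticodeSignature -FilePath $file

            $result = [ordered]@{
                File        = $file
                Status      = $sig.Status
                Signer      = $null
                Timestamped = $false
                Timestamper = $null
                RootCA      = $null
                RootInStore = $false
                ChainStatus = @()
            }

            if ($sig.SignerCertificate) {
                $result.Signer      = $sig.SignerCertificate.Subject
                $result.Timestamped = [bool]$sig.TimeStamperCertificate
                if ($sig.TimeStamperCertificate) {
                    $result.Timestamper = $sig.TimeStamperCertificate.Subject
                }

                # Walk the signer's chain to find the root it anchors on.
                # Revocation checking is switched off so the check works offline.
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode =
                    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
                # Build returns $false for an expired or untrusted signer, but the
                # chain elements are still populated, which is all we need here.
                $null = $chain.Build($sig.SignerCertificate)
                $last = $chain.ChainElements.Count - 1
                if ($last -ge 0) {
                    $root = $chain.ChainElements[$last].Certificate
                    $result.RootCA = $root.Subject
                    # Point 2 of the answer: is that root in the trusted root store?
                    $result.RootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                        Where-Object { $_.Thumbprint -eq $root.Thumbprint })
                }
                $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            }

            [pscustomobject]$result
        }
    }
}

# Usage (placeholder paths): list every signed file whose signature will NOT
# survive certificate expiry, i.e. signed but without a timestamp counter-signature.
Get-ChildItem 'C:\path\to\release\*.exe', 'C:\path\to\release\*.msi' |
    Select-Object -ExpandProperty FullName |
    Test-CodeSignature |
    Where-Object { $_.Signer -and -not $_.Timestamped } |
    Format-Table File, Status, Signer, RootCA, RootInStore
```

Running the same function after moving the clock ahead, as the answer describes, shows the difference directly: timestamped files keep Status Valid, untimestamped ones do not. Both the old signcode.exe mentioned in the question (its -t switch) and the later signtool.exe (/t for an Authenticode timestamp, /tr for an RFC 3161 one) take the timestamp server URL at signing time; a release signed without it cannot be timestamped afterwards without re-signing.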
David (ASKER)

Thank you vadimrapp1, I really need to get some confirmation, something other than a reasonable theory.

I hope you understand. Don't want to burn 10,000 CDs and find out that the activation doesn't work. Will try to get a moderator or somebody to put this in other groups to get an answer.

If you have 10K CDs, I think you will need to run some tests anyway, even if you get a very definite answer from someone. The best answer would probably be from Comodo itself - they have "live chat", so I would explain the situation and see what they say; if they claim it will work, then buy the certificate and try how it works on Vista etc.; if it does not work, then take your money back.
David (ASKER)

The problem is that I have sold over 250,000 CDs over the years, and plan on burning a new master soon. I know there will be no issue with the legacy code in the future if people re-install or install on a fresh computer, since they were all time-stamped, even if the Verisign cert expires, since I did time-stamp the InstallShield and the executables with that Verisign DLL link they spec out.

There is really no way to test installing in the future due to the embedded URL for the Verisign time stamp, nor testing installing after the digital certificate has expired. I have no doubt it can sign code. I want to test signed code as if I was a year or so in the future to see if it runs and validates OK.

I found this link that compares code signing certs; it looks like if I go Thawte, I am still using Verisign, just at half the price. I will just do that after I have a chat with them and report back.

http://qualapps.blogspot.com/2008/05/cheap-code-signing-certificates.html
ASKER CERTIFIED SOLUTION
Vadim Rapp
David (ASKER)

Well, I saw some conflicting information about needing a Verisign cert for an application to meet WinQual for Windows 7. That was the bad news. The good news in researching this on the Microsoft site was that I found a promotional link to get a 1-year Verisign Authenticode cert for $99 instead of the regular $499 price! So needless to say, that is the path I went down.

It probably violates the rules if I post discount codes, but if you go to winqual.microsoft.com you can find it without too much trouble :)
David (ASKER)

I never got a black & white answer, but the question is closed as I was able to get a Verisign cert for $99 instead of $499 via a promotional link on the MSFT web site, so the problem is moot. I would not have found the link if it hadn't been for your advice and doing some more searching on MSFT.

Thanks

I think it still would be wise to try another certificate - now that you have enough time until this one expires again - and observe what happens.