Comments on: Getting started with code signing for under $100

By: Ciank

Ciank — Thu, 30 Jun 2011 11:17:00 +0000

Can you use the same cert to sign Adobe Air and Java Jar files?

By: Mitchell Vincent

Mitchell Vincent — Mon, 27 Jun 2011 23:16:00 +0000

Hi Erik – I’m not sure how it works on others but on my order page (codesigning.ksoftware.net) the keys are generated on your computer using Javascript and the private key never leaves your machine.

By: Creating your First Silverlight Client Application: Twitter and COM, of course - Pete Brown's 10rem.net

Fri, 28 May 2010 23:02:21 +0000

[...] next thing you should do is sign your XAP. We won't do that here, but there is a great walkthrough on XAP signing for elevated trust apps here. The walkthrough also shows what the various install dialogs look [...]

By: Kevin H

Kevin H — Tue, 25 May 2010 19:59:42 +0000

Thanks for the great article. It really helped me get through the weeds!

Kevin

By: John

John — Sun, 04 Apr 2010 01:31:55 +0000

Excellent job in making this simple and straight forward.

Thank you much

By: Jim Bush

Jim Bush — Thu, 01 Apr 2010 18:54:10 +0000

Yeah ksoftware are great. As described above its much easier than b4 – you used to have to install openssl to convert key files and a whole lot of pain.

Comodo are sticklers for the documentation so make sure you’ve got your ducks in a row first – eg. if you use a POBOX, have your bank statement and utility bill sent there. Comodo reps do not seem to use any discretion, so even if you have the ‘right’ address in one place and not another, they wont like it. You can’t “prove” it’s OK, you just have to give them what they want….

By: Kevin S.

Kevin S. — Thu, 01 Apr 2010 13:52:31 +0000

Wow, Jeff, this is a terrific blog. I had run across the KSoftware sign while looking for the cheapest CA I could use to sign my jars, but I was leary of them because it sounded too good to be true.

Thanks for all the details about the process, it sounds like a bit of pain but no too bad.

Carl (above) mentioned startssl.com, but didn’t see a CA with that name in my Java cacerts file, so it might not be of value. Comodo is defiinitely there.

By: Christophe

Christophe — Fri, 26 Mar 2010 19:13:20 +0000

Also bought a certificate, a quick and painless process. Kudos to Comodo and K Software.

@Erik: the private key doesn’t leave your browser. As Rupert said, only the public key is sent to Comodo. That’s why you have to download the signed certificate from the same browser that generated the key.

By: Rupert

Rupert — Thu, 25 Mar 2010 16:44:08 +0000

Maybe I misunderstood, but AFAIK the issuing company *does not* have your private key. You generate the private key locally and send them only the public part to sign. That’s the reason you have to go back to the same PC to retrieve the certificate: that’s where the private portion is.

By: A guide to what has changed in the Silverlight 4 RC

A guide to what has changed in the Silverlight 4 RC — Mon, 15 Mar 2010 17:44:39 +0000

[...] You can also sign your XAP using self-signed certificates. If you do so, it is likely that you are not a trusted CA on machines and would have to instruct your users further. In my opinion, it is better to acquire a trusted CA cert for external applications. Take a look at Jeff Wilcox’s epic post on Code Signing 101. [...]

By: Philipp Winterberg

Philipp Winterberg — Fri, 12 Mar 2010 23:08:53 +0000

Thanks Jeff! Very helpful!

By: Mitchell Vincent

Mitchell Vincent — Fri, 12 Mar 2010 02:36:43 +0000

Thanks Jeff – an excellent article that covers everything I was sitting down to write tonight.

If anyone has any questions or concerns about ordering through K Software, please email me – support at ksoftware.net

Thanks again Jeff!

By: Notsotrusting

Notsotrusting — Sun, 07 Mar 2010 23:06:12 +0000

Oh, I forgot to say. Good article, thanks. One of the key points I took away from this was the “trusted publishers” bit. Really, signing is not so complicated. Getting the certificate and keep the keys secure are more of an issues, as is reliable timestamping for when certificates expire (IMO).

By: Notsotrusting

Notsotrusting — Sun, 07 Mar 2010 23:02:58 +0000

Yes, well Jack Bauer may work for them and Jack Bauer may one day get royally pissed off when they sack him and he may take a bagful, or two, of PKs with him to screw the man over.

By: Jeff Wilcox

Jeff Wilcox — Wed, 03 Mar 2010 16:17:50 +0000

@Erik,
Not sure I agree with your “Not only do you have to trust that company to never use your key, but you also have to trust them to keep it secret.” statement. We’re talking about some fairly large security firms here, whose job is keeping secrets and the trust of not only their customers, but also the Internet itself.

I doubt anybody at a root CA has any interest in signing anyone’s code – unless it’s all part of some action sequence with Jack Bauer in it.