Cheap Code Signing Certificate for $75,-

May 20th, 2010 by Arend

For an Adobe AIR program I wanted an official code signing certificate to get rid of the big fat “publisher: UNKNOWN” warning clients face while installing my software.

Visiting verisign.com, you will see that a one-year Code Signing Certificate will set you back US $499,-

According to Adobe’s Flash Builder documentation, only certificates from the big four CAs are trusted:

A developer can use any class-3, high-assurance certificate provided by any CA to sign an Adobe AIR application. However, only ChosenSecurity, GlobalSign, Thawte, and VeriSign come pre-installed on most end users’ machines (Mac OS X or Windows) and are trusted by the operating systems.

These companies ask an amazing amount of money for a certificate; luckily, there are better alternatives. The one I got was available for $75,- a year. This of course raises the question whether this certificate will be accepted, but I did find a couple of blog posts that reassured me this shouldn’t be a problem.

Hop over to author.tucows.com, register for an account and you will be able to purchase a Comodo Certificate through Tucows.
The process will take some time. You will have to email documents to prove your business/personal identity, and they will probably call you as well. After receiving the certificate and signing the AIR package I was able to install my signed software successfully on:

  • Windows 7
  • Windows Vista
  • Windows XP
  • Mac OS X (10.6).

Unfortunately Ubuntu Linux 10.04 fails to recognize/trust the certificate out of the box (thanks to Jaap for testing this)

Before:
unknown publisher

After:

Trusted Publisher

14 comments

  1. Jaap says:

    Thanks Arend!
    Did you encounter any problems with other OS’s?

  2. Arend says:

    Works on:
    Mac OS X Leopard
    Windows Vista
    Windows 7

    I’m booting XP to see if that works too.

  3. Arend says:

    No problems in XP.
    Not sure about Linux as I don’t have a Linux X environment ready.

  4. Jaap says:

    Great. I can test it for you on linux if you give me a link to a signed app.

  5. Arend says:

    http://www.arenddeboer.com/pub/testApp.air
    It’s a new project without any modifications, just signed.

    • Jaap says:

      Alas, doesn’t work on Ubuntu 10.04 out of the box. UNKNOWN publisher.
      I guess it’s a matter of reaching that 1% of users vs. 100-200 bucks extra cost :)

  6. Arend says:

    Indeed.
    I ordered a certificate because I was under the impression it was a requirement for using the Adobe AIR Update Framework. Turns out it is not. Even though it looks nice, I’m not sure if I’m going to extend it next year.

    • Jaap says:

      For personal use you don’t need it, but avoiding scaring regular users away with a red cross and a big ‘UNKNOWN’ is important to me though. Guess I have to pay for that.

      • Arend says:

        My applications are almost always company specific, used by only a few people. I can understand it becomes more important when you have a large user base / many installs.

  7. Taphy says:

    I know it is an old topic, but it is the only place with relevant information I was able to find quickly :)
    So, great thanks for pointing in the proper direction!

    some tips (just for ref) on how to make it work with linux.
    example for DigiCert
    1) wget required root crt from vendor site,
    2) cd /opt/Adobe\ AIR/Versions/1.0/Resources/
    # ./aucm -a -f /home/taphy/CRT/DigiCertAssuredIDRootCA.crt
    Certificate added with name: 69105f4f.0.
    # ./aucm -a -f /home/taphy/CRT/DigiCertAssuredIDCodeSigningCA-1.crt
    Certificate added with name: a58f3482.0.

    3) Marking a certificate as trust anchor
    # ./aucm -n 69105f4f.0 -A true
    Certificate Found, processing…
    Property changed.

    # ./aucm -n a58f3482.0 -A true
    Certificate Found, processing…
    Property changed.

    4) Marking a certificate as trusted
    # ./aucm -n 69105f4f.0 -c true
    Certificate Found, processing…
    Property changed.

    # ./aucm -n a58f3482.0 -c true
    Certificate Found, processing…
    Property changed.

    that is it.
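
The steps in the comment above make the downloaded file a trust anchor for every AIR install on the machine, so the file is worth checking before it goes in. The script below is an added example, not code from the post, the commenter or Adobe: it refuses to run the `aucm` steps unless the certificate's SHA-256 fingerprint matches a value obtained separately from the CA. The function names are hypothetical, and it assumes `openssl` is installed and that `aucm` prints the "Certificate added with name: ..." line shown in the comment.

```shell
#!/bin/sh
# Added example (not from the post): pin a CA certificate's SHA-256
# fingerprint before importing it into the AIR store with aucm.
# The aucm path is the one from the comment; override AUCM if yours differs.
AUCM="${AUCM:-/opt/Adobe AIR/Versions/1.0/Resources/aucm}"

# Lowercase hex, no colons or spaces, so pasted fingerprints compare equal.
normalise_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a PEM certificate file, normalised.
cert_fingerprint() {
    normalise_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)"
}

# add_trusted_cert FILE EXPECTED_FP
# Imports FILE and marks it as trust anchor and trusted, but only when its
# fingerprint equals EXPECTED_FP (obtained out of band from the CA).
# Prints the store name aucm assigned; returns 1 on mismatch, 2 on tool errors.
add_trusted_cert() {
    cert=$1
    expected=$(normalise_fp "$2")
    actual=$(cert_fingerprint "$cert")
    if [ "${#actual}" -ne 64 ] || [ "$actual" != "$expected" ]; then
        echo "REFUSED: $cert has fingerprint '$actual', expected '$expected'" >&2
        return 1
    fi
    # aucm reports e.g. "Certificate added with name: 69105f4f.0."
    out=$("$AUCM" -a -f "$cert") || return 2
    name=$(printf '%s\n' "$out" |
        sed -n 's/^Certificate added with name: \(.*\)\.$/\1/p')
    [ -n "$name" ] || { echo "unexpected aucm output: $out" >&2; return 2; }
    "$AUCM" -n "$name" -A true >/dev/null || return 2   # trust anchor
    "$AUCM" -n "$name" -c true >/dev/null || return 2   # trusted
    echo "$name"
}

# Run as: sh add-air-ca.sh FILE EXPECTED_FP
if [ "$#" -eq 2 ]; then
    add_trusted_cert "$1" "$2"
fi
```

Run it once per certificate (root, then intermediate), each with its own expected fingerprint.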

  8. Francois says:

    Hello Arend,
    Thank you for sharing this cheap alternative.

    I have 2 questions for which you might have answers:

    1. With the $75/year certificate, can you sign as many applications as you want? Or is it limited to a single application…

    2. What happens if your certificate expires? Let’s say you have an AIR app, you won’t update it anymore, you signed its latest version before the expiration date of the certificate. Past the expiration date what will the user see before installing: UNKNOWN or certified?

    Thank you for your response.

    • Arend says:

      Hello Francois,

      1: You can sign as many applications as you want.
      2: When I try to install my app signed with an expired key, I still get the “Publisher Identity: VERIFIED” response. So it appears to still work. Not sure about signing with the expired cert though.

  9. Lars says:

    Found a really good deal here:
    https://www.sslpoint.com/code-signing-certificates/

    Ordered the Comodo Code Signing certificate – it was issued within 3 days and works perfectly!
