
Split costs for EV code signing cert #155

Closed
NavinF opened this issue Oct 16, 2020 · 15 comments

Comments

@NavinF

NavinF commented Oct 16, 2020

I can buy an EV code signing cert under my company name and sign release binaries. That way, normal users can install and use Sandboxie without jumping through hoops (#95)

$349.00 is the cheapest I could find. Would anyone be willing to split the cost 50/50? If so, I'll go ahead and buy the cert.

I'd also like to make a website to host releases (github is confusing for normal users), but that can wait until we have binaries that work out of the box :)

@DavidXanatos
Member

I'm looking into getting a certificate through an Austrian company, that process has been started.
If it succeeds, then the driver signature issue should be solved soon.
If for whatever reason this fails we can look into splitting the costs and so on...

One major annoyance with the certificate is that it's provided on a hardware dongle, so it cannot be easily shared.

About a website, I already have one, https://xanasoft.com, it's just very unfinished at the moment.

@jedimasterspaz

I sent you 51 Euro, via Paypal to help.

@deajan

deajan commented Oct 19, 2020

@DavidXanatos If somehow you don't succeed with the Austrian company, there's still Sectigo that makes cheap certs https://www.gogetssl.com/code-signing-ssl/code-signing-ssl/

@NavinF
Author

NavinF commented Oct 20, 2020

@deajan The product you linked is a non-EV code signing cert. Microsoft requires an EV certificate which is sold for $350 on that website too. You also need to be a company and have your address and phone number listed in a public directory to get the EV cert.

@deajan

deajan commented Oct 20, 2020

@NavinF Indeed, forgot about the EV stuff... I myself bought them for my company with thawte for a fairly high price.
Anyway, there's still the gogetssl EV certificate https://www.gogetssl.com/code-signing-ssl/ev-codesigning-ssl/ at $298.
As for the company verification, we could jump in (or another company that will then sponsor the sandboxie project)

This is just in case the Austrian SSL stuff won't work.

@DavidXanatos
Member

here is a list of accepted EV certificate providers: https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
I doubt they accept other EV certs if they go through the hassle to provide a list where to get them.

@deajan

deajan commented Oct 20, 2020

They state that they accept Sectigo EV certificates, sold for $300 on gogetssl ;)

@DavidXanatos
Member

Ah I see gogetssl is just a reseller...

> As for the company verification, we could jump in (or another company that will then sponsor the sandboxie project)

So you would get the cert in your name and send the HW token with it to me?
I had some offers before, but that never worked out, as people were worried about giving the token away and it was too much work for them to set up a remote signing server on premises.

@deajan

deajan commented Oct 20, 2020

@DavidXanatos Sectigo does not provide a HW token, it's just a PKCS12 certificate, and yes, my company can be a "name holder" on request, as long as that certificate won't be used outside of Sandboxie (or more generally speaking Xanasoft).

@DavidXanatos
Member

@deajan Ok thanks for the offer will keep that in mind just in case 👍

This Sectigo page https://sectigo.com/ssl-certificates-tls/code-signing says "Protects private key from theft via hardware token and PIN", and when you look through the purchase options for the EV cert you must pick a delivery option for the token. It does not look to me as if it would be possible to get the EV cert in a copyable form.

I also remember having read that while it is not formally required to provide EV certs on a token, all the CAs offering EV certs supposedly only provide them on/to a token.

So would your offer still stand in the scenario that the cert would be on a token?

@NavinF
Author

NavinF commented Oct 24, 2020

Hmm if I buy the cert, I can't mail the USB token to you. I'd rather give you ssh and rdp access to a machine in my data center that always has the USB token plugged in.

@DavidXanatos
Member

First one would have to clarify whether the token needs any sort of user interaction to operate; usually such devices require either a PIN or at least a single button press to confirm physical presence.

Of course that could be mitigated using a remotely controlled robot finger, muhahahahahaha....
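
As an added example, not code from this thread or from the Sandboxie project: the arrangement discussed in the last few comments, the token staying plugged into one host and collaborators getting remote access to submit files, comes down to a signing script that runs on that host. The script below signs files with the token-resident EV certificate, selected by thumbprint so no other certificate in the store can be picked by accident, timestamps the signature, and verifies the result before reporting success. The thumbprint is a placeholder, the timestamp URL is an assumed Sectigo RFC 3161 endpoint (check the CA's documentation), and signtool.exe is assumed to be on PATH (it ships with the Windows SDK). One caveat the thread's link to the dashboard docs implies: for kernel-mode drivers the EV certificate signs the submission package sent to Microsoft for attestation signing, not the driver that users finally load, so this script covers user-mode binaries and the submission package.

```powershell
# Added example, not the project's own tooling. Runs on the machine where the
# EV token is plugged in; callers submit file paths over SSH/RDP instead of
# receiving the token itself.
param(
    [Parameter(Mandatory)] [string[]] $Path,
    # Placeholder thumbprint: replace with the EV cert's SHA-1 thumbprint as shown in certmgr.msc.
    [string] $Thumbprint = '0000000000000000000000000000000000000000',
    # Assumed RFC 3161 timestamp service; not taken from the thread.
    [string] $TimestampUrl = 'http://timestamp.sectigo.com'
)

$ErrorActionPreference = 'Stop'

# The private key never leaves the token. The token middleware registers the
# public certificate in CurrentUser\My with a handle to the on-token key, which
# is what lets signtool find it by thumbprint.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found; is the token plugged in?" }
if (-not $cert.HasPrivateKey) { throw 'No private key handle for this certificate; token middleware missing?' }

foreach ($file in $Path) {
    # /fd sha256: file digest algorithm. /tr and /td: RFC 3161 timestamp so the
    # signature stays valid after the certificate expires. /sha1: pin the signing
    # cert by thumbprint. The token's CSP prompts for the PIN at this step; that
    # prompt is exactly the unattended-use problem raised above.
    & signtool.exe sign /v /fd sha256 /tr $TimestampUrl /td sha256 /sha1 $Thumbprint $file
    if ($LASTEXITCODE -ne 0) { throw "signtool failed for $file" }

    # Verify what was just produced before handing it back to the requester.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { throw "Signature on $file is $($sig.Status)" }
    '{0}: signed by {1}' -f $file, $sig.SignerCertificate.Subject
}
```

Whether the token middleware can cache the PIN for an unattended remote session, and what that does to the protection the PIN is meant to give, is vendor-specific and is the point to settle before offering a "machine with the token always plugged in" as a shared signing host.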

@deajan

deajan commented Oct 25, 2020

Strange, I bought my Thawte certificate, which runs without any HW dongle, from the gogetssl reseller 6 months ago.
Let me have a quick chat with gogetssl tomorrow to see whether their EV certificate needs a HW dongle.

@NavinF I'm already donating every month on Patreon since the beginning, but I'll happily throw in another $50.

@deajan

deajan commented Oct 28, 2020

Had a quick chat with gogetssl reps yesterday, indeed, all sectigo (also includes gogetssl brand itself) provided EV certificates are bound to a hardware dongle.

I am not against shipping you that HW dongle, as long as I can revoke the certificate in case of piracy (need to keep my company's name clear in case of trouble), and we sign a usage agreement.

@DavidXanatos
Member

> Had a quick chat with gogetssl reps yesterday, indeed, all sectigo (also includes gogetssl brand itself) provided EV certificates are bound to a hardware dongle.
>
> I am not against shipping you that HW dongle, as long as I can revoke the certificate in case of piracy (need to keep my company's name clear in case of trouble), and we sign a usage agreement.

Ok cool :)
lets keep that as plan B

Cheers
David
