Codesigning on Windows - OV certificate prices (yes, that old chestnut)

stam
Posts: 2686
Joined: Sun Jun 04, 2006 9:39 pm
Location: London, UK

Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by stam » Fri Jun 16, 2023 8:58 pm

Hi all,

I renewed a K-Software OV certificate last year but didn't act on it immediately. I'm now waiting not-so-patiently for K-Software to iron some kinks out (for the life of me can't remember which browser/machine was used and if the CSR was generated on a work machine that has long since been replaced, there's no chance of me generating a new .pfx file. I now have to wait for K-Software to re-issue - this was the answer I got from Sectigo, who do provide timely customer support (K-Software resells their certs)).

Having just looked at the price of getting a code signing OV certificate direct from Sectigo:
OV - sectigo.jpg
I'm not sure how this in any way differs from K-Software:
OV - ksoftware.jpg
well I guess it's $1.35 cheaper.

Has pricing changed? I seem to have a recollection that K-Software was much cheaper - or perhaps Sectigo has lowered its prices? Or am I misremembering?

Not that any of this is cheap, especially if used with non-profit apps (and for those that moan that Apple demand payment to deploy apps, this is the equivalent. Only Apple charges less than half this and you get much more than just a codesigning certificate). And I now have to codesign our apps as my hospital's IT has finally made changes on their latest deployment of Win10 that put up big bright warnings for any software that isn't code signed, causing a lot of consternation and in some cases stopping things from working...

Anyway, I was just struck at the pricing that suggests there is no difference between the two and wondered what others think....

S.
Last edited by stam on Mon Jun 19, 2023 5:26 pm, edited 2 times in total.

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by stam » Fri Jun 16, 2023 9:22 pm

To answer my own question - yes, there is a change in pricing.
There was a thread in 2021 clarifying that K-Software's pricing was less than half that of Sectigo's: https://forums.livecode.com/viewtopic.p ... 15#p208403

That's no longer the case unless my reading comprehension is failing.
Actually, OV prices are nearly as high as EV certificate prices, which may be the point - it would be nice to be rid of the silly 'reputation system' on Windows as the EV certificate allows you to essentially buy reputation, but that's a much bigger hit on our wallets and independent devs will be hit hardest...
Sectigo wrote:
Starting in May 2023, new industry requirements from the CA/B Forum require that all code signing certificate keys are stored on an HSM or compliant hardware token. As part of implementing these changes, Sectigo has increased code signing certificate prices.
I'm guessing this is one of the reasons for these pricing changes - but not sure now if I'll require an HSM as well? Anyone know?

S.

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by jmk_phd » Sat Jun 17, 2023 12:36 am

Stam –

Thanks for alerting us to this issue. Having initiated the 2021 thread to which you referred, I agree that this is a *really* serious issue.

In June 2022 I did a two-year renewal of my Sectigo certificate via ksoft at a cost of $143 (approx. $72/yr). That was a good deal, inasmuch as Apple charges us $99/yr. I should be okay for 39 months (until Sept 2025), but I share your concern that as independent developers we are being priced out of supporting secure distribution of our apps.

A quick internet search confirms your impression that even the least expensive annual Windows OV certificate has more than doubled recently in price.

Although this may not be a big deal for LC commercial publishers, the cost of publishing my apps – including my LC license, Apple developer license, and OV license (not even counting web-hosting) – is already well over five times as much as what I expect to earn over the coming year. This is not sustainable.

jeff k

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by stam » Sat Jun 17, 2023 10:16 am

Well, searching for other providers does yield cheaper prices - but it's always tricky to differentiate these from fraudulent websites.

For example: https://cheapsslsecurity.com/fastssl/co ... GYQAvD_BwE

Literally half the price of K-Software & Sectigo - but who knows if it's real?

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by jmk_phd » Sat Jun 17, 2023 11:22 am

As regards the hardware security module (HSM) issue, it’s my impression that if one does not have such a device, Sectigo (or KSoft) will provide the certificate on a FIPS-compliant hardware “token” – which from the graphic on the Sectigo website looks to me like a USB thumb drive – shipped to one’s mailing address.

This makes comparing Sectigo and KSoft pricing a bit more complicated: Sectigo includes the cost of the token (apparently $50) in its pricing, but does still charge $40 to ship it to a U.S. address, whereas KSoft adds an additional $90 (presumably $50 for the device plus $40 for shipping) to the price of the certificate.

When using their respective shopping carts to price the total cost for a 3-year OV certificate, here’s what I found:

Sectigo: $798 (including token) + $40 shipping = $838
KSoft: $657 + $90 (token + shipping) = $747

So if this is to be believed, KSoft is significantly less, but still insanely more expensive than just a year ago.

One consequence of the new hardware requirement is that the extra cost of the token and shipping really adds up if one only renews a certificate for one year at a time.

For now at least, code-signing Apple apps is suddenly a real bargain. But I’ve got to wonder whether even this will change soon.

jeff k

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by stam » Sat Jun 17, 2023 12:58 pm

Well, for me codesigning certification on Windows has always been a bit suspect... take the Windows 'reputation' racket for example - similar to any game nowadays you can 'grind' reputation, or just pay them to buy it! Yup, not suspect at all...

But joking aside, I think if you have a hardware token, you can store additional certificates on the same token, if I understood Sectigo's site properly.
If that's true then the difference of $91 is only on first purchase, subsequent renewals would be pretty identical. And I can't imagine one would have to have multiple hardware tokens for all the certificates, that would be an exact recipe for problems.

But whichever it is, it looks like codesigning on Windows is going to be increasingly expensive to the detriment of solo developers.
Not a great state of affairs...

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by stam » Sat Jun 17, 2023 1:06 pm

jmk_phd wrote:
Sat Jun 17, 2023 11:22 am
Sectigo: $798 (including token) + $40 shipping = $838
KSoft: $657 + $90 (token + shipping) = $747
Well, not sure where you got that Sectigo pricing from... this is what I see when I choose token+delivery to US:
sectigo+token.jpg

In other words no difference... well, if you want to be picky $0.65 difference.

There has to be a more sensible way of codesigning software on Windows... this is a pure racket if you consider it's pretty much the same price as paying an LC subscription - when you consider what each of these offer that's bonkers...

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by stam » Sat Jun 17, 2023 1:17 pm

On that note, I've been searching for lower prices. This tidbit from one of the websites entertained me:
There are no free Code Signing SSL certificates for you to use to protect your software. The process of getting a certificate code signing in place takes a fair bit of effort from Certificate Authorities, and you should be suspicious of anyone offering this manner of security for free.
LOL, yeah, I'm sure a 'fair bit of effort' goes into generating a certificate and it's not just a fully automated process.
Seems legit...

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by jmk_phd » Mon Jun 19, 2023 4:48 am

Perhaps at some point a forum member who knows more about this than either of us can weigh in and enlighten us regarding these Windows certificate changes.

I can accept that this involves some additional overhead on the part of Microsoft-sanctioned Certificate Authorities, but hard to believe that it justifies tripling or quadrupling the cost, inasmuch as they *are* charging for providing and shipping the hardware token.

The increase may be just pocket-change to corporate software producers, but it’s an incredibly huge hit to small-time independent programmers, and possibly fatal to the secure distribution of freeware apps.

In my case, I’d planned to go public by end of this month with my one commercial app, which currently employs a perpetual license key designed to unlock both the Mac and Windows versions. Now I’m thinking that I must either drop future support for Windows (probably 80+ percent of the target market) or rewrite the license code right away to be platform-specific, so I can charge more for the Windows version in the future to cover the extra cost. Until I decide what to do, my project is dead in the water.

This issue will never be addressed here in the U.S., but perhaps regulators in the EU can be persuaded to examine whether this new Certificate pricing suppresses the distribution of free and low-cost software in the name of security.

jeff k

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by stam » Mon Jun 19, 2023 7:43 am

Part of the problem lies with the OS Vendors’ role in verifying developers. It’s not like the web, where a site read by any browser, hosted on any provider, on any platform can be “certified” with SSL and a green padlock.

There is no equivalent for desktop software, but arguably it’s no different. It’s just a cryptographic document that proves that the person/organisation who says they authored the app is actually the person/organisation who authored the app. So really this should be as cheap as getting an SSL certificate for a website and platform independent.

The rest, like SmartScreen Reputation is meaningless drivel created to extract more money from developers and software companies, since you can just buy reputation.

The fact that this not only hasn’t been addressed in a platform independent manner yet, but has quadrupled in price on the Windows side is sadly telling. We’re being extorted, OS vendors are complicit and there is nothing really we can do about it. The EU hasn’t regulated this by now, so is unlikely in the next few years…

If only I could use my Apple certificate to codesign Windows apps….

Meh….

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by stam » Mon Jun 19, 2023 5:24 pm

More on this: I had a chat with Mitchell Vincent of K-Software over the phone today (if you've been trying to contact K-Software do use the phone on their website instead of email tickets).

Seems like the change in certification has been Microsoft trying to push everyone to an EV certificate (the actual price difference between OV and EV is now a fraction of what it used to be).

That means both massive increase in price for OV and that even OV certificates need to be delivered on a hardware token, like EV certificates. If you use a certificate that was generated after these changes were made but with no hardware token, it will invalidate the codesigning for all your signed software even if codesigning predated this, in other words historical purchases.
Those with existing certificates will be fine for now, but as I think 3 years is the longest you can renew, 2025 is going to be a bombshell for many...

To put it politely it sounds like a 'dogs dinner' as we say in the UK (actually the word that went through my head when he was describing this was 'clusterf...'), driven by Microsoft. Mitchell was talking about some kind of Azure based platform that will be offered by MS and will provide certification as a service being possibly more cost-effective, but that's some way off still as I understood it.

My particular issue was that for a number of reasons I didn't collect the certificate issued last autumn but as it was valid through 2025 I just left it till later; this now presents a real problem as my certificate can now no longer be retrieved in any way and very likely I'll have to re-purchase, although Mitchell is looking at ways to soften the blow. My personal worry is what happens after 2025 though. Unless something changes it's going to actually be unaffordable to release codesigned Windows software...

What a ridiculous state of affairs :-/
Particularly when you consider that the OV certificate now costs more than a fairly decent laptop does... how can that possibly be justified...

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by jmk_phd » Tue Jun 20, 2023 4:20 am

Stam --

Thanks for the update on your phone chat with Mitchell Vincent of K-Software. I suppose the bottom-line is that Microsoft's push to require EV certificates -- which in turn is driving up how Windows Certificate Authorities price their products -- will mark an end to the era in which independent programmers could afford to distribute code-signed freeware and low-cost commercial software for Windows.

As regards distributing freeware, my own experience is that the additional cost cannot be supported with requests for donations. As far as I can tell, one of my freeware apps has been downloaded a few hundred times over the past two years, with a total of $28 across two donations. (Of course, it might be that it's simply worth nothing to the folks who've downloaded it, but I'd like to believe that this isn't the case.) I suppose that switching to some sort of shareware or trial-period model might do better, but I've already promised my client that it always would be available free of charge.

jeff

Re: Codesigning on Windows - OV certificate prices (yes, that old chestnut)

Post by stam » Tue Jun 20, 2023 7:07 am

jmk_phd wrote:
Tue Jun 20, 2023 4:20 am
I've already promised my client that it always would be available free of charge.
Well, as long as you don’t update the software after your current OV certificate expires, you should be OK. But otherwise… ouch….
