Code signing certificate for open-source projects?
Open SourceCode Signing-CertificateOpen Source Problem Overview
I want to publish one of my applications as open-source and want to digitally sign the binaries I've created with my own certificate. (Of course, anyone else can just download the code and build it themselves with their own certificate.) I want to do this so anyone can check that this build was made by me, not by someone else. I also want to create a secure website with a valid SSL certificate so visitors can create their own accounts in a secure way so they can contribute to this project.
I could create a self-signed certificate, but I don't really like that option. Or I could pay Verisign a few gold pieces to get the certificates that would be valid for just a few years. I don't like that option either, since my treasury is valuable to me.
So, are there any other options? For example, a provider that supports open-source projects by offering certificates for a reduced price? It doesn't have to be free, just a lot less expensive than Verisign...
(The Project is created in C# with Visual Studio 2008. Plus an additional project in ASP.NET that wants SSL.)
Open Source Solutions
Solution 1 - Open Source
For open source developers, Certum provides code signing certificates for free*
Just enter "open source developer" in the "company" field when you request the certificate. That's it.
Link to open source code signing certificates is here
[*] Starting 2016, the Open Source Code Signing certificate is no longer available for free. It is now a paid only service.
Solution 2 - Open Source
Update: No longer free, now €105.78 (as of 19 Feb 2017). The cost is less if you already own their crypto hardware. FWIW, following are the previous instructions.
The get a free code signing certificate from Certum/Unizeto for yourself as an individual, follow these steps. Use Internet Explorer or Safari, since they support the key exchange mechanism.
-
Browse to Test ID and OpenSource Code Signing certificates, and submit the form.
-
The certificate will appear under Activate Certificates. Click Activate.
-
Go through the activation wizard. For Organization enter Open Source Developer. For Organizational Unit, enter Software Publishing.
-
You'll get an email asking for proof of identity. Reply with a link to the open source project and an image of your driver's license (or another accepted document). To protect your privacy, you should encrypt the reply.* The way to encrypt varies by email client. For Outlook, ensure you have an email certificate (freely available), and turn on encryption.
-
Within a day or so, you should receive an email with a link to collect your certificate. You have to open the link from the same computer and browser you used to start the process.
* Although the verification email from Certum says to send the proof to [email protected], Certum also accepts proof sent to the reply address [email protected], to which you can send encrypted email.
Solution 3 - Open Source
2016 update: StartCom has been acquired by WoSign under questionable circumstances. I wouldn't trust StartCom/WoSign. Consider the below text as a historical note on how good StartCom was up to early 2015.
> I've got a code signing certificate from [StartCom][1] (StartSSL). I'm very satisfied with their service: Their customer service is very fast, and their prices are very reasonable.
>
Getting the code-signing certificate
>
Getting a code signing certificate requires [Class 2 Identity Validation][2]. StartCom guides you through the whole process (with excellent response rates, usually within ten minutes in my experience).
If you want to get the details right at once, read [this blog post][3]. I was validated within an hour (for a fee of 59.90 $, via Paypal).
> After being validated, generate a new private key, and a Certificate Signing Request (CSR). Note that all fields except for the public key are ignored. All information in the certificate is inferred from the information you provide during identity validation, not from your CSR.
# Create key and CSR (key must be at least 2048 bit, per Policy Statement)
openssl req -nodes -newkey rsa:2048 -keyout codesigning.key -out codesigning.csr
# Add pass phrase to key (optional, but highly recommended)
openssl rsa -in codesigning.key -des3 -out codesigning2.key && \
mv codesigning2.key codesigning.key
> Submit this via the web interface and you'll quickly get a new certificate that's valid for two years (I got mine within an hour).
>
Issue: Lifetime Signing OID
> StartCom's class 2 certificates have the Lifetime Signing OID set. Because of this bit, the signature of signed code will become invalid after the certificate expires, even when it's timestamped.
> When I asked Eddy Nigg (COO/CTO of StartCom) for the reason of this OID, he replied:
>> It requires from us to keep the CRLs operating for up to 20 years after the certificates already expired. This is something we can do for EV level certs (much lower volume, different payment terms) but would increase the price for Class 2 just for this benefit (where code signing is only part of the options in this level).
> Timestamping is thus only available after Extended Validation (EV), which is [only available to legally established organizations][4] and costs 199.90 $. So, individual developers cannot use timestamping with a code signing certificate from StartCom.
> For a long time, I considered this limitation as a big issue. Recently, I changed my mind: It only happens once every two years, security-minded users might be more inclined to get the latest version of my software, and old versions of the software will still work (for those who want to use it; though without a verified signature).
> Note: Always timestamp your code, even when the Lifetime signing flag is set! Timestamped signatures will remain valid until the expiry date of the certificate, even when the certificate has been revoked (obviously, only if the signature was created before the certificate was revoked).
>
Practical use of certificate
> At StartCom, you only pay for validation. The identity validation is valid for 350 days, and during this period, you can request code signing certificates for free. You can only have one valid code signing certificate, and it can be used to sign any code (MSI, DLL, XPI, ...) but not driver code (this requires EV).
> To change an attribute on the certificate, the previous certificate must be revoked an a new one requested. Revocation of a certificate costs 29.90 $. Though when I changed my email a day after getting a code signing certificate, they exceptionally revoked my certificate without fee (I was positively surprised)!
>
Expiration
> When your certificate is about to expire (after almost two years), you get a notification (two weeks in advance). If your verified identity is still valid (recall that validations expire after 350 days; then you have to confirm your identity again for 59.90$), you can request a new certificate without revoking the previous one. Do not forget to publish a new release of your software that's signed with this new code signing certificate, because the previous releases will soon show "(not verified)" or something similar.
>
OCSP
> When I received my certificate, I signed my Firefox add-on. However, it still showed "(Author not verified)", even though my XPI file was correctly signed. It turned out that Firefox did not get the current certificate status when it queried the OCSP servers of StartCom for the revocation status of my new certificate. [possibly relevant forum topic][5]
> After about a half day, my certificate was known to the OCSP servers, and my name showed up as expected. Lesson learnt: When you've got a new certificate, wait about a day before publishing your software with the new signature.
[1]: http://www.startssl.com/?app=40 "StartSSL™ Comparison Chart" [2]: https://www.startssl.com/?app=34 "How to Enroll: Class 2 Identity Validation (StartSSL™ Verified)" [3]: http://www.muchtall.com/2013/05/22/pitfall-free-howto-guide-to-startcom-startssl-class-2-organization-validation-certification/ "Pitfall-Free Howto/Guide to StartCom/StartSSL Class 2 Organization Validation/Certification" [4]: https://www.startssl.com/?app=30 "StartSSL™ Extended Validation" [5]: https://forum.startcom.org/viewtopic.php?f=15&t=2654 "Certificate OCSP Validation Failiure in Firefox" [6]: https://www.sslshopper.com/startcom-certificate-authority-reviews.html [7]: https://bugzilla.mozilla.org/show_bug.cgi?id=647959#c0 "Firefox's bug tracker: Bug 647959 - Add Honest Achmed's root certificate" [8]: http://www.startssl.com/?app=25#90 "StartCom FAQ" [9]: https://adblockplus.org/blog/trying-to-get-rid-of-author-not-verified-or-signing-extensions-with-sitecom-certificate#c002615 [10]: https://bugzilla.mozilla.org/show_bug.cgi?id=470897 [11]: http://www.startssl.com/?app=26 "Certification Policies, Practice Statements & Resources"
Solution 4 - Open Source
The Linux Foundation, in partnership with Red Hat, Google and Purdue University has launched the sigstore project. Sigstore bills it's self as 'A non-profit, public good software signing & transparency service'.
It doesn't look like it's ready for general use yet, but looks promising.
Solution 5 - Open Source
You could have a look the StartSSL product.
Note StartSSL has now closed and is no longer issuing certs.
Solution 6 - Open Source
Solution 7 - Open Source
You can try CAcert. With this you get certified by other CAcert-users. CAcert has a reputation-based system, so if you are certified often enough your certificate is counted as valid.
You may have to add CAcert as a trusted authority on the target system. Self signing your executable should be a sufficient option but you will need to provide the public certificate. Using a known authority can help verify the file but I think it is over kill in this case use a checksum or sha2 hash of the file in combination with your self signed certificate. You could set up a linux box as a CA however they will need to trust your public certificate.
Solution 8 - Open Source
You will need to buy a code signing certificate. The cheapest ones are from Comodo. I have published source code and binaries, like you plan, and signed the binaries. See Date & time batch changer for photos and other files.
Solution 9 - Open Source
I use the Comodo Individual Code Signing Certificate. It's $71 per year and doesn't require any special hardware.
I wrote a blog post that walks through the installation and use of the certificate. One important note is that they will put your street address on the public certificate unless you ask them to leave it off.