6
votes

I want to sign a static .exe build of one of my Open Source programs so that it will be executable in a "normal" manner to a "normal" Windows user.

I bought an Open Source Code Signing Certificate from certum.eu to be able to do this.

After some searching on the internet, I tried to sign the exe file using osslsigncode 1.7.1 on my Linux machine using

osslsigncode sign -pkcs12 cert.p12 -pass "..." -h sha2 -t http://timestamp.verisign.com/scripts/timstamp.dll -in some.exe -out some-signed.exe

Having somebody test it on Windows 10, a rough warning pops up: "Windows protected your PC. Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk."

So I tried to use the native Windows tool signtool.exe to sign it. I installed it in my old virtual Windows XP (where I also compiled the program; I don't have access to any other Windows machine) and signed the exe file with

"C:\Programme\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /f C:\cert.p12 /p "..." /t http://timestamp.verisign.com/scripts/timstamp.dll C:\some.exe

This tool also said everything was okay, but still, the very same warning pops up.

This way, the certificate is simply useless, as the "signed" exe file does produce the very same warning as the unsigned one. I would greatly appreciate help about this.

1
May I ask you, do you use your Certum cert with a smart card, and if so, what model of smart card? I have tried to buy and use one, but the only way I saw was to buy their smart card, and then the price became too high for me. Is there a way to use the Certum open source code cert without a smartcard or with a non-Certum smartcard?
vinsa

I bought it at the time one could simply download the cert via a browser. I think they changed it shortly after.
Tobias Leupold

@vinsa, did you eventually buy the Certum certificate and, if so, was it with or without card and reader? I'm trying to understand what this card and reader is for and whether it's really needed, as it's not mentioned anywhere else on the internet (this is so weird, I can find zero information about this).
laurent

@this.lau_ I have paid for the open source code signing certificate by Certum, but without the reader and smartcard kit, and I was unable to use it, so in order to use their certificate, you have to buy the kit. I tried to use my own card reader and a cryptographic smartcard which I had, but it was not working, so I wanted a refund. Btw I had to open a PayPal dispute in order to get my money back; it is not easy. It will be cheaper with Comodo, they don't require you to buy a card reader and smartcard; there are resellers like comodosslstore.com where the price is really low.
vinsa

@vinsa, thanks a lot for the information, it's good to know. Altogether the Certum certificate with card/reader and shipping fees was around 130 EUR, which is surprisingly high for what's supposed to be a cheap open source certificate. Based on your comment I've searched for a cheap Comodo certificate in my country and found one for £62 here.
laurent
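A quick way to tell "signed but not yet trusted" from "not actually signed" is to check whether the binary carries an Authenticode certificate table at all. The script below is an added example written for this page, not code from the question, from osslsigncode or from signtool: it walks the PE headers to the security data directory (entry 4, which holds a raw file offset rather than an RVA) and reads the WIN_CERTIFICATE header in front of the PKCS#7 blob. The `build_sample_pe` helper and the `FAKE_PKCS7` bytes are constructed stand-ins so the script runs offline; point it at a real `some-signed.exe` to inspect that instead.

```python
import struct

# Constructed placeholder standing in for a real DER-encoded PKCS#7 SignedData
# blob; a real Authenticode signature is much larger and is not decoded here.
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\x00" * 60


def authenticode_info(data: bytes) -> dict:
    """Locate the Authenticode certificate table in a PE image.

    Returns {'signed': False} when the security directory is empty, otherwise
    the table's file offset, size and the WIN_CERTIFICATE header fields.
    Only the PE headers are parsed; the signature itself is not verified.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE/MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                                  # skip the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                         # PE32
        n_dirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                       # PE32+
        n_dirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    if n_dirs <= 4:                                            # IMAGE_DIRECTORY_ENTRY_SECURITY == 4
        return {"signed": False}
    sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    if sec_off == 0 or sec_size == 0:
        return {"signed": False}
    if sec_size < 8 or sec_off + sec_size > len(data):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
    return {
        "signed": True,
        "offset": sec_off,
        "size": sec_size,
        "win_cert_length": length,
        "revision": revision,       # 0x0200 = WIN_CERT_REVISION_2_0
        "cert_type": cert_type,     # 0x0002 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
    }


def build_sample_pe(signed: bool) -> bytes:
    """Build a constructed, header-only PE32 image for demonstration.

    It is not a runnable executable; it has just enough structure for the
    header walk above, optionally with a WIN_CERTIFICATE table appended.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # PE header follows the DOS header
    # Machine=i386, 0 sections, timestamp, symtab, nsyms, 224-byte optional header, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate,
        # padded to an 8-byte boundary as the PE specification requires.
        length = 8 + len(FAKE_PKCS7)
        padded = (length + 7) & ~7
        cert = struct.pack("<IHH", length, 0x0200, 0x0002) + FAKE_PKCS7 + b"\0" * (padded - length)
        struct.pack_into("<II", opt, 96 + 4 * 8, header_len, padded)  # security directory entry
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_pe(signed=True)
    print(authenticode_info(image))
```

If this reports a non-empty table with certificate type 0x0002 for the output of osslsigncode or signtool, the signature was embedded and the SmartScreen prompt is not caused by a missing signature; `osslsigncode verify -in some-signed.exe` can then be used to check the signature chain and timestamp themselves.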

1 Answer

3
votes


Short answer: Wait a couple of days and the problem will disappear.

I had the same issue with my Certum certificate earlier this year. And a few years ago, I had a commercial certificate I got from Comodo and it initially had the same issue as well.

The bottom line is that your new certificate and signed binaries need some time to gain trust and be auto-verified by Microsoft's code-signing reputation service.

Start distributing your signed exe to as many PCs as you can and use the "advanced" option to force the exe to run anyway. That might help bump the reputation up faster.