Do you normally take note of the security warning messages when you run a file on your Windows computer, or when it prompts you to allow the program to make changes in the User Account Control window? To be honest, I have never cared about them, because I know the file will be safe as long as I download it from the official website. For example, I download the Firefox web browser from www.mozilla.com and not from free file hosting websites such as MediaFire, where the uploader is able to tamper with the file by adding malicious code.
While I was looking to purchase SSL certificates a few weeks ago, I noticed another type of certificate called code signing. Basically, code signing certificates are meant to prove that a piece of software comes from its author and has not been tampered with or modified. If you use a hex editor or resource editor to change anything in a signed file, its digital signature instantly becomes invalid. There are two ways to see whether a file is digitally signed or not.
The first is to right-click the file and select Properties. You should see an additional “Digital Signatures” tab that shows the validity of the certificate.
The second: if you run the file, the Security Warning window will show “Unknown Publisher” with the message “The publisher could not be verified. Are you sure you want to run this software?” and a red X at the bottom saying that the file does not have a valid digital signature.
A file with a valid digital signature fares slightly better: it shows the publisher name together with the short message “Do you want to run this file?” and a yellow exclamation mark saying that this file type can potentially harm your computer. Take note that it says “file type” and not “this file”.
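As an added example that is not part of the original article, the script below gives a third, scriptable way to make the same check: it reads the PE header's security directory, where Authenticode signatures are stored, and reports whether a signature blob is present. The sample PE image it builds is constructed for the demo and is not executable; presence of a blob does not prove the signature is valid, which is what the Properties tab and the Windows trust check decide.

```python
import struct

# WIN_CERTIFICATE.wCertificateType for an Authenticode PKCS#7 SignedData blob
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_blobs(data: bytes) -> list:
    """Return raw PKCS#7 blobs from the PE security directory ([] if unsigned)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt_off = pe_off + 4 + 20                               # skip PE sig + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories begin 96 bytes (PE32) or 112 bytes (PE32+) into the optional
    # header; IMAGE_DIRECTORY_ENTRY_SECURITY is entry 4 (8 bytes per entry)
    dirs_off = opt_off + (96 if magic == 0x10B else 112)
    sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    blobs, pos = [], sec_off
    # Unlike other directories, this "address" is a raw file offset, not an RVA
    while sec_size and pos < sec_off + sec_size:
        length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(data[pos + 8:pos + length])
        pos += (length + 7) & ~7                            # entries are 8-byte aligned
    return blobs


def is_signed(data: bytes) -> bool:
    """True if the file carries at least one Authenticode signature (validity not checked)."""
    return bool(authenticode_blobs(data))


def minimal_pe(signature: bytes = b"") -> bytes:
    """Constructed PE32 header-only image for the demo (not executable); empty = unsigned."""
    img = bytearray(0x40 + 4 + 20 + 224)     # DOS header, PE sig, COFF header, PE32 opt header
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 24, 0x10B)          # PE32 magic
    if not signature:
        return bytes(img)
    entry = struct.pack("<IHH", 8 + len(signature), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    entry += signature + b"\0" * (-(8 + len(signature)) % 8)
    struct.pack_into("<II", img, 0x40 + 24 + 96 + 4 * 8, len(img), len(entry))
    return bytes(img) + entry


if __name__ == "__main__":
    print("signed:", is_signed(minimal_pe(b"\x30\x82 constructed PKCS#7 placeholder")))
```

Point it at a real installer with `is_signed(open(path, "rb").read())`; an unsigned download yields `False`, a signed one returns the blob you can hand to a PKCS#7 parser.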
If the software requires User Account Control elevation to make changes to your computer, the warning is more visible because of its color.
This warning window definitely looks scarier because of the color!
For software publishers to avoid scaring their users, they have to purchase a digital code signing certificate from VeriSign, Thawte, Comodo, GoDaddy, DigiCert, etc. These certificates don’t come cheap, as some of the most trusted brands such as VeriSign cost a few hundred dollars a year. Normally the cheapest code signing certificate you can find is from Tucows, where you have to register an account and publish your software on their website (not exclusively); it costs $75 a year, $140 for 2 years and $195 for 3 years.
However, you can currently get a much cheaper price from K Software by using a discount coupon. Their published prices are $95 for 1 year, $175 for 2 years, $245 for 3 years, $310 for 4 years and $365 for 5 years, and you can get it for as little as $54.75 per year if you sign up for 5 years with the partner coupon CPN25.
I’ve purchased a 5-year code signing certificate from K Software to be used on X-Ray, and here is the walkthrough.
1. Pay upfront
Before getting anything, you have to pay the full amount to K Software. No need to worry about this, because they offer a 100% refund if for some reason your application is rejected by Comodo.
2. Send documents to Comodo
After paying successfully, you will receive an email from Comodo asking for the necessary scanned documents. If you want your own name to appear as the publisher name, simply send them a scanned copy of your driver’s license or passport. If you prefer to show a company or trading name, you will need to submit a business license. Remember to quote your order number in the email.
3. Domain validation
Once you’ve submitted the documents, Comodo will perform a domain validation to match the domain ownership information against the document. If it is different, log in to your domain registrar and make the necessary changes. If you use the Domains by Proxy service to hide your domain’s WHOIS information, there are actually 3 solutions to this problem: temporarily disable Domains by Proxy, pay $15 to have Domains by Proxy issue an authorization letter to Comodo, or upload a specific HTML file provided by Comodo to the root of the domain. I went with the third option.
The final step is to confirm your phone number with Comodo and let them know the business hours during which to call you. They will call the number and ask a couple of questions, such as whether you’ve bought the code signing certificate and what your address is, to match it against the document.
After hanging up the phone, I instantly received an email from Comodo containing a link to collect my code signing certificate. I typed in the Collection Code provided by Comodo in the email, clicked the Collect Certificate button, and the certificate was installed into my Firefox web browser.
Now that I’ve got the certificate installed in my web browser, I have to export it to a .PFX file so that it can be used to sign X-Ray. Click the Firefox button at the top left and select Options. Click the Advanced icon, go to the Encryption tab and click the View Certificates button. In the “Your Certificates” tab, you should see a certificate named “COMODO CA Limited”. Click on it, followed by the Backup button. Browse to the location where you want to save the certificate and specify a password.
The certificate you’ve just backed up will have a .p12 extension. Simply rename the extension to .pfx and you can use it with any of the code signing tools. One of the easiest code signing tools you can use is kSign, developed by K Software. After installing, run kSign, browse to your .pfx file, specify the password, add the files that you want to digitally sign and click the Sign button.
Using kSign to sign X-Ray files with the Comodo code signing certificate. Expect X-Ray to be released before Christmas!