In the past I used a variety of code-signing CAs. But for a few years now I am using Certums affordable offer for Open Source developers.
Let’s assume you already have their latest hardware and merely want to renew or get a new certificate1. There was a swap to smartcards (and respective readers) in 2021, which allows for bigger key sizes on the card. So if you used the old clunky card reader for them, the new one looks slicker, offers more and is necessary to get a renewal or a new certificate from them. The offer comes in two flavors:
- Card reader plus code-signing certificate
- Just the certificate
Now the process of getting a certificate is a bit finicky, albeit no comparison to the utterly stupid treatment I received from Sectigo!
Here I am going to explain a little how it worked for me.
So let’s recall what code signing is and what it’s needed for. Code-signing is used to establish a trust chain between you (the developer or company) and the person receiving your software. The certificate authority (CA) — here Certum — is the trust anchor that comes usually preinstalled2 on the user’s system in a so-called trust store.
Now clearly there’s a gap here. Between you and the CA. And I’ll get to that in a moment.
But for now we have to get a little technical. The code-signing from the technical point of view works by you having a certificate and a secret key3 key, but the public key is no secret and you can tell anyone about it 😉. The secret key is usually also protected by a passphrase4 or PIN. With Certum the key pair is generated and stored on a smartcard. This little device looks just like one of those SIM cards (the biggest form factor of SIM cards) and comes right inside the card reader you purchase from them. Access to the card is controlled by a PIN and PUK you can change via their proCertum CardManager software5.
So how do we fill that gap between you and the CA? Two things:
- you send a Certificate Signing Request (CSR) to the CA in which you enter personal details identifying you along with information about your key pair (the public key), signed by you using the private key
- the CA duly checks the identity details against documents they will request from you
To send a CSR you first purchase the product and pay for it. After that you have a spare CSR, so to speak. Which you can only send — at least for the Open Source code-signing flavor — via a browser. And this is where it gets a bit involved and finicky.
Firefox did not work for me. So I used MS Edge, given in the past many CAs simply required Internet Explorer6. However, in order to get this to work you need to download something called the Certum Crypto Agent from Certum’s website. And that is a Java WebStart Applet (.jnlp file). And as we all know Java integration into the browser isn’t what it once was. Since all options more or less suck, I opted for OpenWebStart. You can install it using winget via winget install --id karakun.OpenWebStart. Easy. Of course you also need a Java Runtime Environment for which I used Eclipse Adoptium Temurin JRE, which can be installed via winget install --id EclipseAdoptium.Temurin.19.JRE. Hah! Now start the Certum Crypto Agent and make sure proCertum CardManager is running, too. The agent acts as an intermediary between the website (likely via web sockets or some such) and the CardManager.
So what do we have when we start?
- Card reader (from Certum)
- Smartcard (bundled with the reader)
- proCertum CardManager
- Certum Crypto Agent
You can then select the spare CSR from the list on the website and walk through the steps. For the key size I prefer to use 4096, but YMMV. This should kick off a key generation step on the smartcard via the agent and CardManager. Once done, the smartcard will hold the new key pair (secured by the card and your PIN) and Certum will have received your CSR, signed with the newly generated key pair.
Now comes the validation phase during which Certum will request documentation about your identity from you7.
Assuming all checked out — there can be a little back and forth –, you will hear back from Certum and your newly issued certificate will wait for you on their website. That certificate has been signed by Certum to affirm that the public key you mentioned in your CSR belongs to a key pair which you own.
Simply download the certificate and import it onto the card via the proCertum CardManager.
You’re done. You now have:
- Card reader (from Certum)
- Smartcard (bundled with the reader)
- Key pair (private + public)
- Imported certificate (signed by Certum)
- Smartcard (bundled with the reader)
- proCertum CardManager
Certum Crypto Agent(only needed while sending CSR)
From this point on you can use signtool.exe or similar software to sign your code.
// Oliver
PS: keep reading if you want to know some of the more technical aspects, because time and time again people seem to confuse terminology.
What do you need to sign? The certificate? Yes, but that’s not enough. You need the certificate and the matching private key.
When you sign code for Windows, the signing happens by taking parts from the PE file and hashing those8. The result is a few bytes long and contains a cryptographic hash over the relevant parts of the PE file. That’s what is going to get signed.
And when you sign it, you use you private key — in case of the above method on the smart card and protected by an additional PIN, in the past often in a PFX file and protected by a passphrase.
But your signature with the private key can be verified based on your public key! And so while signing you practically enclose the certificate you received from the CA alongside the signature.
Now the certificate, as you may remember, contains your public key and some information about you. But the certificate is also signed by Certum. And that’s the missing link.
The user’s system will in all likelihood know about the Certum CA and so can check the signature on the enclosed certificate. And because the CA is meant to ensure that the identity of someone receiving such a certificate has been duly checked before it gets issued, this closes the gap between you and the CA.
Now whoever wants to check the signature will first formally check the signature against a computed hash of the PE file contents. If it checks out it will proceed to validate the enclosed certificate and verify that the public key of the signature matches the public key from the certificate. Then it can use the so-called trust store9 to establish a connection to a trusted CA. And if that succeeds your signature was successfully verified.
There are a lot more details that I could dwell on, but this small treatise should even give laypeople a grasp of what code-signing is all about and what’s involved.
- These instructions are in all likelihood also true for their offers which aren’t limited to Open Source signing. [↩]
- … on account of the used operating system, such as Windows [↩]
- … technically you have a key pair of public and private ((also secret key [↩]
- … this was most common when people used PFX files which contained both the certificate and the key [↩]
- As a side-note, I cannot recommend the Linux version of their software. I tried it and aside from providing only an unclean uninstallation, it also didn’t work. [↩]
- … I know … I know 😉 [↩]
- In my case they wanted my government ID which I had to present, along with a video capture of my face to match ID and face. Additionally they wanted a document showing my name with the address, e.g. a utility bill and last but not least the URL to the Open Source project which should list you in plain to make the connection. The last part is due to the offer being considerably cheaper than commercial code-signing certificates, so they want to make sure you’re not cheating their conditions. Also Extended Validation (EV) certificates usually require more documentation, that you have an incorporated company in whose name the certificate is issued and even a notary to affirm that you are you. [↩]
- Sysinternals’ sigcheck calls it the PE hash, e.g. PESHA1 and PE256 [↩]
- … which is where the system stores the knowledge about the CA certificates [↩]