Switching to an Inexpensive Code Signing Certificate

July 19, 2012

For the last few years I’ve been using a code signing certificate from Thawte. At the time I just wanted to get my app out the door, and some quick research turned up Thawte as a popular choice and a trusted certificate authority on every OS version I was targeting. The $275-a-year fee always annoyed me a bit, though, and since the introduction of Gatekeeper means I’ll only be using the certificate to silence scary warnings on Windows, I decided to look into less expensive options.

The reason certificate prices vary so widely is a combination of reputation and OS support. By purchasing a certificate you are linking yourself to the certificate authority’s good name, so if they have a more widely known name, that is supposedly better for you. In practice very few people care which CA your code signing certificate comes from as long as it works. OS support is also not likely to be an issue. CAs that have been around for a long time are trusted by default on more operating systems, with the big names going all the way back to Windows 95. There is a slim chance this matters to you for an SSL certificate, but for code signing you only care about the CA being trusted on the oldest OS your software supports. In my case that’s Windows XP, and this opens the door to other options, namely Comodo and any of its resellers. Comodo’s direct price is $170 a year, but from a reseller you can get that down to $90 a year or less.

After some searching I decided to buy from K Software. There are slightly cheaper options out there, but K Software has a great site, documentation to guide you through the whole process, and a lot of positive mentions on developer blogs. I pulled the trigger, and after responding to a couple of requests from Comodo I had my new cert a few hours later.

Certificate Chain for K Software Code Signing Certificate

The certificate you receive comes directly from Comodo and doesn’t involve the reseller in the certificate chain in any way. This means that you can renew through any other reseller or directly from Comodo in the future, and anyone looking at the certificate won’t know who you actually bought it from.

To double-check OS compatibility I signed my app with the new certificate and tested it on Windows 7 and an up-to-date version of XP. Then I fired up a virtual machine running a clean install of XP from a 2002 retail disk. Without any updates or service packs applied the app’s signature verified just fine, and if it works there it will work anywhere.
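If you want to see for yourself what the chain on your signed binary looks like, and check it on the oldest OS you target, here is an added PowerShell example (not from the original post). It assumes the signed executable is at `.\MyApp.exe`, a placeholder path, and that you run it on the Windows version whose trust store you want to verify against.

```powershell
# Added example, not from the original post. Inspects the Authenticode signature on a
# signed executable and prints each certificate in the chain, so you can confirm the
# reseller does not appear anywhere and see which root the chain ends in.
# The path is a placeholder; pass your own with -Path.
param([string]$Path = '.\MyApp.exe')

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"
if ($sig.Status -ne 'Valid') { exit 1 }

# Build the chain from the signer certificate against this machine's trust store.
# Revocation checking is skipped so the script also runs on an offline test VM.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($sig.SignerCertificate)
"Chain built      : $built"

$i = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    "[{0}] Subject : {1}" -f $i, $cert.Subject
    "     Issuer  : {0}" -f $cert.Issuer
    "     Valid   : {0} to {1}" -f $cert.NotBefore, $cert.NotAfter
    $i++
}

# The last element is the root. For the signature to verify on a given OS, this root
# must be in that OS's Trusted Root Certification Authorities store.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root thumbprint  : $($root.Thumbprint)"
if (-not $built) {
    "Chain problems   : " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
```

Run it on a clean install of your oldest supported OS as well as a current one; if the root printed at the end is missing from the old machine's trust store, `Chain built` will be `False` and the reason is listed under `Chain problems`.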

I was initially on the fence about buying from a reseller because the price difference kept making me wonder what the catch was. But after looking into why the difference exists and seeing the results for myself I can’t see any reason why you wouldn’t go for the best deal that supports your oldest target OS. The next time you’re in the market for a code signing certificate I highly recommend giving the inexpensive options a look.