My Adventure of Getting a Code Signing Certificate

It was a surprisingly strange procedure to get a Code Signing Certificate. Which I decided to obtain in order to make the nasty ones of the browsers like Internet Explorer stop complaining when downloading installers for the software I develop.

Finally, I now have one. If you should decided to get one too, one day, read here what I had to go through:

• On the CA's website, I had to enter the type of certificate I wanted, for how many signing processes and for what type of software. The website left me completely in the dark how much this would cost at all. So assuming my selections would influence the price of such a certificate, I selected the smallest possible options which were ok for me.


• Then, I had to write down lots of details about me and my company. Still, no price was written anywhere.


• Then, they wanted my credit card details, for paying for the certificate. Still no price shown, anywhere.


• After I had entered my payment details, they finally presented me with a price of 99$. Isn't this a bit shady practice? And a bit expensive for a simple database entry? But I accepted.


• I was sent an automatic mail that I would have to send them a scanned-in proof of identity, and a signed form. Which must have been certified by a notary.
  
  
  Side node: A notary in the US might be something casual, but here in Austria,
  having a license to be a notrary is basically a license for gold digging. They get 1% of every real esate deal, have protected areas of business and usually have huge, expensive offices and lots of staff, because they can. That's also why they take quite some money for certifying a document, and are cumbersome in giving you an appointment, if it is not a property deal you have for them to work on.
  
  
  


• Anyway, I was lucky, and was able to arrange an appointment at our local friendly notary for the next day. Hurray. Signing that
  document would 'only' cost 30 euro. OK.


• The next day, while approaching the notaries office, a woman from the CA called me. She had to verify my ID, and gave my a quiz in which
  I had to answer some questions. Questions which anybody could have answered, like:
  What is the city I'm living in? What's the zipcode? Not sure how this would verify my id at all.Then she told me that she
  will send me a mail with a form which I had to sign and then would have to be certified by a notary. Telling her that this is what I am
  currently doing, standing right in front of the notaries office, confused her completely. I wondered if there was a second form I would
  have to get certified, but I decided for "let's handle this later, if at all". The woman at the phone wasn't able to help me at all. Later
  this day, I found out that the second form they sent me was the same as the first one. So I ignored that.


• About a week after I had sent the signed form to the CA, I received a phone call, this time from a woman who interestingly spoke
  German (with a very unusual accent, sounded strange). She told me that it wasn't possible to give me the code signing certificate, because I
  hadn't included a copy of a valid Id document on the form. But I had. There was this single page form, and right in the middle, there was
  this big, big copy of that document. So the discussion went like this:
  
  
  
  • Me: Hm, I had included a copy of it on that form. I'm sure.
    It's right there, in the middle.
  
  
  • Woman: No, you hadn't. This is not the type of Id we need. We
    need <other type of id>
  
  
  • Me: But this is exactly it. It is <other type of id>
  
  
  • Woman: No it isn't.
  
  
  • Me: Yes it is. Look at the document.
  
  
  • Woman: No it isn't.
  
  
  • Me: Have you looked at the form?
  
  
  • Woman: Ah, I see now. Everything is ok. We'll send you the
    certificate witin the next few days.
  
  
  
  Not sure what was going on there. After the call had ended, I think everybody in the office could see actual big WTF letters hovering over my head.
  


• A few days later, I finally received a link to the certificate to 'pick up'. However, it is apparently only possible to do this with Internet Explorer. And to make this work, you seem to need to reconfigure quite a lot of options, deep, deep down in the internet settings of Internet Explorer. There are instructions on the CA's website on how to do this. For IE 7, 8 and 9. If you have IE 11 - like me - then you are probably out of luck. And if you would guess, it also didn't work. It failed miserably with an obscure error message, and I had no idea what to do. So after thinking and looking through the settings again, and failing at googling for help, I finally did
  the last desparate attempt: Simply clicking the same link again. Then it worked. Yay, I finally had my certificate!

After having read quite a few times now that hackers and malware programmers apparently are able to easily sign their software with false certificates, I wonder if all this was it worth at all. And since the certificate is only valid for one year, I hope I won't have to do this again in 2016.

The process of getting this was costly (from the perspective of an indie developer) and quite complicated - and this although mostly everything went well. Imagine something would have gone wrong. I think this might also be the reason why code isn't signed that often.