Why are code signing certificates so expensive?
-
Here's a radical idea: somebody thought it would be a good idea to monetize it. Someone won't like me to say this, but in my opinion, it's a scam, and the whole certificate structure is just so much nonsense that has zero utility, as it essentially does nothing except add a placebo effect of software safety.
Story as old as government maybe? Make something required by law, hard to compete in because of regulation/approval, and then jack the price up. It's basically how we ended up with insane insulin prices. They'll literally kill people to make a bit more money. Inconveniencing a business or individual for some hokey false sense of security? That's kiddie stuff.
-
I understand that there were changes to the minimum key size for code signing certificates, which increased from a minimum of 2048 bits to a new minimum of 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to USD$299 for the USB stick (which costs about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks.
It's the work they do to verify your (enterprise) identity. That's what is meant by EV ("Enterprise Validation") certs, as opposed to DV ("Domain Validation") certs, which are freely available and commonly used for SSL/TLS on the web. I really wish Windows would support DV certs for code signing. I get that it's not as strong, but it seems like 90% of the games, apps and tools out there don't have any signing at all... surely DV signing would be better than nothing. :/
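The two posts above mention the 3072-bit minimum RSA key size for code-signing certificates and the fact that much Windows software ships unsigned. A defender or package consumer can check both on a file they are about to trust. The following PowerShell function is an added example for this thread, not code from any poster or vendor; it relies only on the built-in `Get-AuthenticodeSignature` cmdlet and .NET's X509 extension methods, and the file path in the usage line is a placeholder you replace with your own.

```powershell
# Added example: audit the Authenticode signature on a Windows binary against
# the checks discussed in this thread (signed at all, RSA key >= 3072 bits,
# certificate actually carries the Code Signing EKU, timestamped).
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
function Test-CodeSigningCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinimumRsaBits = 3072     # minimum the original post describes
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path           = $Path
        Status         = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer         = $null
        KeyAlgorithm   = $null
        KeyBits        = $null
        CodeSigningEku = $false
        Timestamped    = [bool] $sig.TimeStamperCertificate
        Findings       = New-Object System.Collections.Generic.List[string]
    }

    # No signer certificate means there is nothing further to inspect.
    if (-not $sig.SignerCertificate) {
        $result.Findings.Add('file carries no Authenticode signature')
        return [pscustomobject] $result
    }

    if ($sig.Status -ne 'Valid') {
        $result.Findings.Add("signature status is $($sig.Status): $($sig.StatusMessage)")
    }

    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # Key type and size: RSA is what the 3072-bit minimum applies to.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa) {
        $result.KeyAlgorithm = 'RSA'
        $result.KeyBits = $rsa.KeySize
        if ($rsa.KeySize -lt $MinimumRsaBits) {
            $result.Findings.Add("RSA key is $($rsa.KeySize) bits, below the $MinimumRsaBits-bit minimum")
        }
    } else {
        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
        if ($ecdsa) {
            $result.KeyAlgorithm = 'ECDSA'
            $result.KeyBits = $ecdsa.KeySize
        }
    }

    # A certificate issued for TLS or e-mail must not be accepted as a code signer;
    # the Code Signing extended key usage has OID 1.3.6.1.5.5.7.3.3.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.3')) {
        $result.CodeSigningEku = $true
    } else {
        $result.Findings.Add('signer certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3)')
    }

    # Without a countersignature from a timestamp authority the signature stops
    # validating as soon as the signing certificate expires.
    if (-not $result.Timestamped) {
        $result.Findings.Add('signature is not timestamped; it will not outlive the certificate')
    }

    return [pscustomobject] $result
}

# Usage (placeholder path; replace with a real file):
Test-CodeSigningCert -Path 'C:\path\to\MyTool.dll' | Format-List
```

`Get-AuthenticodeSignature` understands PE files, MSI installers and scripts, not `.nupkg` archives; NuGet packages use a separate package-signing format, so for those run `dotnet nuget verify <package.nupkg>` from the .NET SDK instead.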
-
I looked on that site, and I appreciate that you took the time to look and post it. But you either pay $20/month extra, or $249 for a USB stick. So, the lower certificate price is offset by the cost of the delivery method.
OK, thanks. I thought there might be a catch. I think the USB stick is something you only have to pay for once though (so when you renew, it should be cheaper). Currently, I use ksoftware. I think they probably offer the cheapest way to buy outright.
Paul Sanders. If I had more time, I would have written a shorter letter - Blaise Pascal. Some of my best work is in the undo buffer.
-
If you have a business identity, the new Azure Code Signing service is a viable alternative. A single CLI command and it signs your code. No certs-on-USB-stick craziness. Azure Code Signing, democratizing trust for developers and consumers - Microsoft Community Hub
Lance => Microsoft MVP | https://dvlup.com
-
The verification part is quite extensive, if done properly. My previous employer had code signing certificates: the issuer demanded lots of official documentation as proof that the company was the one it claimed to be, it required phone numbers that they could call to reach specific persons and ask them for a secret password, etc. Lots of this verification could not be automated, but required a lot of manual work. You are not paying for the USB stick, but for the work of verifying that you are you. (They may have been doing a lot of checks that you never noticed or knew about.) Maybe there are certificate authorities that are a lot more sloppy/lenient in their verifications. But as an authority, they have a great responsibility, comparable to that of a passport office. Your passport is proof of your identity, guaranteed by the passport office. The code signing is proof of the code's source, guaranteed by the certificate authority. An email certificate doesn't prove much: it proves that the mail originates from whoever received the certificate sent to the address someone@somedoma.in. Nothing about the person, organization etc., only the mail address, which is implicitly verified by the certificate being sent to this email address. All of this can be done automatically, with no manual operations. So an email encryption certificate should be very cheap, or free.
-
Probably includes insurance to cover some amount of damage made.