Obtaining cheap EV/OV certificates & signing your application

You can publish your application on your website. However, Microsoft SmartScreen will not like it at all if the application is not signed. This is how your application looks when it is signed and when it is unsigned:

(Image: EV OV certificate)

Signing your application can cost as much as $800 per year, but with some research you can also find cheaper sellers. I did the research for you; here are the cheapest sellers. Prices are for EV (Extended Validation) Code Signing Certificates unless otherwise specified, cheapest sellers on top:

SSL.com

https://www.ssl.com/certificates/ev-code-signing/buy/
$249/Year (3 years)

KSoftware.net
OV: $219/year (for 3 years)
EV: $285/year (for 3 years)
+$130 hidden fee (under the pretext of USB stick shipping; note that other companies deliver this electronically).

LeaderSsl.de

https://www.leaderssl.de/en/lead/new?days=1095&product_id=42
EV: 3 years = 416 € (+19% VAT)
OV: 69 € +VAT

sklep.certum.pl

https://shop.certum.eu/certum-ev-code-sigining-code.html
EV: 3 years = 749 €
(seems to be for Poland users only)

Codesigning

https://codesigningstore.com/code-signing/gogetssl-ov-code-signing

EV: 3 years = $963 + shipping
OV: 3 years = $585 + shipping

Sectigo.com
1 Year $499 USD
3 Year $897 USD

GlobalSign.com
1 Year $410 total
2 Years $760 total
3 Years $950 total

Digicert.com
1 Year: $600 (it was $104)
3 Year: ?

Symantec.com
1 Year: $700
3 Years: ridiculously expensive

AboutSSL
They link to other providers, sometimes providing a fake discount.

Offers no OV certificates.

More prices here:
cheapsslsecurity.com CodeSigning EV
cheapsslsecurity.com SSL only!

If you find cheaper prices, let me know, and I will update the list!


EV vs OV

Purchasing an OV certificate is much simpler and requires fewer documents and verification steps.

For an EV certificate, nine additional steps are required, including verifying your business's public phone number, length of time in business, registration number and jurisdiction, as well as a domain fraud check, a contact blacklist check and a telephone call to authenticate the employment status of the requestor.

However, an EV certificate gives your application instant trust/authority, while with an OV certificate your application builds this trust over time as more and more users download it. Some recommend submitting a program signed with an OV certificate to Microsoft to be checked with their antivirus in order to acquire that trust faster.

My purchase

I purchased from SSL.com an EV. Some years later I purchased an OV from KMsoftware. SSL and KmSoftware are only intermediaries. In the end, you actually purchase from Comodo (Sectigo). Sectigo is veeeeerrry slow. The second time, the verification took two full months. The phone verification failed multiple times. Everything was cumbersome. The tech support didn’t have a clue about what was going on, probably just a guy in Pakistan reading through some script.

The first eToken was sent on a USB smart card/eToken reader device. This was difficult to handle and use. So, stay away from sellers that force you to buy a reader.

The second one was sent by email. No reader electronic device was needed to access this second certificate.

How to use the certificate?

To sign my exe files, I used MS signtool.exe. For this you will need to download the bloated MS Windows SDK, which weighs a whopping 1 GB. FORTUNATELY, you don’t have to install it. Just open the ISO and extract “Windows SDK Signing Tools-x86_en-us.msi”. It is a mere 400 KB.

Then I built this tiny script file:

prompt $
@echo off
cls
rem keep an unsigned backup of the original file
copy "my.exe" "my.bak.exe"
rem sign with the PFX certificate and a SHA-256 file digest (no timestamp server is given here, so the signature stops validating once the certificate expires)
"c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /f MyCertificate.pfx /p MyPassword My.exe
pause

To check if the file was signed correctly, use this script:

prompt $
@echo off
cls
rem /pa uses the default Authenticode verification policy
signtool.exe verify /pa MyExeFile.exe
if %ERRORLEVEL% GEQ 1 echo This file is not signed.
pause

which should return this:

Successfully verified: MyExeFile.exe

To check whether your digital certificate is in place, right-click the exe file and then choose Properties -> Digital Signatures.
You can also upload your exe file to VirusTotal and check their analysis. It should say: “The file has authenticode/codesign signature information.”
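The signtool and VirusTotal checks above both rely on the PKCS#7 blob that signtool embeds in the PE file's "security directory". As an added example (not part of the original post), the following Python script locates that blob by parsing the PE headers itself, which lets you audit a batch of release files for missing signatures without the Windows SDK. It reports presence and location only, not validity; the sample PE image and the placeholder payload are constructed here for demonstration.

```python
import struct

SECURITY_DIR_INDEX = 4               # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
SAMPLE_PKCS7 = b"constructed PKCS#7 placeholder"   # not a real signature


def authenticode_blob(data):
    """Return (offset, size, cert_type) of the embedded Authenticode
    signature, or None if the PE file carries no signature at all."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                          # skip 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                         # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                       # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIR_INDEX:
        return None
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    if off == 0 or size == 0:
        return None
    if size < 8 or off + size > len(data):
        raise ValueError("security directory is truncated")
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)  # WIN_CERTIFICATE
    if length > size:
        raise ValueError("WIN_CERTIFICATE length exceeds directory size")
    return off, size, cert_type


def build_sample_pe(pkcs7=None):
    """Constructed minimal PE32+ image (headers only) used as sample input."""
    img = bytearray(64)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)                      # e_lfanew
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # COFF header
    opt_start = len(img)
    img += bytes(240)                                          # PE32+ optional header
    struct.pack_into("<H", img, opt_start, 0x20B)
    struct.pack_into("<I", img, opt_start + 108, 16)           # NumberOfRvaAndSizes
    if pkcs7 is not None:
        blob = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        struct.pack_into("<II", img, opt_start + 112 + 8 * SECURITY_DIR_INDEX, len(img), len(blob))
        img += blob
    return bytes(img)
```

Run it over a real signed build with `authenticode_blob(open("My.exe", "rb").read())`; a result of None means signtool never wrote a signature, while a ValueError points at a damaged file.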

What happened after signing my EXE file?

So, I finally signed my EXE file. What happened after that? Nothing… On Win10 I kept seeing the same “untrusted” window with the “Don’t run” button for a while. The “Continue” button was still invisible. My program had about 400 downloads per day. Later I downloaded my own program and realized that Windows was not showing the warning anymore. Unfortunately, I didn’t track exactly when that happened.

Read more about this in my books.
