Code signing certificate rip OFF!

It's coming up to renewal time for the Codematic code signing certificate. I have been with Thawte the past few years – but that is going to change!

When I bought the last one 2 years ago it was 320 USD.

Exactly the same thing today costs 500 USD.

That's over 50% inflation over 2 years!!

Now I know the price of cattle feed has shot up, fuel has shot up and real inflation for most people is in double figures, but what source material has caused this price hike?

Oh, I know, is it because we are being forced more and more into using them, so more people need them? Basic economics, right? Increased demand = increased price. For scarce resources maybe, but this just looks like blatant profiteering to me and abuse of market dominance (Thawte is now owned by Verisign). Have you got any better suggestions for what is going on?

I can live with paying 250 quid, but I hate being shafted and that's just what this feels like. So I'm on the hunt for a decent code signing certificate supplier, any ideas/recommendations?

Does everyone else sign their code?



21 Responses to “Code signing certificate rip OFF!”

  1. jonpeltier Says:

    >>Does everyone else sign their code?


  2. Ken Puls Says:

    No, although I use SelfCert for my own stuff.

  3. Marcus Says:

    No – don’t sign my code either

  4. Stephen Bullen Says:

    Does ANYone else sign their code? I got caught up with the whole code-signing thing when it started, but found it much more hassle than it’s worth and I’ve never had anyone complain about my code not being signed now!

  5. Bob Phillips Says:

    I’m with the majority Simon, I don’t sign my code.

  6. Ross Says:

    You and Dennis, and one bloke from Microsoft.

  7. Henrik Dürr Says:

    Hi Simon,

    What kind of code are you about to sign?

    If you are looking for a cert. that can be used for signing .exe, .dll, .class, .cab, .ocx (ActiveX) files for Windows, I can offer you a 2-year cert. for USD 320.

    Just drop me an email, and I will send you the link where you can apply for the cert.


    Henrik –

  8. Simon Says:

    Stephen – most of the stuff on codematic is signed with a cert that expired in 2006 and I've never had a complaint either. (1 person questioned it actually) (and some of it says it's signed but isn't and warns people to get in touch if their download is not signed – no one ever does)

    In fact signing is so rare I think people are scared when they see the 'do you trust this publisher' dialog as they have never seen it before.

    I thought the whole Vista thing was encouraging us to sign stuff? (having tried it for 2 mins and finding it almost as annoying as Excel 2007 I obviously don’t use Vista myself)

    I know the Excel world is really not interested in security, I just can’t decide whether to go with the flow or push it.

    Thanks for the offer Henrik

    Ross, I bet you are right about the single bloke at MS; I reckon you would have to jump through some serious hoops to get a shot of their cert.

  9. Nick Hebb Says:

    I do. Yes, it's a racket, but since I sell a downloadable COM add-in for Excel, I think it's important. In fact, I sign both the DLL and the setup file.

    I use a Comodo cert, which are cheaper ($99/yr):

  10. Biggus Dickus Says:

    With Trusted Locations in O2007 I have even more reasons never to sign my code :-) …… Never have. Waste of time. If they want it signed they better call some other anal retentive developer.


  11. Simon Says:

    Can you import those Comodo certs to sign VBA from within the VBAIDE?
    Does it come as a .pvk and .spc?
    Even if not I think that sounds like the one for me.

    Dick are you sending me all your anally retentive potential customers?
    (I’ve had some funny calls recently!)

  12. Nick Hebb Says:

    Simon – just to clarify, I've never signed VBA files, only DLLs and EXEs.

    IIRC you have to create a pfx file first. Then download pvkimprt from MS and use that to import the private key into the certificate store. After that the cert file can be selected within the VBAIDE.
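An added example (not code from the post or any commenter) covering the two practical points raised above: getting the key into the Windows certificate store before signing, and keeping a signature usable after the certificate itself expires. It assumes a PFX already exists; the file paths and the timestamp URL are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Import a code-signing PFX into the
# CurrentUser\My store (the store the VBA IDE and signtool pick certificates from),
# sign an artefact with a timestamp, then verify what a customer would see.
param(
    [string]$PfxPath      = 'C:\certs\codematic-signing.pfx',      # placeholder path
    [string]$Artifact     = 'C:\build\MyAddin.xll',                # placeholder path
    [string]$TimestampUrl = 'http://timestamp.example.invalid'     # placeholder: your CA's Authenticode timestamp URL
)

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import private key + certificate into the user's personal store.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# 2. Select the cert by thumbprint and insist on the code-signing EKU,
#    so an SSL or e-mail cert that happened to be in the PFX is not used by mistake.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $cert) { throw 'Imported certificate is not a code-signing certificate.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 3. Sign with a countersigned timestamp. Without one, the signature stops being
#    trusted the day the certificate expires; with one, it stays valid as long as
#    the cert was valid at signing time.
$null = Set-AuthenticodeSignature -FilePath $Artifact -Certificate $cert `
    -TimestampServer $TimestampUrl -HashAlgorithm SHA256

# 4. Verify and report the fields the 'do you trust this publisher' dialog is built from.
$check = Get-AuthenticodeSignature -FilePath $Artifact
[pscustomobject]@{
    File        = $Artifact
    Status      = $check.Status                      # Valid, NotSigned, HashMismatch, ...
    Signer      = $check.SignerCertificate.Subject
    Expires     = $check.SignerCertificate.NotAfter
    Timestamped = [bool]$check.TimeStamperCertificate
}
if ($check.Status -ne 'Valid') { throw "Signature check failed: $($check.StatusMessage)" }
```

Run the last two steps on their own against an old release to see whether an expired certificate still verifies; a file signed without a timestamp will report a non-Valid status once the cert's NotAfter date has passed.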

  13. Simon Says:

    Cheers Nick
    So I'm the only one here who signs their xlas?

    But even if I drop into line on that I'll still want to sign xlls – it's looking like Comodo at the mo.

  14. JP Says:

    I sign my stuff, but usually only for myself (to avoid the security prompts). But if I write code for someone else, I’ll have them self-sign it on their own computer so it won’t prompt them when they run it on their own.

    I’m not familiar with the laws in your country, but can’t you write off the code signing cert as a business expense?


  15. Simon Says:

    Oh yeah, it's a business expense, no bother there, and I am happy to have one and use it. I just don't like feeling like I'm being ripped off. And that is exactly what is happening here.

    For a new sign up they have to validate you are who you say you are – that takes time and effort. Fair enough. For a renewal they are just collecting from the same credit card so their cost/effort is minimal (checking I still am who I said I was last time). Why would it go up from 320 to 500 on renewal except they are screwing devs over?

    Anyway Comodo seems to offer the exact same thing for a much more realistic cost so I’ll go with them from now on

  16. Dennis Wallentin Says:

    Simon – Let us know how it goes with Comodo.

    Ross – You’re right ;)

    Kind regards,

  17. John Walkenbach Says:

    I sell a commercial add-in. For a period of about one year, I signed my code. Then I realized that it’s a big scam and stopped doing it.

    I haven’t received a single complaint about being “untrusted.”

  18. Mike Danese Says:

    FYI to all,
    Common scenario – you have an unsigned applet (Java) or unsigned ActiveX plugin served from a http/https url. Client browsers will get an ominous warning regarding potentially malicious code – no way around this. Now, maybe you have just a few clients and can therefore request that they ignore the warning since the warning will include a reference to you/your-company and they know and trust you (e.g. John W. herein). Most would agree, this is not a great solution.

    I do agree code-signing certs are a rip-off.

    One alternative I have been watching for several years, but have not followed up on with active
    A great idea here. Needs mass adoption to succeed, but it just might.

  19. fxp Says:

    Don't sign my stuff since I work for clients and they don't care. Signing is for anonymous developers whom clients don't know. Signing could have been a good thing, but its implementation is a rip-off. You are right about the cost, it is all profit after the first year for Thawte. They should develop a tiered pricing scheme based on volume or revenues and cut developers a break.

  20. Leo Says:

    I’m a Mac developer but now forced to get a code signing certificate for a non-Apple project. Apple charges $99/yr for the entire developer program which includes their certificate.

    As I look at the pricing of all those ‘authorities’ now (VeriSign, Comodo etc.) – they’re the biggest bunch of parasites and extortioners ever. We, developers, should really boycott those scoundrels. A one-time fee of $30 is the best they deserve for their ‘services’, if even.

  21. Dave Wain Says:

    Code signing merely requires managing a public-private key pair, which should not cost any more than standard SSL. Yet another Java rip-off…
