Best Code Signing Certificate authority that will not trigger AV/Malware?


Recommended Posts

I'm an honest software engineer (they do exist, believe it or not) running my own small business, so funds are tight. I produce and create software (stand-alone desktop software). I'm researching Certificate Authorities and trying to decide which one is best in terms of NOT triggering AV software. Three I've looked at so far are:

DigiCert $500-$700/yr

Comodo $80-300/yr

Code Signing Store $83/yr

As you can see, the cost range is somewhat "odd" and does indeed raise my "trust" level. I know EV code signing certificates are less likely to trigger AV/Malware ... but I'm not coding a website; this is for stand-alone EXE/DLL files distributed via download links.

I figured this might be a good place to ask this question since I've been a long-term MalwareBytes customer.

Cheers, Rob.

  • Staff

Have you taken a look at Keybase.io?

Keybase might be a fit, though I can't confirm if it'll trigger AV/Malware. Considering it was just bought by Zoom, carries XLR and is widely recognized, it shouldn't.

Though there is some footwork there on the way to getting your key trusted.

Edited by heptagon

I wasn't able to find any "Code Signing Certificate" information from Verisign or Keybase.io.

I have used Verisign before, but that was for Web Application Development with TLS/SSL data encryption. I'm looking for "Code Signing Certificates", which go through a similar process as SSL certs, with verification of who I am and my company. BUT, Code Signing Certs are generated differently and are incorporated into the MS Visual Studio IDE via a file that I specify for my application (usually a key file, once the CA approves and provides it), which is a stand-alone desktop app, not a web app.

What I'm trying to avoid are AV products (like Norton, MalwareBytes, etc.) that will prevent my .EXE file from downloading because they can't find a legitimate CA certificate (the digital signature attached as part of my EXE) ... this is more of a support issue, but it also gives end users more confidence that my software is legit.

Cheers, Rob.

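Whatever CA Rob ends up with, the thing AV products and SmartScreen actually evaluate is the Authenticode signature embedded in the EXE: whether the hash still matches, whether the signer chains to a trusted root, and whether it was timestamped so it stays valid after the cert expires. The snippet below is an added example, not code from the thread, that checks exactly those properties on a built binary; the file path is a placeholder.

```powershell
# Added example (not from the thread): inspect what a signature validator sees on a signed build.
# Assumes the path you pass in is a signed PE file; the path at the bottom is a placeholder.
function Test-BuildSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File          = $Path
        Status        = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
        NotAfter      = $sig.SignerCertificate.NotAfter
        # Without a timestamp countersignature the signature stops validating when the cert expires.
        Timestamped   = [bool]$sig.TimeStamperCertificate
    }

    if ($sig.SignerCertificate) {
        # Build the chain the way a client machine would, including an online revocation check.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $result.ChainValid  = $chain.Build($sig.SignerCertificate)
        $result.ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $result.ChainRoot   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    [pscustomobject]$result
}

# Usage with a placeholder path; run on the machine that will ship or test the build.
Test-BuildSignature -Path 'C:\build\MyApp.exe' | Format-List
```

A `Status` of `Valid` with `ChainValid` true and `Timestamped` true is the baseline any CA's certificate should reach; if `ChainRoot` is not a root the target machines already trust, the choice of CA (not the signing step) is the problem.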

Then I would suggest the parent of Verisign, DigiCert (acquired from Symantec).  While I do not have recent information, I know that in the past malicious actors have digitally signed malware with Comodo Certs.

  • Staff
15 minutes ago, David H. Lipman said:

I know that in the past malicious actors have digitally signed malware with Comodo Certs.

Yes, because COMODO wasn't as selective or cautious about vetting their customers, unfortunately.  I've no idea what their current status is, but I do know that in the past, this was a major issue.
