-
Code-signing certs: June 1 deadline reminder
It's Coming!!!
Sectigo is offering a "bargain" (not nearly as good as SetupBuilder's)
to help the transition to hardware key storage.
Even if your certificate still has some time left on it, it's worth
considering renewing it (with SetupBuilder prices) prior to the
hardware requirement that begins on June 1.
As if code-signing certs weren't already enough of a
pain-in-the-asterisk
The "bargain": https://sectigo.com/ssl-certificates...gning-campaign
From Sectigo's website:
> What is Changing?
>
> As of June 1, 2023, all Code Signing Certificates must comply with the new CA/B Forum regulations to ensure that the subscriber’s private key is generated, stored, and used in a suitable FIPS-compliant hardware.
>
> We recognize this requires customers to commit to a heavy lift. Between now and April 24, 2023, you can purchase Sectigo OV Code Signing certificates and lock-in the use of software-based Code Signing certificates for the next three years and will not be required to switch to a hardware-based token during that time. At the end of your 3-year certificate, Sectigo will ship a free FIPS-compliant token with an extra 12 months of OV Code Signing Certificate validity to you.
-
Re: Code-signing certs: June 1 deadline reminder
On 29 Mar 2023 18:26:04 -0400, Kelvin Chua wrote:
Hi, Kelvin,
I renewed mine in January. It was a REAL PAIN this time.
I was going to write up the experience; but because everything will
change in a couple of months decided it wasn't worth the effort.
I did, however, explain here what I needed to do:
https://clarionhub.com/t/codesigning...5802/16?u=jane
You should put in a ticket and push them. Things will not happen
automatically.
jf
>I placed my order with Comodo on Friday, 10 March, 2023 - 05:46:53 PM
>under discount offered by SetupBuilder.
>
>Until today, I have not received my certificates.
>
>Thanks.
>
>Kelvin Chua
>SINGAPORE
>
-
Re: Code-signing certs: June 1 deadline reminder
Hi Jane,
I submitted 3 tickets so far, no one responded at all.
I will try to purchase other certificates next time, it is really hell
to me; they simply don't bother at all.
Thanks.
Kelvin Chua
SINGAPORE
-
Re: Code-signing certs: June 1 deadline reminder
Kelvin,
Did you try telephoning them? I phoned them multiple times. Don't
try on weekends because you'll probably get somebody who can't do
anything.
I think this is the number I used:
International: +1 (914) SECTIGO (732-8446) and then press the option
for "order validation".
jf
-
Re: Code-signing certs: June 1 deadline reminder
Hi Jane,
Will try calling them tonight.
Thanks.
Kelvin Chua
SINGAPORE
-
Re: Code-signing certs: June 1 deadline reminder
Did you get your certificate, Kelvin?
Jane Fleming
-
Re: Code-signing certs: June 1 deadline reminder
Hi Jane,
On 3/29/2023 15:52 PM, Jane Fleming wrote:
> Sectigo is offering a "bargain" (not nearly as good as SetupBuilder's)
> to help the transition to hardware key storage.
Is that the $498 with up to 29% off with multi-year? And $40 for
"standard shipping"? So what does it take to start a code signing
certificate business? Most lucrative "business" on the planet these days!
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Code-signing certs: June 1 deadline reminder
And... no one answers emails... no cost!
Kelvin Chua
-
Re: Code-signing certs: June 1 deadline reminder
So you bought the 4 year certificate at $798, is that correct?
And thanks for the info.
Ray Rippey
VMT Software
On 3/29/2023 1:52 PM, Jane Fleming wrote:
> FIPS-compliant hardware.
-
Re: Code-signing certs: June 1 deadline reminder
NO!!
I bought the $200 three-year SetupBuilder certificate in January (no
hardware token).
Just reminding people that the no-hardware option will shortly
disappear :-(
jf
-
Re: Code-signing certs: June 1 deadline reminder
On 05/04/2023 17:28, Lee White (Lodestar Software) wrote:
> Andre,
>
>> If what you listed is taking you five
>> years to develop, with respect, something is wrong somewhere.
>
> WOW! You don't have any ongoing projects?!
No bespoke projects here. But our main project is for the vertical
market that has been ongoing for 40 years with a new build each week
that includes new functionality. But it does not take five years to
include functionality that can take weeks or perhaps even days or hours.
And that was my point.
>> RDP protocol is a major security risk.
>
> I've done tons of work on client servers using RDP. Granted it was
> also across a VPN but who doesn't use one of those these days?
Folk who have moved on from this and now use web apps and native mobile
apps using soap and rest services. In many cases VPN's [also not secure
enough] have proved painfully slow and problematic - a last resort.
Really, the world at large has moved on from desktop ONLY. And count
yourself lucky if you have not yet had RDP or VPN hacked. It is a
favorite point of intrusion.
I still do client work on their servers using RDP and VPN but the
protocol should preferably not be used for end user access.
Andre Labuschagne
-
Re: Code-signing certs: June 1 deadline reminder
Andre,
> > WOW! You don't have any ongoing projects?!
>
> No bespoke projects here. But our main project is for the vertical
> market that has been ongoing for 40 years with a new build each week
> that includes new functionality. But it does not take five years to
> include functionality that can take weeks or perhaps even days or hours.
> And that was my point.
But you missed mine or else that project has taken over 40 years to
complete.
I've never ever seen a software project that was ever complete. If it
wasn't an ongoing process it would falter and become useless. This was
in reply to your reply to Arnor and the project he's still moving
forward even after 5 years.
> >> RDP protocol is a major security risk.
> >
> > I've done tons of work on client servers using RDP. Granted it was
> > also across a VPN but who doesn't use one of those these days?
>
> Folk who have moved on from this and now use web apps and native mobile
> apps using soap and rest services. In many cases VPN's [also not secure
> enough] have proved painfully slow and problematic - a last resort.
> Really, the world at large has moved on from desktop ONLY. And count
> yourself lucky if you have not yet had RDP or VPN hacked. It is a
> favorite point of intrusion.
>
> I still do client work on their servers using RDP and VPN but the
> protocol should preferably not be used for end user access.
You missed my point. I've worked on projects on a client's server where
they wanted everything to remain local during production. I, and many
other Clarion developers, working in tandem on the same project. Not
referring to a finished program running anywhere although that project
was for desktop use since their clients didn't need nor want anything
other than desktop.
The entire world has NOT moved away from desktop! Your customer base
may have but I do desktop only work and the lights are still on!<g>
--
Lee White
RPM Report Preview: http://www.cwaddons.com/products/rpm/
Creative Reporting: http://www.CreativeReporting.com
Hydrogen, the only CLEAN fuel and the future of clean air.
-
Re: Code-signing certs: June 1 deadline reminder
I don't understand the argument; it's like two brain surgeons
arguing who has the better tools. The solution is the advantage,
not the tools.
--
John de la Torre
CA, USA
"Lee White (Lodestar Software)" <svng_REMOVE_THIS_@_AND_THIS_lodestarsoftware.com> wrote in message:
> Andre,
> > WOW! You don't have any ongoing projects?!
> > No bespoke projects here. But our main pr
-
Re: Code-signing certs: June 1 deadline reminder
John de la Torre,
> I don't understand the argument; it's like two brain surgeons
> arguing who has the better tools. The solution is the advantage,
> not the tools.
Andre mentioned 5 years to write a solution, I simply pointed out
that, knowing Arnor, it was an ongoing project being updated over a 5
year period, not that it took 5 years to complete.
Personally I don't have a preference what others use or how fast they
can create programs or what platform their products are aimed for. I
just know I have a preference for desktop applications which are the
preferred targets for the contracts I've had over the years. And, yes,
I prefer Clarion since it does everything I need and creating viable
programs is fast.
No arguments, just opinions between developers.
--
Lee White
RPM Report Preview: http://www.cwaddons.com/products/rpm/
Creative Reporting: http://www.CreativeReporting.com
Hydrogen, the only CLEAN fuel and the future of clean air.
-
Re: Code-signing certs: June 1 deadline reminder
I'm not sure what is happening. It made me change my password, then I
logged in. Then it only gives me an option for 3 years and is $519.00. I
must be missing something. Also I guess I have to get my certificate
using IE. I guess I'm not getting the discount.
Ray Rippey
VMT Software
-
Re: Code-signing certs: June 1 deadline reminder
On 05/04/2023 19:28, Lee White (Lodestar Software) wrote:
> The entire world has NOT moved away from desktop! Your customer base
> may have but I do desktop only work and the lights are still on!<g>
Present continuous tense - they are moving ever more off LANs and WANs
and into the cloud. Yes, there are some industries that are lagging but
in the end resistance is futile. The great thing about AS is that you
can write for the desktop and only serve the app in a browser. You get
the best of both worlds.
Projects are never complete. You are either in a bespoke or vertical
market. In either case the project is never complete. This applies to
all software including operating systems etc.
Andre Labuschagne
-
Re: Code-signing certs: June 1 deadline reminder
Hi Jane,
On 3/30/2023 14:36 PM, Jane Fleming wrote:
> Just reminding people that the no-hardware option will shortly
> disappear :-(
When I go via Lindersoft, it shows the price for 3 years at $200. But
when I log in, it shows the 3 years at $519. So I think that ship may
have sailed already. This is what I see on the Lindersoft site:
When I click on Order Now, I get this:
If I hit the order button there, using MS Edge, I get:
So, I think the ship of digital certificates has sailed at Sectigo (who
comes up with names like that - sounds like a bug!<g>)
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Code-signing certs: June 1 deadline reminder
Hi Ray,
On 3/30/2023 16:01 PM, Ray Rippey wrote:
> I'm not sure what is happening. It made me change my password, then I
> logged in. Then it only gives me an option for 3 years and is $519.00.
> I must be missing something. Also I guess I have to get my certificate
> using IE. I guess I'm not getting the discount.
Same here. See my reply to Jane. I think this ship has sailed. I'm
good until November so I'll start saving up<g>
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Code-signing certs: June 1 deadline reminder
These people say Sectigo raised prices on March 7:
https://www.thesslstore.com/blog/cod...0from%20%24179.
Jane Fleming
-
Re: Code-signing certs: June 1 deadline reminder
> Same here. See my reply to Jane. I think this ship has sailed. I'm
> good until November so I'll start saving up<g>
I think it is time to start delivering web apps that can run in a browser
or on a mobile device and just be done with desktop apps or app store/play
store apps.
One code base and none of the code signing, hardware BS, AV problems, etc.
Like the sage wisdom from "War Games" the only way to win is not to play!
Besides the next generation of computer users is not smart enough to know
the difference anyway!
:-)
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProDocument, ImageEx, ProScan, ProImage, ProPath
and other Clarion developer tools!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
-------------------------------------------------------------------------------------------------------
-
Re: Code-signing certs: June 1 deadline reminder
I still don't understand the benefits of certificates! Maybe
hackers can buy certificates, too. Or they can hack other valid
certificates. Is this some kind of legitimate extortion; an
extortionware?
--
John de la Torre
CA, USA
-
Re: Code-signing certs: June 1 deadline reminder
798/4 is 199.50, 519/3 is 173.00.. $26.50 difference per year. So I
think I'm going the $798 route for just a little more money, and I get
the hardware usb in year 4. My current certificate expires in August, so
might as well get it done now.
Not sure what the link is, but I did see where Sectigo bought ComodoCA.
Once they get a monopoly all bets are off and we get raked over the
coals with no place else to go I guess. Still, a couple hundred a year
isn't too bad.
I'm with Arnor, these guys are making a good living.
Ray Rippey
VMT Software
-
Re: Code-signing certs: June 1 deadline reminder
Hi Ray,
On 3/31/2023 14:47 PM, Ray Rippey wrote:
> 798/4 is 199.50, 519/3 is 173.00.. $26.50 difference per year. So I
> think I'm going the $798 route for just a little more money, and I get
> the hardware usb in year 4. My current certificate expires in August,
> so might as well get it done now.
Where did you see 798/4? I only saw the $519 for 3 years... 798 for 3
milliseconds of computer time and 5 milliseconds to write it to USB then
pay $40 to have said USB shipped.... Yeah, not bad business model<g>
Allegedly they do some checking, but I knew a guy who worked at Comodo
and his comment on it was that "none of us know what we are doing or
supposed to be doing". That gave me a really fuzzy and warm feeling
about code signing companies<g> In my experience if I just ignored
their requests they got tired of me and sent me the certificate. In one
case they sent it to me and the day after 2 or 3 different people
emailed me for additional information. Sorry guys, you slept through
that one!<g>
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Code-signing certs: June 1 deadline reminder
The $798 was on the Sectigo website if you purchase 4 years worth, you
can have the software certificate for 3 years, then the dongle on the
4th year included. But, my understanding is you have to order before
April 23, as that is the last time Certificates can be purchased as
software... after that you have to go with the dongle. So if you wait
until November, then you have to get the dongle.
When I first got my first certificate it was a real PITA. I had to
establish a Dun and Bradstreet record, show my business license, get a
phone call. With Sectigo I think we're starting all over with the
verification again. I figure once I'm verified with them, it's just a
matter of money after that. I never had trouble with Comodo after the
first time... I hope it's like that with Sectigo. I guess the comment
from Comodo is why they had to sell out?
I know one thing for sure, if my potential customers download our demo
and it gives a warning about possible malicious software because it's
not code signed, I lose a lot more money than this certificate costs.
Ray Rippey
VMT Software
-
Re: Code-signing certs: June 1 deadline reminder
Hi Ray,
On 3/31/2023 16:36 PM, Ray Rippey wrote:
> Comodo after the first time... I hope it's like that with Sectigo. I
> guess the comment from Comodo is why they had to sell out?
Wouldn't surprise me!
> I know one thing for sure, if my potential customers download our demo
> and it gives a warning about possible malicious software because it's
> not code signed, I lose a lot more money than this certificate costs.
Absolutely! It's not like we have a choice if we want to stay in this
business! There used to be a word for this... Yes, extortion!<g>
BTW: How DO you get the software certificate? Do you have to use IE,
or how does that work now?
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Code-signing certs: June 1 deadline reminder
Hi Charles,
1. I tested out .NET MAUI. Well... a bit slow in running.
2. Subsequently tested blazor. Fast but utilizes plain
html/javascript/css for display and doesn’t have any out of the box
components aside from what comes with the default app template.
3. Taking course on flutter and dart now. Flutter utilizes material
design, and comes with a ton of nice looking widgets. Flutter is the
platform and dart is the language. It is fast.
Thanks.
Kelvin Chua
SINGAPORE
On 4/1/2023 6:55 AM, Charles Edmonds wrote:
> On 31 Mar 2023 11:44:42 -0400, Arnor Baldvinsson wrote:
>
>> Same here. See my reply to Jane. I think this ship has sailed. I'm
>> good until November so I'll start saving up<g>
>
> I think it is time to start delivering web apps that can run in a browser
> or on a mobile device and just be done with desktop apps or app store/play
> store apps.
>
> One code base and none of the code signing, hardware BS, AV problems, etc.
>
> Like the sage wisdom from "War Games" the only way to win is not to play!
>
> Besides the next generation of computer users is not smart enough to know
> the difference anyway!
>
> :-)
>
> Charles
>
-
Re: Code-signing certs: June 1 deadline reminder
And then you need to buy https certificates.
--
John de la Torre
CA, USA
-
Re: Code-signing certs: June 1 deadline reminder
> 1. I tested out .NET MAUI. Well... a bit slow in running.
Thanks for the report!
> 2. Subsequently tested blazor. Fast but utilizes plain
> html/javascript/css for display and doesn't have any out of the box
> components aside from what comes with the default app template.
I've heard that about it too.
> 3. Taking course on flutter and dart now. Flutter utilizes material
> design, and comes with a ton of nice looking widgets. Flutter is the
> platform and dart is the language. It is fast.
What are you using (or planning on using) for the database/backend?
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProDocument, ImageEx, ProScan, ProImage, ProPath
and other Clarion developer tools!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
-------------------------------------------------------------------------------------------------------
-
Re: Code-signing certs: June 1 deadline reminder
I'll let you know. I just spent the $798... but on a Friday I won't
pursue it until Monday. I know I'm starting over for business
verification... so I've got to get that done before I get my
certificate. I'm curious if they need IE as well. I don't think I have
it on my Windows11 computer. Should be interesting. I just spent a
crapload of money with these people, I'm going to hold their feet to the
fire.
Ray Rippey
VMT Software
On 3/31/2023 3:37 PM, Arnor Baldvinsson wrote:
> BTW: How DO you get the software certificate? Do you have to use IE,
> or how does that work now?
-
Re: Code-signing certs: June 1 deadline reminder
> I still don't understand the benefits of certificates! Maybe
> hackers can buy certificates, too. Or they can hack other valid
> certificates. Is this some kind of legitimate extortion; an
> extortionware?
>
>
In the latest version of Windows 10 & 11, executables that are not code
signed cannot be run. You will have to switch off the UAC completely
and a couple of other settings...
Kelvin Chua
-
Re: Code-signing certs: June 1 deadline reminder
So clarion examples will not run unless code-signed. And the most
famous program "Hello World"?
--
John de la Torre
CA, USA
-
Re: Code-signing certs: June 1 deadline reminder
Hi John,
On 4/1/2023 10:51 AM, John de la Torre wrote:
> I still don't understand the benefits of certificates! Maybe
> hackers can buy certificates, too. Or they can hack other valid
> certificates. Is this some kind of legitimate extortion; an
> extortionware?
The Solarwinds hack was a perfect example. Russian hackers got into the
build servers and added malicious code into their code base BEFORE it
was code signed. The company essentially codesigned the hackers' code
with theirs and this way they were able to gain access to government
agencies in the US and large companies like Microsoft and anyone else of
Solarwinds' 33,000 Orion customers!
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Code-signing certs: June 1 deadline reminder
Hi Arnor,
My point exactly. Code-signing after the hack is useless since you
don't know if you already got hacked. It used to be that CRC-check
was good enough. Maybe clarion's new compiler option can take
care of that issue.
--
John de la Torre
CA, USA
-
Re: Code-signing certs: June 1 deadline reminder
So it's protection money...
--
John de la Torre
CA, USA
-
Re: Code-signing certs: June 1 deadline reminder
Hi Charles.
>> 3. Taking course on flutter and dart now. Flutter utilizes material
>> design, and comes with a ton of nice looking widgets. Flutter is the
>> platform and dart is the language. It is fast.
>
> What are you using (or planning on using) for the database/backend?
Will use firebase for the time being.
Thanks.
Kelvin Chua
SINGAPORE
-
Re: Code-signing certs: June 1 deadline reminder
$798/4 (with "free" dongle "later") was in the link in my first post -
directly from Sectigo without Friedrich's discount. Click the "Add to
Cart" button to see the 4-year option.
https://sectigo.com/ssl-certificates...gning-campaign
Jane Fleming
-
Re: Code-signing certs: June 1 deadline reminder
Hi Jane,
On 3/31/2023 15:36 PM, Jane Fleming wrote:
> $798/4 (with "free" dongle "later") was in the link in my first post -
> directly from Sectigo without Friedrich's discount. Click the "Add to
> Cart" button to see the 4-year option.
> https://sectigo.com/ssl-certificates...gning-campaign
Right! Yes, I had been there before! Sorry, this is rather confusing
stuff ;)
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Code-signing certs: June 1 deadline reminder
Hi Charles,
> I think it is time to start delivering web apps that can run in a browser
> or on a mobile device and just be done with desktop apps or app store/play
> store apps.
>
> One code base and none of the code signing, hardware BS, AV problems, etc.
That's what I have been working on for my main client for the past few
years :) He runs all his Clarion programs for the big clients via
remote desktop, but you still have to code sign them.
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Code-signing certs: June 1 deadline reminder
> I think it is time to start delivering web apps that can run in a browser
> or on a mobile device and just be done with desktop apps or app store/play
> store apps.
Hi Charles
Well, well, well.
The problem is quite simply the end user experience and especially the
deprecation of really nice functionality that is standard on the
desktop. Solutions that depend on web-based only in my view are toast.
Same with desktop only. And of course native mobile app only.
But Clarion has a cunning solution that is ever evolving - AS. Still
early days with some annoying stuff to iron out but it could be just
what the doctor ordered. In my view it solves the any device in most
circumstances for the sort of apps that Clarion programs deliver. But
it will never replace native mobile apps. Had those in production now
for about 8 years - a different concept altogether.
My guess is if you do not offer all three - desktop apps with the
desktop experience, so-called web apps and native mobile apps - you are
going to be toast, unless you are servicing an industry whose users have
not noticed the planet they are living on. Just like John Cleese's
late mother who lived through two world wars and major technology
revolutions without noticing any of it.
As for code signing - I see the benefits but it has turned into a racket
of sorts. Just been through the nightmare. Went for one year. I am
not sure that the hardware angle will pan out as they plan it to nor if
buying a certificate that spans many years will be supported after the
hardware thing is in play. I have seen this game before. There are a
few actors on the stage and they are in cahoots. Definition of a
techno-pessimist - a techno-optimist with loads of real life experience
- that is I - the singular perpendicular.
Cheers
Andre