Running the program described in the article today, I saw the following warning:
An unusual prefix, "Open source developer", is striking. In addition, a few days ago I had already seen the exact same prefix with a different name. The conclusion is that, most likely, there is some kind of program for issuing such certificates.
A simple search revealed the following:
As you know, you should not neglect security.
(If someone does not know: the digital signature of a file protects it from unauthorized changes, and the certificate certifies that the author of the signed file is you and no one else.) In the modern world it is almost impossible to come across a program from a large vendor without a digital signature. More and more of my friends are beginning to pay attention to whether the program being launched or installed carries a digital signature, because Windows displays this information (see the picture at the top of the post).
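The reason Windows can show this information is that an Authenticode signature is stored inside the executable itself, in the Certificate Table data directory of the PE header. As an added example (not code from the original post), the following Python script parses that directory and returns the embedded PKCS#7 blobs, which is the first step any verifier or inventory tool takes before checking the signature cryptographically; the minimal PE built by `build_minimal_pe` is a constructed header-only skeleton for demonstration, not a real Windows binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode uses PKCS#7 SignedData


def certificate_table(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if unsigned.

    Unlike other data directories, the 'VirtualAddress' of entry 4 is a raw
    file offset, because the signature is not mapped into memory.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        count_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+
        count_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if dir_base + 16 * 8 > opt + size_of_optional:
        raise ValueError("optional header too small for data directories")
    num_dirs = struct.unpack_from("<I", data, count_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size


def authenticode_signatures(data: bytes):
    """Walk the WIN_CERTIFICATE entries and return their PKCS#7 payloads."""
    entries = []
    loc = certificate_table(data)
    if loc is None:
        return entries
    off, end = loc[0], loc[0] + loc[1]
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append({"revision": revision, "type": cert_type,
                        "pkcs7": data[off + 8:off + length]})
        off += (length + 7) & ~7        # entries are 8-byte aligned
    return entries


def build_minimal_pe(signature_blob: bytes = None) -> bytes:
    """Constructed PE32+ header skeleton (not loadable), optionally with a
    Certificate Table pointing at an appended WIN_CERTIFICATE entry."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 112 + 16 * 8                     # PE32+ fixed part + 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    header_end = e_lfanew + 4 + 20 + opt_size
    dirs = [(0, 0)] * 16
    cert_area = b""
    if signature_blob is not None:
        win_cert = struct.pack("<IHH", 8 + len(signature_blob), 0x0200,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        win_cert += b"\x00" * ((-len(win_cert)) % 8)
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (header_end, len(win_cert))
        cert_area = win_cert
    opt = struct.pack("<H", 0x20B) + b"\x00" * (108 - 2) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    return dos + b"PE\x00\x00" + coff + opt + cert_area


if __name__ == "__main__":
    # constructed placeholder DER bytes stand in for a real PKCS#7 SignedData blob
    signed = build_minimal_pe(b"\x30\x03\x02\x01\x00")
    print("unsigned:", authenticode_signatures(build_minimal_pe()))
    print("signed:  ", authenticode_signatures(signed))
```

Presence of a Certificate Table only tells you that a signature is attached; whether it validates (hash match, chain to a trusted root, revocation via CRL/OCSP, timestamp) is a separate check that `signtool verify` or `osslsigncode verify` performs.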
On Habré, the topic of code signing has been touched upon several times: a general overview, and tips on simplifying the procedure. Not so long ago, an option from StartSSL was considered, which nevertheless requires class 2 identity verification (in StartSSL's terms), and that is already paid (unlike the free class 1 for domains).
A sum of 60-500 dollars is not a lot of money for any reasonably large company. But what about Open Source? Such projects (unless we are talking about widely known names) often do not have sufficient funding, or are developed purely on the basis of enthusiasm and other intangible values.
For such cases, you can use the offer from the Polish company Certum:
To do this, you need to register (the form is also available in Russian) and send the following documents by email:
- A copy of an ID card / passport / driver's license, etc., with the note “verified against the original”, the date and a personal signature written on the copy (see the website for details).
- The address of the product's Open Source page. The company warns that the check is made on the basis of publicly available information, so the project must be published online.
As you can see, the procedure is quite simple and does not take much time (according to the company - up to 24 hours).
The following is claimed for the certificates (only the essential items are translated; see the full version on the website):
- Simplified identification procedure
- WebTrust SM / TM Compliance
- The CERTUM root certificate is included in the trusted list of all popular browsers and Microsoft products.
- Delivery within 24 hours after inspection
- SHA1 hash (as of November 4, 2014). Most likely, SHA2 will be offered in the near future.
- Signing of .docm, .xlsm, .pptm, .xpi, .jar, .war, .ear, .exe, .dll, .ocx, .cab and .msi files.
- Free review or reissue
- The ability to store a key on a smart card
- Free time stamp
- Creation of both external and internal (embedded) signatures
- Supported products include MS Office 2000+, ToolSign.sh and OpenSSL for UNIX / Linux, Firefox, Key Manager, jarsigner and the verifier from Java JDK 1.5+, SignTool, SignCode, Visual Studio Express
- Certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) support
- Validity period: 1 year
- 24h technical support
- The recommended key length is 2048-4096 bits; the minimum is 2048 bits for RSA / DSA and 571 bits for EC (NIST K-571 and NIST B-571).
It seems that security is becoming a trend, and there are more and more non-commercial offers in various fields. I wonder what will be offered next?
UPD: the certificate is no longer free; the current price is €14.00 / €17.22 (it is not yet clear for how long the certificate is issued).
Nevertheless, it is still cheaper than the nearest competitor, StartSSL ($60).