Free Code Signing Certificate — Is It Possible?


Some things in life are free… but code signing certificates aren’t among them

Everyone wants to get stuff for free: Free food, free entertainment (remember Napster?), and even free code signing. However, much like legitimate MP3s, code signing certificates aren’t free (at least, not trustworthy ones). And if anyone says that they can get you a free code signing certificate, run the other way.

Simply put, a “free code signing certificate” is an untrusted — and untrustworthy — code signing certificate. It’s something that every reputable software developer or publisher should avoid. Here’s why.

Why Can’t I Get a Code Signing Certificate for Free?

But why isn’t there free code signing? After all, there are free SSL certificates, right? True. There are free DV SSL certificates that some organizations issue — but that doesn’t mean they’re necessarily a great thing.

“Free” SSL certificates aren’t truly free because they make you pay in other ways (shorter lifespans, certificate management headaches, lack of support, lack of site identity, etc.). Also, they require only the most basic level of validation — domain validation (DV). This process entails binding a public/private key pair to your website to transfer data via the secure HTTPS protocol without asserting any real identity or trust.

Asserting trust and identity requires organization validation (OV) or extended validation (EV) capabilities. With code signing, there is no DV-equivalent. And considering that more than half of phishing websites use free SSL certificates — free DV SSL certificates — it isn’t exactly the kind of example that you want to point to when supporting the idea of why something should be free.

Getting into the Nitty-Gritty of Why Free Code Signing Doesn’t Exist

When it comes to the issue of free code signing and why it’s not possible, it really boils down to compliance, reputation, and economic considerations. Getting your software signed and trusted by a certificate authority (CA) is a very powerful thing. If a trusted CA signs off on your software, then the major browsers will trust your software. This means that security systems like Microsoft’s SmartScreen filter won’t kick up a warning that informs users about the potential dangers of untrusted software.

As a certain superhero’s late uncle liked to say: With great power comes great responsibility.


For a CA to have this kind of power, it needs to meet certain social and technical trust criteria and expectations. This is where CAs’ root certificates and certificate trust chains come into play. But the SSL certificate chain is a whole other technical conversation for another time — thankfully, one we’ve already covered in a previous article.
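The practical difference between a certificate from a trusted CA and a “free” one shows up the moment Windows builds the chain. The following added example (not from the original article) uses PowerShell’s Get-AuthenticodeSignature and the .NET X509Chain class to report a file’s signature status and whether its chain ends at a root in the machine’s trust store; the file path and the hypothetical function name are assumptions.

```powershell
# Added example: classify an executable's Authenticode signature and report
# whether its signer chain terminates at a root Windows already trusts.
function Test-CodeSigningTrust {
    param([Parameter(Mandatory)][string]$Path)   # path is an assumption

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File         = $Path
        Status       = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        StatusText   = $sig.StatusMessage
        Signer       = $null
        Root         = $null
        ChainTrusted = $false
        Timestamped  = [bool]$sig.TimeStamperCertificate
    }

    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject

        # Build the chain against the local trust stores, requiring the
        # Code Signing EKU (1.3.6.1.5.5.7.3.3); revocation checking is skipped
        # so the example also works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $oid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
        $chain.ChainPolicy.ApplicationPolicy.Add($oid) | Out-Null

        # A self-signed or otherwise untrusted "free" certificate builds a chain
        # that ends at a root the trust provider does not know: Build() returns
        # $false and ChainStatus carries UntrustedRoot.
        $result.ChainTrusted = $chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
        $result.Root = $last.Certificate.Subject
        if (-not $result.ChainTrusted) {
            $result['ChainErrors'] = ($chain.ChainStatus |
                ForEach-Object { $_.Status }) -join ', '
        }
    }

    [pscustomobject]$result
}

# Usage (path is a placeholder):
# Test-CodeSigningTrust -Path 'C:\Downloads\setup.exe' | Format-List
```

A signature from a CA-issued certificate reports Status Valid and ChainTrusted True; one made with a self-signed certificate still verifies cryptographically but reports UnknownError with UntrustedRoot, which is the same condition that triggers SmartScreen’s warning.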

To get back to the point: If just anyone could get a code signing certificate without any sort of vetting, imagine the chaos it would create, not to mention the reputational damage to the CAs. That’s why a certain level of vetting is required before a certificate is issued: to avoid certificate abuse and key mismanagement, and to create barriers that keep bad actors from obtaining code signing certificates.

But, like many things in life, basic and extended business vetting isn’t free. CAs, the organizations that are responsible for issuing code signing certificates, can’t just hand out free code signing certificates. After all, they want to make sure not only that your company is legit but also that they have a “CYA” paper trail to protect them (you know, just in case you decide to engage in shady business later).

As you can imagine, there are costs involved with vetting your company before they issue any code signing certificates. These costs include:

  • Employing and training staff to conduct validations;
  • Documenting everything — and we mean everything;
  • Performing regular audits; and
  • Maintaining logs of every certificate issued.

There’s a lot of work and responsibility involved in these tasks, and these processes require a fair amount of time and money.

So, to summarize: No, there aren’t any legitimate free code signing certificates from trusted CAs. And considering that the whole point of code signing is about creating trust, it would kind of defeat the whole purpose of using one that doesn’t do that.
