Free Code Signing Certificates – Is It Really Possible?


I want to sign code for free — where can I get a free code signing certificate?

Sorry to burst your bubble, but free code signing certificates are like unicorns. They’re lovely fodder for the imagination, but they don’t exist in reality! And if you do find one, it must be fake. Beware of it!

No certificate authority offers free code signing certificates. Period.

That’s the bad news. The good news is that the situation isn’t all bleak. You can buy a cheap code signing certificate from a certificate authority (CA) or reseller. Don’t misconstrue low price as low quality, though. All commercial code signing certificates from vendors offer the same features, utility, and warranties (if any).

Resellers/vendors buy digital certificates in bulk from the certificate authorities at heavily discounted rates. That’s how they’re able to sell the certificates at a massive discount. Some sites, like CheapSSLsecurity.com, offer the cheapest code signing certificates, with discounts ranging up to 59%.

Check Out Our Cheapest Code Signing Certificates

  • Comodo Code Signing: retail price $179/year, our price $69.17/year
  • Sectigo Code Signing: retail price $179/year, our price $69.17/year
  • Thawte Code Signing: retail price $299/year, our price $116.67/year
  • Symantec Code Signing: retail price $499/year, our price $327/year

If SSL Certificates Are Available for Free, Why Aren’t There Free Code Signing Certificates?

Let’s understand the scenario with a simple real-life example:

Suppose Alice needs a roommate.

Bob, Alice’s good friend, recommends Carol. Bob says he’s checked Carol’s background, credit, and criminal records, and everything seems fine.

At the same time, Alice receives an email from a stranger named Mallory, who is looking for a room.

Now, which would be a safer choice of roommate? Obviously, Carol, because there is a trusted person — Bob — vouching for her. Mallory doesn’t have Bob (or anyone else) vouching for her and may be a great person or a criminal! Plus, anybody can make an email address with a fake name. That email might not be from Mallory at all, but it could be a criminal impersonating Mallory!

The same analogy is applicable to code signing certificates and cyber security. Here, Alice is the end user — i.e., a website visitor or user who downloads a software application. Bob represents a publicly trusted certificate authority (CA) who is trusted by users’ browsers and operating systems. Carol and Mallory represent website owners, software developers, and publishers. Carol is verified, and Mallory is an unverified, unknown software developer.

Because Bob (the certificate authority) verified Carol’s (the software developer’s) background before referring her to Alice (the end user), the chances of Carol being a criminal are pretty remote. And if something goes wrong, Bob knows his reputation is at stake.

Why CAs Matter

In real life, the certificate authorities issue thousands of digital certificates, including those for code signing. If their organization validation (OV)/extended validation (EV) digital certificates are misused, CAs (and their certificates) will lose users’ trust. That’s why CAs won’t leave any stone unturned to verify the applicant’s identity before vouching for and issuing a digital certificate to anyone. This, in a nutshell, is why they don’t offer free code signing certificates.

It all comes down to verification and security.

Code Signing Certificates Require a Comprehensive Verification Process

Let’s take a moment to compare free SSL certificates and code signing certificates for context.

An SSL certificate is available in three verification types: domain validation (DV), organization validation (OV), and extended validation (EV).

All the free SSL certificates are DV. The CAs just check whether the applicant owns the domains. CAs send you an email with a verification link, and when you click on it, your SSL certificate will get issued within minutes! The entire process is automatic. That’s why some non-profits can afford to offer free DV SSL certificates.

Code signing certificates, on the other hand, don’t have a DV option. There are only OV and EV code signing certificates available.

OV and EV digital certificates require stricter verification processes. The certificate authority’s staff must manually check all the business details. They generally check the details through online government records or local municipal business directories. If not satisfied, they ask the companies to provide documents (such as registration papers, articles of incorporation, a chartered license, Dun & Bradstreet report, Professional Opinion Letter, etc.) to make sure the applicant represents a genuine company.

If you’re a software developer who wants a code signing certificate, the vetting process requires:

  • a notarized ID form,
  • a government-issued ID such as a passport, driver’s license, or personal ID card, and
  • financial and non-financial documents that contain your full name.

It takes one to three days to complete the entire verification process. The verification process requires a large staff and includes heavy operational costs.

That’s why OV and EV digital certificates, both for SSL and code signing, are never available for free.

Security

Free DV SSL certificates are easily available, and now attackers are freely using them on their malicious websites. In fact, research from PhishLabs shows that 58% of phishing websites use SSL/TLS certificates and have enabled HTTPS. The free SSL certificates have already weakened people’s trust in the security of HTTPS.

But this shouldn’t happen with a code signing certificate. If one is issued to the wrong person/organization, it can easily spread the malware hidden in the downloadable software. Once downloaded, such software can steal data and corrupt the entire computer.

That’s why all the CAs follow a rigorous vetting process to make sure that they’re not handing over the code signing certificate to the wrong person or company.

As we said above, the verification process costs money — a lot of money, in fact. And that’s why OV and EV code signing certificates, and SSL certificates for that matter, are never available for free. But you can get one at a discounted rate if you buy a code signing certificate from vendors like CheapSSLsecurity.com.