-
Information about Comodo Code-Signing
I don't know if this pertains to most customers, but it would have
been useful to have this information about individual orders on the
order page.
The non-EV certificates can be purchased as an individual (e.g., not a
company). This requires a different validation method, which entails
having a notarized "face to face verification"
https://support.comodo.com/index.php...ification-form
If you want an EV certificate, the individual option is not possible.
I'm having a frustrating time, trying to get my Dun and Bradstreet
record to become available "globally". It's been weeks now. So now I'm
going to try a personal order.
Comodo uses https://www.upik.de/en/ to look up the record. I have been
checking it every day, and their captcha is frustrating as heck (find
the cars, find the store front, find the traffic lights). If your
record isn't there, you are SOL. It doesn't matter if you can
successfully look it up on dnb.com.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
Also, does the Non-EV certificate really support kernel-mode signing?
This page seems to specify that an EV certificate is required for
that.
https://docs.microsoft.com/en-us/win...sta-and-later-
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
1 Attachment(s)
Re: Information about Comodo Code-Signing
Hi Jeff,
> Also, does the Non-EV certificate really support kernel-mode signing?
>
> This page seems to specify that an EV certificate is required for
> that.
this is from their "previous" website (see attached screenshot).
Friedrich
-
Re: Information about Comodo Code-Signing
Jeff,
> I don't know if this pertains to most customers, but it would have
> been useful to have this information about individual orders on the
> order page.
Thank you for your suggestion! Information added.
http://www.lindersoft.com/order_codesigning.htm
Friedrich
-
Re: Information about Comodo Code-Signing
On your website it's got:
Note 1: since the private key is stored on the hardware token, for
security it cannot be copied or exported to create a PFX file
Does this mean it's being stored in the Intel CPUs like this?
https://www.intel.com/content/www/us...-security.html
Do you know if it only works with Intel CPUs or are AMD CPUs
supported and do you know if removing the Intel Management Engine which
some consider to be a HW backdoor would bugger up this hardware token
storage?
With the GitHub code released about removing the Intel Management
Engine I have not seen anything talking about it affecting certs that
might be stored on the CPU but that could be for a number of reasons
including not realising the certs are stored in this part of the CPU,
or it could just be malicious code designed to tank a CPU which isn't
cheap.<g>
https://github.com/corna/me_cleaner
https://gist.github.com/CHEF-KOCH/af...09497d136996df
https://github.com/bartblaze/Disable-Intel-AMT
--
Richard
-
Re: Information about Comodo Code-Signing
Richard,
I think there is no Intel CPU involved. The E-Token is some kind of secure
USB flash drive.
Friedrich
-
Re: Information about Comodo Code-Signing
This is all I can really find about eToken.
https://en.wikipedia.org/wiki/Aladdi...ity_management
https://safenet.gemalto.com/multi-fa...p/etoken-pass/
So it appears that only the Comodo EV certs are stored on these eToken
dongles, the std certs are not.
https://support.comodo.com/index.php...g-certificates
I wonder how these eToken dongles work, i.e. do they use the USB bus
still which can be sniffed using Portmon to capture serial data or
https://desowin.org/usbpcap/ to capture raw usb data.
It might be fun to see what secrets can be given up with these etoken
dongles.<g>
--
Richard
-
Re: Information about Comodo Code-Signing
Hi Friedrich -
Not to make more work for you, but:
1. I would remove this from "Note 2" under EV, as it is misplaced: 'It
requires a different validation method, which entails having a
notarized "face to face verification"'.
2. Under the "Standard", I would put this note: 'Note: Individuals are
able to purchase standard code signing certificates, but it entails
the use of a different validation method than done for companies. See
<a
href="https://support.comodo.com/index.php?/Knowledgebase/Article/View/903/0/face-to-face-verification-form">here.</a>.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
Hi Jeff,
I agree. Changed! Thank you :-)
Friedrich
-
Re: Information about Comodo Code-Signing
> The non-EV certificates can be purchased as an individual (e.g., not a
> company). This requires a different validation method, which entails
> having a notarized "face to face verification"
> https://support.comodo.com/index.php...ification-form
>
> If you want an EV certificate, the individual option is not possible.
I notice that in the declaration in the document linked above, it says in part..
"Declaration Made by Applicant According to Comodo's _Extended Validation_ Certificate Requirements"
So that sounds like it is _for_ EV certs...
I am also wondering if this works outside the US, especially wrt "Confirming Persons"?
Has anyone any knowledge or experience...?
Thanks.
John Newman
Software Partners Australia
C11
-
Re: Information about Comodo Code-Signing
hmmm... I wonder why they told me "no" on the personal EV cert.
I think Comodo is based in Germany. They use this site to confirm DUNS
info: https://www.upik.de/en/
Also, I asked another code signing certificate provider (US Based).
They gave the same answer. No personal EV certificate.
So I wonder if that's a typo. I will ask Comodo.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
I'm guessing they're talking about EV SSL, but will check.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
The rep that I chatted with said that the face-to-face AND a business
license/tax document are required for an EV cert. I will let you know
how my EV order goes.
But (from my recollection of what I was told before) if you want a
non-EV signing cert, you can do a personal certificate but you still
need to do the face-to-face.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
Hi Jeff,
> I think Comodo is based in Germany. They use this site to confirm DUNS
> info: https://www.upik.de/en/
They used to be in the US - at least they had a big office somewhere in
the US. One of their guys came a couple of times to a conference Sue put
together several years ago. Of course that may all have changed.
Nothing this guy said helped to increase my respect for code signing
companies... Rather to the contrary...<bg>
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Information about Comodo Code-Signing
> But (from my recollection of what I was told before) if you want a
> non-EV signing cert, you can do a personal certificate but you still
> need to do the face-to-face.
Thanks for chipping in Jeff, it all has become more complex over time
(which I wouldn't have thought possible!)
Good luck with the EV cert.
John Newman
Software Partners Australia
C11
-
Re: Information about Comodo Code-Signing
One week later, nuttin'. I have chatted them up 3 times. The 2nd time,
they "elevated" it<g>. They say it comes in the order received. So the
1-5 days on the web page is a little bit generous.
Today, the chat guy asked for a couple of things. But nobody has
contacted me like they're working on the case.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
Some of the things that they look at for EV Code Signing validation:
1. DUNS - It must be in the global Dun & Bradstreet DB.
2. Whichever Government website to confirm your company exists. My
company wasn't listed on what they were looking at, so I told them
about the City of Riverside site and State of California sites.
3. They look for articles of incorporation.
4. Since I am not inc'd, they require the face-to-face with a notary.
Instructions are here (I don't know whether being inc'd would save you
from going through the face-to-face, though)
https://comodoca.my.salesforce.com/s...RtzGrBdALLjPbo
It cost me about $50.00 to notarize the documents. The line behind me
at the UPS store was getting pretty long<g>
So now I have my fingers crossed again.<g> I have been checking back
with them almost every day since my June 4 order. The chat thing works
okay. I think they're a squeaky wheel oriented establishment, as they
don't respond by email when they say they will. But they do the chat.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
Jeff,
> Some of the things that they look at for EV Code Signing validation:
The question I've been wanting to ask. Specifically, WHY EV?
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Creative Reporting: http://www.CreativeReporting.com
Product Release & Update Notices
http://twitter.com/DeveloperPLUS
Hydrogen, the only CLEAN fuel and the future of clean air.
-
1 Attachment(s)
Re: Information about Comodo Code-Signing
> The question I've been wanting to ask. Specifically, WHY EV?
Well, damn! Jane gets a reply and all I get is the cold shoulder!
I'm so hurt.... ACK!!!!!<g>
Lee White
-
Re: Information about Comodo Code-Signing
Sorry Lee. I didn't see it. No cold shoulders here.
EV - I want to avoid the reputation thing.
https://comodosslstore.com/code-sign...v-code-signing
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
And a concealed weapons permit is acceptable as your primary ID !
And agreed, my (non-EV) experience with Comodo has always been
squeaky-wheel/chat for best results.
jf
-
Re: Information about Comodo Code-Signing
I asked them to put that in there for you<g>
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
Jeff,
> Sorry Lee. I didn't see it. No cold shoulders here.
That's what you say NOW!<g>
> EV - I want to avoid the reputation thing.
I've known you for decades and your reputation precedes you. And, hey,
you survived the dreaded BIG RED ONE - so you're good to go!!!!<g>
Lee White
-
Re: Information about Comodo Code-Signing
I have finally received my call-back verification. Now it goes to
final review. The gentleman on the phone said "24 hours", which I am
beginning to suspect is just a standard number that they tell you<g>.
Order was placed on June 4. Perhaps most customers won't have had to
go through all of the hoops that I did, but I think the "Issuance
within 1-5 days" on the order page is probably a little bit over
ambitious.
I'm not complaining about that, though. I can see how they'd want to
get this right. The value of an EV certificate would be diminished if
issuance was too hasty.
Next on the agenda is figuring out the roadblocks for a NEW company to
get an EV cert.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
The item is out for delivery, so I guess 24 hours is roughly equal to
1 week <g>. It shipped out of Kanata, ON.
The email that I received says "Please note you may also need to
install additional etoken software to access/manage the certificate;
we suggest Safenet, however there are many applications you can
utilize."
Safenet's pricing page is basically just a "contact us" form. Doesn't
sound too inexpensive. I hadn't anticipated additional expenses.
Has anyone used something like this before? Have a preferred app?
Basically, all I want to do is set it up so that Setupbuilder can see
the EV certificate using the experimental syntax that's defined in the
help. So I need a way to assign or retrieve a name or something.
Thanks.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
1 Attachment(s)
Re: Information about Comodo Code-Signing
-
Re: Information about Comodo Code-Signing
"Is there someone else I can talk to?" <g>
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
Jeff,
> "Is there someone else I can talk to?" <g>
Sorry, I no longer accept robo-calls!
Lee White
-
Re: Information about Comodo Code-Signing
On the sheet of paper that they sent with the eToken, it says to
search https://sectigo.com/knowledgebase for "safenet". There's a
download there.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
> On the sheet of paper that they sent with the eToken, it says to
> search https://sectigo.com/knowledgebase for "safenet". There's a
> download there.
An interesting choice on their part.
FWIW, your USB "token" can definitely be cloned and a software replacement
installed on any computer. Then whatever they use to talk to the USB
device will think it is talking to the real thing.
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.learnh5fast.com - Master building web and mobile apps with Clarion H5!
www.clarionproseries.com - ProDocument, ImageEx, ProScan, ProImage, ProPath
and other Clarion developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.fotokiss.com - "World's Best Auction Photo Editor"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
-------------------------------------------------------------------------------------------------------
-
Re: Information about Comodo Code-Signing
One more consideration: You can't use an EV to sign something within a
virtual machine. Safenet sees the token on the host, but nothing in
the VM.
From Sectigo tech support:
"It is mandatory to plugin the device on every device you want to sign
the files. Unfortunately it can not be used on virtual machine."
Regarding the Safenet (below) you can download from sectigo, it's an
un-registered version. I don't know yet if it expires or how much it
costs if it does. I was able to use it to change the EV password. You
can also change the label.
It shows the maximum password re-tries as 15. And it shows how many
attempts have been made. So don't mess up<g>.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
You have done this?
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
> You have done this?
I've seen it first hand with software that was protected by those hardware
devices and drivers.
There is a "backup" service that has software that will read the original
device and create a file. That gets sent to the company and they create a
data file from it.
Then a person loads a software driver on their PC that will load the data
file and present itself as the original device (even in a VM and even
multiple VMs at the same time).
When the protected software tries to access the hardware key, it thinks it
is talking to it and it loads and runs as expected.
I know people who have been running it for years now (and they update the
software solution every year as the hardware gets updated).
The hardware thing is a pretty good lock for someone who knows nothing
about getting around it, but it is an easy bypass if you have the tools.
Charles
-
Re: Information about Comodo Code-Signing
What does one stand to gain by defeating the intended security and
sending the coveted jewels to a 3rd party?
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
> What does one stand to gain by defeating the intended security and
> sending the coveted jewels to a 3rd party?
The folks I know who are running it don't want the inconvenience of being
forced to have multiple USB keys hanging off a laptop (or carry a hub to
use with it).
Also the company who uses the keys charges you FULL price for a replacement
if you lose your key.
So most folks backup the key, put the originals in a safe deposit box and
call it a day.
Plus for ones that might use it on a laptop on the road and a desktop at
home, they never have to be unable to work if they forgot to take it off
the desktop PC before they left.
But I think the big thing for most of the ones I talked to is not getting
stuck paying $2500 for a new dongle if they lost it or it was stolen.
Charles
-
Re: Information about Comodo Code-Signing
>> What does one stand to gain by defeating the intended security and
>> sending the coveted jewels to a 3rd party?
I forgot to add that most people figure that is the software vendor's
problem for using hardware dongles in the first place.
Personally I have never even considered them for our commercial products.
They alienate customers and potentially cause far more problems than they
solve.
Charles
-
Re: Information about Comodo Code-Signing
Charles,
> I forgot to add that most people figure that is the software vendor's
> problem for using hardware dongles in the first place.
>
> Personally I have never even considered them for our commercial products.
>
> They alienate customers and potentially cause far more problems than they
> solve.
This is not your average dongle - it's for signing software programs,
not for running them.<g>
--
Lee White
-
Re: Information about Comodo Code-Signing
> This is not your average dongle - it's for signing software programs,
> not for running them.<g>
I understand that.
My point was that the hardware was not more than a casual way to prevent
the magic key from being spread.
Charles
-
Re: Information about Comodo Code-Signing
okay. Sounds like the folks you know are into piracy.
Jeff Slarve
www.jssoftware.com
Ones and Zeros are my Heroes
-
Re: Information about Comodo Code-Signing
> okay. Sounds like the folks you know are into piracy.
Actually the developers I know who use the backup service are very legit
people. Every one of them pays thousands of dollars a year for legit
upgrades to software that they own and paid thousands of dollars for
originally.
They just don't want to be screwed for a new license just because a vendor
made a bad decision to use hardware locks and doesn't care that sometimes
bad things happen (keys are lost or stolen).
Plus with that many keys a laptop is useless without an external port, then
you are stuck carrying that and the cables for it.
I'd wager that all of the folks I know would be happy to pay the vendor
some sort of "insurance" fee to not get it stuck in their behinds and
broken off if something happened.
I mean sure, you could add it to an insurance policy for your home or
business, but if there was a fire you are usually looking at a minimum of 3
months to a year (maybe more) before there is any pay out on this sort of
thing. Meanwhile someone who spent a lot of money to get a tool they
needed (and can't yet afford a replacement license at full price) is
screwed and out of work because of the vendor policy.
I probably know 20 developers who use it and none of them consider it
anything more than a backup for something that they paid for. Several of
those who don't travel still use the original keys daily and just keep the
backup option in case something does happen.
At any rate, as I told Lee, my point was that the hardware used to secure
the certificates just wasn't all that secure. Granted I guess it is better
than nothing, but if someone with a laptop gained access to the key for 30
seconds they could get a duplicate running on any number of machines.
Charles