Anonymous/hidden certificate

After reading the FAQs, it seems to me it is impossible to get a code signing certificate without providing official documents as to who I am.

Basically, I want a certificate which would prove that an application was released by me and that it wasn’t tampered with, but wouldn’t spread my name and address all over the net. It seems to me the only solution would be a self-signed certificate. Is this correct?

Hello pepak
The documents for validation are
A. Articles of Incorporation (with address)

B. Government Issued Business License (with address)

C. Copy of a recent company phone bill

D. Copy of a recent major utility bill of the company (i.e. power bill, water bill, etc.) or current lease agreement for the company.

E. Copy of a recent company bank statement (you may blacken out the Account Number).
You’ll need to provide any two valid documents, as I mentioned above, to validate your account.

Mostly, if you have a signed executable or file (as attached),
you can view the cert by going to the file properties:
Properties > Digital Signatures. You should see the name of the signer and the email address; then you can click on Details
and more details… your address will not be on the cert.

Only your company name/name will be on the cert and, if you wish, your email address.

hope this helps!

Jake

i.e. I attached a signed .dll from CIS as an example.
If you right click > Properties > Digital Signatures


Thanks for the answer, Jacob.

Being a single developer wanting to sign my own free stuff, I don’t have any of those. I checked a few tutorials and it seems I would have to provide a copy of my passport and make sure my domain’s whois data matched it (which won’t happen, as I use a private registration).

Only Your Company Name/Name will be on the Cert and if you wish your Email address
And, I assume, the name shown will have to match the one on my passport, right? So even though I release all my stuff as "pepak", I would have to give out my real name.

If you are an individual person and not an organization/company, then you could provide your own items (example: your own house electric bill, etc.).

As regarding your name, I am unsure.
I would think you would have to put your own real name.

Hope this helps

Jake

I must say I am not at all comfortable with providing these documents. I can see why you need them with the goal of “verifying integrity of the software and certifying the identity of the developer”, but my needs are better expressed as “verifying integrity of the software and certifying that the developer is the same as the developer of the previous version, whoever that is”. Given that, it seems like self-signed certificates are the only viable option for me. Correct?

Yes, that would be correct.

Jake

Jake, you would be incorrect: by default your address IS included on the Code Signing certificate as well as on OV (InstantSSL/EnterpriseSSL, etc.) SSL certificates, as they both go through the same validation procedures. You need to EXPLICITLY tell the validation team when they do your callback that you DO NOT want your HOME address to show. All that I remember being required to be shown is the city, state/province, and country.

Self-signed certificates would show your file as untrusted in Windows environments. Windows won’t tell you if the file was altered after downloading if it is a self-signed certificate/unrecognized CA, which it seems you’re after. Most people, if they do not digitally sign, include a SHA1/SHA2 hash of the file so that people can verify the hash if they so desire.
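The model pepak asked for (“the developer is the same as the developer of the previous version, whoever that is”) is key continuity rather than identity validation, and it can be checked outside Windows’ trust UI. The script below is an added example, not code from this thread or from Comodo: it assumes the openssl CLI is installed, and all file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): key continuity with a self-signed cert.
# A user pins the SHA-256 fingerprint of the developer's self-signed certificate
# on first install; every later release must verify against that same key, so
# "same developer as the previous version, whoever that is" is checkable even
# though the certificate names nobody Windows would trust.
# Assumes the openssl CLI is installed. File names below are constructed.
set -e
WORK=$(mktemp -d)

# Developer, one time: self-signed cert whose subject is just the pseudonym.
make_identity() {                       # $1 = basename for key/cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=pepak" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Developer, per release: detached SHA-256/RSA signature over the file.
sign_release() {                        # $1 = file, $2 = key, $3 = signature out
  openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# User: the value pinned on first install (no CA, no name or address needed).
fingerprint() {                         # $1 = cert
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# User: later releases pass only if the shipped cert matches the pin AND the
# signature over the downloaded file is valid under that cert's public key.
verify_release() {                      # $1 = file, $2 = sig, $3 = cert, $4 = pinned fp
  [ "$(fingerprint "$3")" = "$4" ] || { echo "REJECT: signer key changed"; return 1; }
  openssl x509 -in "$3" -pubkey -noout > "$WORK/signer.pub"
  openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" >/dev/null 2>&1 \
    || { echo "REJECT: file altered or signature invalid"; return 1; }
  echo "OK: same signer as the previous version, file intact"
}

# Walk-through: v1 installs and pins; v2 from the same key passes; a tampered
# v2 fails; a v2 signed by a different self-signed "pepak" key also fails.
make_identity dev
printf 'app v1' > "$WORK/app-v1"; sign_release "$WORK/app-v1" "$WORK/dev.key" "$WORK/app-v1.sig"
PIN=$(fingerprint "$WORK/dev.crt")
verify_release "$WORK/app-v1" "$WORK/app-v1.sig" "$WORK/dev.crt" "$PIN"
printf 'app v2' > "$WORK/app-v2"; sign_release "$WORK/app-v2" "$WORK/dev.key" "$WORK/app-v2.sig"
verify_release "$WORK/app-v2" "$WORK/app-v2.sig" "$WORK/dev.crt" "$PIN"
printf 'app v2 tampered' > "$WORK/app-v2"
verify_release "$WORK/app-v2" "$WORK/app-v2.sig" "$WORK/dev.crt" "$PIN" || true
make_identity impostor
printf 'app v2' > "$WORK/fake-v2"; sign_release "$WORK/fake-v2" "$WORK/impostor.key" "$WORK/fake-v2.sig"
verify_release "$WORK/fake-v2" "$WORK/fake-v2.sig" "$WORK/impostor.crt" "$PIN" || true
```

The pin replaces the CA as the trust anchor, so it is the one value that has to reach users over a channel the developer controls (the project page, a previous signed release); the published SHA1/SHA2 hash mentioned above covers integrity of a single download but not continuity between releases.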

Thank you for clarifying.

Jake

I wish there was something like this too. I’m not comfortable revealing personal details either. Even though there’s nothing fundamentally wrong with self-signing (plus a WOT for example), I think the current infrastructure is hostile for small developers for two reasons:

  1. $$$
  2. People think identity = trust. :frowning:

Disclaimer: I’m not an expert on this topic.

I’ve never seen a code signing certificate that included the address. City, state, country is all I’ve ever seen.
Where is this shown on certificates/are you sure?

Also, about phone bills, bank bills, etc.

If one is using e-Statements (cheaper, easier to archive) would Comodo want an e-mailed PDF or would they need a scanned printout, or…?

110% sure. It can be found on the subject line of the certificate.

Wow, I looked at Comodo Dragon’s certificate and there it was.
Is this only something Comodo tends to do? I don’t remember GlobalSign even asking last year when I dealt with them, and the cert didn’t contain the street.

There are NO baseline requirements for Code Signing certificates just yet but there will be in the near future so all CAs do as they feel they should. Street Address & Postal Code are Optional on these and other Organization/Identity validated certificates.

Just found this out the hard way. Absolutely do not want my address available publicly and wasn’t made aware of this at any point. Other code signing certificates just have the person’s name + country and some with the city.

Do you really need to go through the full process to get this changed or can it just be re-issued?