The winding road to a code-signing certificate

Are you interested in software code signing? If so, here’s the twisting tale of my recent interaction with Symantec, in the hope that it is useful to someone.

Extending a valid certificate with the same credit card and still valid passport? Someone might be impersonating me, so a notary is required (again) to confirm my identity. Somewhat understandable.

The notarization (seal/stamp) is to be scanned and sent by email (upon hearing this, the notary was shocked – anyone could forge it). So the whole process is a farce known as “security theater”. So be it.

The notary’s commission expired the same day I came. Bad luck, but I made sure to send off the document that same day.

Symantec objects: when using a German passport for identification, the notary’s address must be in Germany. The case of an expat living abroad is only allowed if they use secondary ID documents issued by the current country (though no mention is made of this).

Symantec reconsiders: they can accept a Singaporean notary if I cancel the order and create a new one.

Symantec finds fault with the now-expired notary commission. Although it proved my existence on that day, the expired stamp is now considered worthless. Another notarization is needed. As a compromise, they offer to absorb the cost of the second notarization into the purchase price. This seems fair!

I re-notarize the document. Some days later, Symantec sends word that the order is “complicated” and their senior team is investigating.

A few days later, I am contacted by a Symantec employee who wishes to confirm my place of residence and whether all the data are correct.

Soon after, the certificate is issued and works!

However, the agreement has changed [Darth Vader style]. There will not be a further rebate because the discounted price of $173 is already much lower than their usual price.

If such Kafkaesque bureaucracy and flip-flopping are a regular occurrence, I can actually understand why they might want to charge > $400 per year to issue a certificate. After all, this odyssey involved no fewer than 5 Symantec employees.

However, Comodo seems to be able to do it for much less (around $80 per year). Under German law, there is a case to be made for Symantec’s full price being illegal price gouging, because its cost is “noticeably disproportionate to the services rendered”.

That very interesting point aside, perhaps there are more hassle-free alternatives (this undertaking cost several hours). If you’ve dealt with any other vendors for kernel-mode code signing certificates, I’d love to hear your story via email. If dealing with Symantec in future, beware of the country-of-residence issue. Hope that helps!