For the past 2 weeks I have been trying to work with code signing the
GoGreen PC TuneUp™ software and utility so that the software is trusted
during installation and download detection by Microsoft operating
systems, browsers, and antivirus programs.
The odd thing is that there are two versions of a certificate to code sign:
the Basic / Standard and the EV (extended verification) versions of a code
signing certificate. The standard one is less expensive than the
advanced EV edition: instead of $500 for an EV edition, the standard
edition is $200 for 1 year. The EV is about 2-3 times more expensive and
slow to order, slow to process, yet once received works with immediate
reputation on the operating systems and antivirus programs.
So why is the Standard not fully trusted, and why does it require lots of installations and overrides to get it trusted?
Could it be the time stamp switch being included or not during the code signing? Probably.
It also basically comes down to money and vendor profiteering. There are
non-profit ways for open source code signing, but not for-profit ways.
As a side note, time stamping was not stressed enough in any of the
documentation of a basic code signing process. I realize now time
stamping is vital in part to be trusted.
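An added example, not part of the original post: a PowerShell pair of functions that signs a file with a timestamp and then reports which signed files carry one. A timestamped signature stays verifiable after the signing certificate expires. The function names are hypothetical, and the timestamp URL is a parameter you fill in with the RFC 3161 address your certificate vendor documents.

```powershell
# Added example. Function names are hypothetical; the cmdlets are the
# built-in Authenticode cmdlets on Windows.

function Set-TimestampedSignature {
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Thumbprint of a code signing certificate in the current user's store.
        [Parameter(Mandatory)] [string]$Thumbprint,
        # RFC 3161 timestamp URL from your CA (no default: it is vendor-specific).
        [Parameter(Mandatory)] [string]$TimestampServer
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No code signing certificate with thumbprint $Thumbprint" }

    # -TimestampServer is the "time stamp switch": without it the signature
    # is only verifiable while the signing certificate itself is valid.
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
}

function Get-SignatureTimestampReport {
    param([Parameter(Mandatory)] [string[]]$Path)

    foreach ($file in $Path) {
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = $sig.SignerCertificate
        $tsa    = $sig.TimeStamperCertificate   # $null when no timestamp is present

        [pscustomobject]@{
            File               = $file
            Status             = $sig.Status
            Signer             = if ($signer) { $signer.Subject } else { $null }
            SignerExpires      = if ($signer) { $signer.NotAfter } else { $null }
            HasTimestamp       = [bool]$tsa
            TimestampAuthority = if ($tsa) { $tsa.Subject } else { $null }
        }
    }
}

# Usage (.\dist is a hypothetical build output folder): list signed
# installers that were shipped without a timestamp.
# Get-SignatureTimestampReport -Path (Get-ChildItem .\dist -Filter *.exe).FullName |
#     Where-Object { $_.Status -eq 'Valid' -and -not $_.HasTimestamp }
```

Running the report as a release gate catches a build where the timestamp switch was left off before the installer is published.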
More to come.