Monday, November 18, 2024

Here's how I wasted $249 on code signing, so you don't have to!

I don't have positive experiences with code signing.

As of today I have another tale of confusion, frustration, anger, disappointment, and expense.


I'll try and keep this to just the facts, so I don't let my emotions carry me away:

  • I sign my VSIX (Visual Studio extension) and NuGet packages with a code signing certificate.
  • I use a hosted Code Signing solution from DigiCert.
  • Their certificates are initially limited to signing 1000 files per year. (Additional issuances are available for $249 for another 1000.)
  • I got through my initial thousand MUCH faster than I was expecting.  
  • I found out I'd used my allocation when signing suddenly started failing.
  • It turns out that, when signing a .vsix file, the default behaviour is to first sign every signable file inside the package and then sign the package as a whole.
  • Even if the internal files are already signed.
  • Regardless of where the files in the package are from.
  • So, when I thought I was signing one file, under the hood it was signing many more.
  • In some cases it was signing 30-40 files each time.
  • In the past I bought the certificate, installed it on my build machine and it didn't matter how many files I signed (or how many signable files were inside each package).
  • Now that everything is a subscription (and especially an expensive one), it becomes even more important to understand how the things you're using work and how you may end up being billed for using them.
  • No, the documentation on this is far from extensive, clear, or useful.
  • I worked out the solution based on the description here: "Some artifacts are containers that contain other signable file types."
  • Then I found the setting `--filelist` in the documentation at https://learn.microsoft.com/en-us/visualstudio/extensibility/dotnet-sign-cli-reference-vsix?view=vs-2022#options 
  • I've now updated all my signing scripts to only sign what's absolutely necessary. As an example see this commit.
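To make the cost of the default behaviour visible before a signing run, here is an added example (not the author's script or the sign CLI's own code) that treats a .vsix as the zip it is, lists the inner entries a container-aware signer would sign, counts the signatures the default run would consume (one per inner file plus one for the package), and writes a file list that keeps only the binaries you build yourself so third-party dependencies are left alone. The set of signable extensions, the "one path per line" file-list format, the sample package contents and the `MyExtension` naming are assumptions for illustration; check the option reference linked above for the authoritative extension list and file-list syntax, and note that this does not inspect whether an inner file already carries a signature, because the page's point is that the default run re-signs it either way.

```python
import io
import posixpath
import zipfile

# Extensions treated as signable here. This set is an assumption for the
# example; the sign CLI documentation is the authoritative list.
SIGNABLE_EXTENSIONS = {".dll", ".exe", ".ps1", ".psm1", ".psd1", ".nupkg", ".vsix", ".msi"}


def signable_entries(vsix_bytes: bytes) -> list[str]:
    """Return the archive entries a container-aware signer signs by default.

    A .vsix is a zip. Every inner file with a signable extension is a separate
    signature (and, on a metered service, a separate issuance), whether or not
    it is already signed and regardless of who built it.
    """
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    return sorted(
        name for name in names
        if posixpath.splitext(name)[1].lower() in SIGNABLE_EXTENSIONS
    )


def default_signature_count(vsix_bytes: bytes) -> int:
    """Signatures consumed with no file list: every inner signable file,
    plus one for the container itself."""
    return len(signable_entries(vsix_bytes)) + 1


def own_files_only(entries: list[str], own_prefixes: tuple[str, ...]) -> list[str]:
    """Keep only entries whose file name starts with a prefix you actually
    build; dependencies such as third-party assemblies are dropped."""
    return [e for e in entries if posixpath.basename(e).startswith(own_prefixes)]


def build_filelist(paths: list[str]) -> str:
    """Render a file list as one archive-relative path per line.
    (Format assumed for illustration; see the sign CLI docs for the real syntax.)"""
    return "\n".join(paths) + "\n"


def build_sample_vsix() -> bytes:
    """Construct an in-memory zip shaped like a VSIX. Sample data only; the
    entry contents are placeholders, not real assemblies."""
    entries = {
        "extension.vsixmanifest": "<PackageManifest/>",
        "[Content_Types].xml": "<Types/>",
        "MyExtension.dll": "MZ...",
        "MyExtension.pdb": "...",
        "MyExtension.Core.dll": "MZ...",
        "Newtonsoft.Json.dll": "MZ...",
        "Microsoft.VisualStudio.Threading.dll": "MZ...",
        "tools/install.ps1": "Write-Host 'installing'",
        "icon.png": "PNG",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    vsix = build_sample_vsix()
    print(f"default run would consume {default_signature_count(vsix)} signature(s):")
    for entry in signable_entries(vsix):
        print("   inner file:", entry)
    print("   plus the .vsix container itself")
    mine = own_files_only(signable_entries(vsix), ("MyExtension",))
    print("\nfile list restricting the run to your own binaries:")
    print(build_filelist(mine), end="")
```

Run against a real package instead of the constructed one by reading the .vsix bytes from disk; the count it prints is the number of issuances a single default signing run would have cost against a metered allocation, and the file list it writes is the input for the `--filelist` option described above.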



Not mentioned: dealing with DigiCert support and how they made it hard for me to pay them money to buy more "issuances". :'(
