I made a few apps for Microsoft AppSource for Microsoft Dynamics 365 Business Central (D365BC).
These apps are completely free; all validations are passed by AppSource except the digital signature.
I need to sign my apps but am not sure what to do.
As these apps are free, I do not want to spend too much money to buy code signing certificates.
Also, I don't have any guidance on which certificate I should buy, whether it will work with my apps, or whether there are any free code signing certificates I can use.
These are my apps https://marketplace.visualstudio.com/publishers/UnitechIT
I don't believe there are any publicly trusted certificate authorities (including Let's Encrypt) that offer free code signing certificates. As I understand it, this is partly because code signing certs can only be tied to a person or business identity (as opposed to more common web PKI certificates that are domain validated). So it costs much more in manpower for a CA to validate those identities.
Though given the number of software systems placing increasing emphasis on code-signing, I really wish the CA/B would come up with a DV equivalent for code-signing certs. It's a huge barrier for individual and small team developers, particularly those doing free or open source work.
It also makes more sense to me from a user perspective. If I'm downloading some app, unless it's made by a well known software company, I rarely know who the developer actually is. So if the signature on the binary is tied to "Jane Doe" rather than "superawesomesoftware.com", how does that help me? In some cases, the code signing cert for even well known companies is actually held by some lesser known parent corporation which is even more confusing. I'd much rather see that the signature matches the site I got the software from.
I think one reason that doing code-signing just with domain names might not be that great is that malware running on your computer can directly cause various kinds of harm (including some ongoing harm far into the future) that arguably website content in general can't¹. So an OS developer might be more interested in ensuring that an identifiable person is responsible for software downloads than a browser developer would be in making the same guarantee about website content.
I think this is exactly right: part of the reason Let's Encrypt can offer DV certificates for websites for free is that it doesn't attempt to confirm any applicant's legal identity at all. The DV process can be automated and hence scale up a lot without much marginal cost, but there isn't an equivalent way to perform an automated validation of legal identities without some kind of human intervention.
I think someone has suggested that maybe Estonia, which provides some kind of government-backed online identity credential, could credibly get into this space in the future. (People will presumably always have to pay for those credentials, but once they've done so, maybe specific kinds of certificates like code-signing certificates could be issued for them at minimal or no additional cost?)
¹ I guess there is lots of debate and different views about that, since people also disagree about whether existing web hosting facilities provide too much or too little protection for anonymous and pseudonymous publishing.