PKCS #12 certificates to be used with MassCert


#1

Hello,

May I generate PKCS #12 certificates with Let’s Encrypt in order to sign my code using MassCert?

Kyle


#2

No, Let’s Encrypt certs are for TLS only, not code signing.
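The practical way to confirm this for any certificate you already hold is to look at its Extended Key Usage extension: a TLS certificate carries id-kp-serverAuth, while a code-signing certificate must carry id-kp-codeSigning (OID 1.3.6.1.5.5.7.3.3), and signing tools that consume PKCS #12 bundles check for exactly that. The script below is an added example, not code from this thread or from MassCert: it builds two throwaway self-signed certificates (one with a TLS-style EKU, one with a code-signing EKU), wraps each in a PKCS #12 bundle, and then inspects the bundle's end-entity certificate. The certificate names, the password and the 90-day validity are constructed sample values, and the `cryptography` package is assumed to be installed.

```python
"""Inspect the EKU of the certificate inside a PKCS #12 bundle before using it to sign code.

Added example (not part of the thread): a Let's Encrypt certificate, like the
TLS-style one constructed here, lacks id-kp-codeSigning in its Extended Key
Usage, so a signing tool will reject it or produce a signature verifiers reject.
"""
import datetime
from typing import List

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

P12_PASSWORD = b"example-password"  # constructed sample value
TLS_SERVER_EKUS = [ExtendedKeyUsageOID.SERVER_AUTH]      # what a TLS (e.g. Let's Encrypt) leaf carries
CODE_SIGNING_EKUS = [ExtendedKeyUsageOID.CODE_SIGNING]   # what a code-signing leaf must carry
CODE_SIGNING_OID = ExtendedKeyUsageOID.CODE_SIGNING.dotted_string  # "1.3.6.1.5.5.7.3.3"


def make_self_signed_p12(common_name: str, ekus: list, password: bytes) -> bytes:
    """Build a self-signed certificate with the given EKU list and return it as PKCS #12 bytes.

    Self-signed throwaway material for demonstration only; a real bundle would
    come from a CA and contain the issuing chain as well.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        name=common_name.encode(),
        key=key,
        cert=cert,
        cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def extended_key_usages(p12_bytes: bytes, password: bytes) -> List[str]:
    """Return the dotted EKU OIDs of the end-entity certificate in a PKCS #12 bundle.

    A certificate without an EKU extension yields an empty list; it is not
    treated as "any purpose", which is the conservative reading for signing.
    """
    _key, cert, _cas = pkcs12.load_key_and_certificates(p12_bytes, password)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return []
    return [oid.dotted_string for oid in eku]


def can_sign_code(p12_bytes: bytes, password: bytes) -> bool:
    """True only if the bundle's certificate explicitly lists id-kp-codeSigning."""
    return CODE_SIGNING_OID in extended_key_usages(p12_bytes, password)


if __name__ == "__main__":
    tls_style = make_self_signed_p12("example.com", TLS_SERVER_EKUS, P12_PASSWORD)
    signing_style = make_self_signed_p12("Example Corp", CODE_SIGNING_EKUS, P12_PASSWORD)
    for label, bundle in (("TLS-style", tls_style), ("code-signing", signing_style)):
        print(f"{label} bundle EKUs: {extended_key_usages(bundle, P12_PASSWORD)}"
              f" -> usable for code signing: {can_sign_code(bundle, P12_PASSWORD)}")
```

Run it against a real bundle by replacing the constructed `tls_style` bytes with the contents of your own `.p12` file and its password; the EKU list it prints is what any signing tool will look at, independent of who issued the certificate.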


#3

Is it planned someday?


#4

Is it possible to have Domain Validated code signing certificates? That could assure that this binary is really from the owner of example.com and has not been modified, even if the binary is distributed across many, many mirrors not controlled by example.com.

I do not know the CAs’ requirements for code signing, but something like this would be really cool and could be easily automated.


#5

From the FAQ:


#6

That’s clear, thanks!
But is it planned to happen in the near future?


#7

There has been no announcement of any such plans, no. As far as I know, code signing certificates are similar to OV certificates, which require manual validation by a human. That’s not something which could be provided by a free CA.


#8

No. If there was ever a plan to do it, you’d find it here: https://letsencrypt.org/upcoming-features/


#9

Couldn’t it be possible to have DV code signing certs that just ensure that a binary is distributed by the owner of a domain?


#10

Technically possible? Yes.

However, Baseline Requirements for Code-Signing certificates state that:

Prior to issuing a Code Signing Certificate to an Organizational Applicant, the Issuer MUST:
2. Verify the Subject’s legal identity, including any DBA proposed for inclusion in a Certificate,
in accordance with Section 11.1.1 and 11.1.2 of this document,
3. Verify the Subject’s address in accordance with Section 11.1.1 of this document,
[…]
Prior to issuing a Code Signing Certificate to an Individual Applicant, the CA MUST:
[…]
2. Verify the Subject’s identity using a government photo ID under Section 11.2.1 of this document, and
3. Verify the authenticity of the government photo ID under Section 11.2.2 of this document.

tl;dr: CAs aren’t allowed to issue a domain-validated certificate for the purpose of code signing.


#11

That’s clear. Thanks!