How to obtain a digital signature to sign your LISP files

In an earlier post, I explained why you might want to digitally sign your LISP files. If you decide to go ahead with that, then this post explains how you can obtain and install the digital signature you will need to sign your files. This is the most difficult part of the process and it involves spending money.

Getting a digital signature

Although you can make your own digital signature (there’s an Autodesk Knowledgebase article describing the process), there’s little point in doing this. You can sign your files, sure, but that signature won’t be seen as trusted by software that checks for it. Anybody can create a signature like that, including one that impersonates you, and it doesn’t prove anything. The only purpose for such a home-made signature would be to test the methods you’ll be using to apply a proper trusted signature later.

Edit: if you do want to make your own signature, BlackBox informs me that the MakeCert tool in the Windows SDK mentioned in the Knowledgebase article is deprecated. He suggests using this PowerShell Cmdlet instead.

You’re going to need a signature that is trusted. That means you’re going to have to pay somebody trustworthy to trust you. There are a set of certifying authorities, trusted by Microsoft, Autodesk, etc. who can issue code signing certificates to companies and people. You need to prove who you are to one of those authorities and pay them to certify that you are who you say you are. So before you start, make sure you or your business are visible in terms of directory listings, publicly visible phone numbers, etc. If you are representing a company asking for a certificate, you can expect to be asked to produce evidence that you really represent that company. You can expect to confirm that your email and phone number are really under your control.

You only need to do this once a year, or even once every several years if you pay in advance. You might find that the evidence you need to provide changes at renewal time; for example a Yellow Pages listing that was OK in 2015 was no longer accepted when I renewed in 2017, so I had to register my business with another listing.

In my search for a certifying authority, I found that K Software, a reseller for Comodo, was the cheapest source for a code signing certificate, see here. An OV certificate will be fine for signing LISP.

K Software takes your money (USD $67 to $84 a year depending on the length of time you need), gets Comodo to provide the certificate, and provides a handy tool (KSign) that allows you to simply apply the certificate to various files without some of the messing about that’s otherwise required. It’s not useful for LISP files, though. Comodo also provides the support, and I’m happy to report that in my experience their customer service is excellent.

Note: it’s important that you pay close attention to the instructions when applying for your certificate. For example, the browser you use to apply for the certificate is vital. Choose one that’s suggested (e.g. Firefox) and which you expect to use later to obtain the certificate.

Installing a digital signature

Once your evidence is accepted and your payment has gone through, you will be sent an email with a special code, allowing you to obtain the certificate. It’s important that you’re using the same browser on the same computer that you used when applying for the certificate.

Once you click the link and obtain the certificate, you’ll want to export it. In Firefox 58.0, use Options > Privacy & Security and scroll to the bottom to see View Certificates. Select the certificate and pick Export. This will create a .P12 file that you can back up and install on this or another computer. To install the certificate, double-click the .P12 file and follow the prompts to assign it to the current user in the default location (Personal).

That’s it. You should now have a certificate installed that you will be able to use to sign LISP and other files. To check this, start the Windows Certificate Manager (C:\Windows\System32\certmgr.msc). Have a look in Current User > Personal > Certificates and you should find your newly installed certificate.

The next post in this series will explain how to apply this digital signature to your LISP files. That’s the easy bit.

2 Comments

  1. James Maeding

    If a company required me to only use signed lisps, I would simultaneously doubt their competency and refuse to work there. Just saying that for anyone who wants to take Steve’s excellent instructions and look all cool at their workplace by implementing signatures. If a place is that paranoid, what else must they do to make your life miserable.

    1. Steve Johnson

      As a CAD Manager, I absolutely wouldn’t demand only signed LISP. It’s too high a maintenance burden in proportion to the risk.

      As a developer who wants his code to be used by everybody, including companies with very cautious IT departments, I pretty much have to sign my LISP. It also offers me a degree of protection. The cost and inconvenience is a pain, though.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.