Sectigo Code Signing Authentication Evolves
Some Sectigo Code Signing certificate subscribers have opined recently that our Code Signing authentication now includes additional steps and requirements it did not have in previous years. This observation is accurate. Sectigo of recent has increased its process and requirements for obtaining Code Signing certificates.
The short story on why is that in 2019 we saw a strong uptick in the frequency of bad actors seeking to sign malware. In response, we researched and instituted additional authentication measures beyond those required by CA/Browser Forum Baseline Requirements (BRs). As Code Signing certificates can be valid for up to three years, it is our opinion that an authentication process that is slightly less convenient for a subset of subscribers is more than justified if it makes malware signing more difficult. We believe that the overwhelming majority of our customers would agree.
Note that this is a work in progress, and we continue to investigate, implement, and measure the results of process changes.