A code-signing cert (or signing account) so our Windows binaries install without SmartScreen "unknown publisher" warnings. One cert/account signs every app across all projects — not per-app.
Options, cheapest first (verified 2026)
- SignPath Foundation — FREE for qualifying open-source projects (OV-level, managed signing pipeline). Silphe is open source, so this may cost $0. Has qualification criteria — verify eligibility.
- Azure Artifact Signing (formerly Trusted Signing) — ~$10/month, 5,000 signatures included. Microsoft's recommended path for apps distributed outside the Store; cloud-based, no hardware token to manage, signs everything. Historically needed an org 3+ years old — verify current individual eligibility.
- Certum Open Source Code Signing — ~$70–130/yr, dedicated to OSS, "Open Source Developer" on the cert; uses their card/cloud.
- Traditional CAs (Sectigo/SSL.com/DigiCert): OV ~$216/yr, EV ~$280–560/yr, require a FIPS hardware token. More cost + hassle; not recommended here.
Recommendation
Try SignPath (free, we qualify as OSS) → fall back to Azure Artifact Signing (~$10/mo). Avoid the token-based CAs.
Notes
- 2026 change: code-signing cert lifespans capped at ~1 year.
- Cloudflare does not sell code-signing certs (those are CA/Authenticode products) — but Cloudflare R2/Pages is great + cheap for hosting the signed binary.