Free code signing certificates that are trusted by Windows SmartScreen, macOS Gatekeeper, and major antivirus products in the same way as paid OV or EV certificates do not exist from public Certificate Authorities. Certificate Authorities require identity verification before issuing code signing certificates, and that verification process has a cost that CAs pass on to customers.
However, the honest answer to ‘how do I sign my software without paying $200-400 per year’ has changed significantly since 2022. Three real options now exist that effectively solve the problem without purchasing a traditional code signing certificate. Each has specific eligibility requirements, limitations, and tradeoffs. This guide covers all three accurately so you can choose the right path for your project.
Decision Table: Which Option Applies to You?
| Your situation | Best option | Cost | Catch |
|---|---|---|---|
| Open-source project with a public repository and existing release history | SignPath Foundation free OSS program | Free | Certificate issued to ‘SignPath Foundation’, not you. Project must meet eligibility criteria. |
| Commercial software; individual or company in US or Canada | Azure Trusted Signing | ~$9.99/month | Not free, but much cheaper than OV/EV. Uses 3-day certificates (permanently valid once timestamped). Identity validation limited to US/Canada as of 2025. |
| Container images, Python packages, npm packages, cloud-native artifacts | Sigstore keyless signing via cosign | Free | Does not produce SmartScreen-trusted Windows signatures. Best for non-Windows artifacts. |
| Commercial software outside US/Canada; or need traditional certificate | Paid OV from DigiCert, Sectigo, GlobalSign | $70-300/year | No free path exists. This is the paid route. |
Option 1: SignPath Foundation (Free for Open-Source Projects)
SignPath Foundation is a nonprofit organization that provides free code signing for qualifying open-source projects through a partnership with SignPath.io, an enterprise code signing platform. This is the most direct free alternative to a paid certificate for OSS developers who need their Windows software to show a trusted publisher name rather than Unknown Publisher.
What you get
An OV-level code signing certificate for your project, with the private key stored on SignPath Foundation’s HSM (you never receive or handle the key). The certificate is issued to SignPath Foundation, not to you personally or your project directly. The publisher name shown in Windows SmartScreen and installation dialogs is ‘SignPath Foundation’ rather than your name or project name. For many OSS projects this is acceptable because the verification is against the repository, not a personal identity.
Signing is automated through SignPath’s pipeline integration: you configure your CI/CD system (GitHub Actions, Azure DevOps, Jenkins) to submit build artifacts to SignPath for signing. The signing happens server-side in SignPath’s infrastructure. This is genuinely better than most free-trial-period alternatives because it handles key protection, HSM storage, and CI/CD integration.
Eligibility requirements
- The project must be open-source with a publicly accessible repository (GitHub, GitLab, etc.)
- The project must already have released software in the form that needs signing (new projects with no release history are not eligible)
- The project’s functionality must be documented on the download page or in the app store entry
- The project must adhere to SignPath Foundation’s Code of Conduct
- The software must not be malicious, adware-bundled, or otherwise harmful
Because the certificate is issued to SignPath Foundation rather than your project, SignPath Foundation reserves the right to revoke the certificate if the project violates their Code of Conduct, including retroactive revocation. For most legitimate OSS projects this is not a practical concern, but it means your signing identity depends on a third-party organization maintaining their program. Consider this when evaluating whether this path suits your project’s long-term needs.
How to apply
- Go to signpath.org and click Apply for Free Code Signing
- Provide your project’s repository URL, download page URL, and description
- SignPath Foundation reviews the application and verifies the project meets eligibility criteria
- Approved projects receive access to the SignPath platform and can configure their CI/CD pipeline for automated signing
- Applications typically take a few days to a few weeks to process
Option 2: Azure Trusted Signing (Low-Cost, Not Free)
Azure Trusted Signing (formerly called Azure Artifact Signing) is Microsoft’s own managed code signing service. It is not free, but at approximately $9.99 per month for the Basic tier (pricing as of 2026), it is dramatically cheaper than a traditional OV code signing certificate. Microsoft recommends it as the primary option for Windows app developers distributing outside the Microsoft Store.
This service is included in this guide because it addresses the same need that drives people to search for free code signing, and the cost is low enough that it removes price as a barrier for many developers.
How Azure Trusted Signing differs from traditional certificates
Azure Trusted Signing issues short-lived certificates with a validity period of approximately 3 days. These are not the same as traditional OV certificates with 1-2 year validity. The 3-day certificate renews automatically, so you never need to manage certificate renewal. When you sign a binary, the signing tool obtains a fresh certificate, signs the artifact, and adds an RFC 3161 timestamp in a single operation. Because the timestamp proves the signature was created during the certificate’s validity period, the signed artifact remains trusted permanently even after the 3-day certificate expires.
Short-lived certificates with timestamping are not a workaround or a compromise. They are a more secure approach than long-lived certificates. A 3-day certificate that is stolen or compromised expires in 3 days with no action required. A traditional 2-year OV certificate that is compromised requires revocation and reissuance, and the revocation may not be enforced by browsers. The CA/B Forum is reducing maximum certificate validity for all certificate types in coming years for the same reason.
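The following added example (not code from the page or from Azure Trusted Signing) models the verifier logic behind the two claims above: a timestamped signature outlives its short-lived certificate, an untimestamped one does not, and a certificate revoked with an earlier effective date (the retroactive revocation described under SignPath Foundation) invalidates signatures made before the revocation. All certificates and times are constructed, and `evaluate` is a simplified model of how Authenticode-style verifiers treat the signing time, not a real implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class SigningCert:
    """Constructed model of the trust-relevant fields of a code signing certificate."""
    subject: str
    not_before: datetime
    not_after: datetime
    # Date from which the CA declares the key untrusted; None if not revoked.
    # A CA may set this earlier than the revocation event ("retroactive").
    revoked_from: Optional[datetime] = None


@dataclass(frozen=True)
class Signature:
    cert: SigningCert
    # Time asserted by an RFC 3161 timestamp authority; None if not countersigned.
    timestamp: Optional[datetime] = None


def evaluate(sig: Signature, now: datetime) -> str:
    """Simplified verifier: returns "trusted", "expired" or "revoked" at time `now`.

    With a timestamp the signing time is the timestamped time; without one the
    verifier can only use the current time, so an expired certificate fails.
    """
    signing_time = sig.timestamp if sig.timestamp is not None else now
    cert = sig.cert
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "expired"
    if cert.revoked_from is not None and signing_time >= cert.revoked_from:
        return "revoked"
    return "trusted"


# Constructed 3-day certificate, the kind of validity period the page describes.
ISSUED = datetime(2025, 6, 1, tzinfo=UTC)
SHORT_LIVED = SigningCert("Example Org (constructed)", ISSUED, ISSUED + timedelta(days=3))
SIGNED_AT = ISSUED + timedelta(hours=2)
A_YEAR_LATER = ISSUED + timedelta(days=365)


def demo() -> dict:
    """Run the three scenarios and return the verdict for each."""
    with_ts = Signature(SHORT_LIVED, timestamp=SIGNED_AT)
    without_ts = Signature(SHORT_LIVED, timestamp=None)
    # Constructed long-lived certificate later revoked back to its issue date.
    revoked = SigningCert("Foundation (constructed)", ISSUED,
                          ISSUED + timedelta(days=365), revoked_from=ISSUED)
    return {
        "timestamped_after_expiry": evaluate(with_ts, A_YEAR_LATER),
        "untimestamped_after_expiry": evaluate(without_ts, A_YEAR_LATER),
        "retroactive_revocation": evaluate(Signature(revoked, SIGNED_AT), A_YEAR_LATER),
    }
```

Running `demo()` yields `trusted`, `expired` and `revoked` for the three cases respectively.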
Geographic restriction as of 2025
Azure Trusted Signing identity validation accepted only US and Canadian organizations as of April 2, 2025. The Microsoft blog post confirming the public preview update noted this limitation explicitly. EU, UK, Australian, and other non-US/Canada organizations and individuals cannot currently complete the identity validation for Azure Trusted Signing.
Microsoft stated in May 2025 that personal validation (for individual developers, not just businesses) and broader geographic coverage were coming soon. Check the current Azure Trusted Signing documentation and public preview status before relying on this information, as availability is actively expanding.
For US and Canadian developers, Azure Trusted Signing is Microsoft’s recommended starting point. The integration with GitHub Actions and Azure DevOps is first-party and well-documented. SmartScreen reputation builds through the Azure Trusted Signing infrastructure just as it does with traditional OV certificates. The 2024 removal of EV’s instant SmartScreen bypass means this service is now functionally equivalent to OV code signing for SmartScreen purposes.
Option 3: Sigstore Keyless Signing (Free, for Non-Windows Artifacts)
Sigstore provides completely free code signing infrastructure for open-source and public projects through its Fulcio CA, Rekor transparency log, and cosign tool. Sigstore keyless signing is the standard for container images, Python packages (PyPI), npm packages, and cloud-native artifacts. It is used by default in GitHub Actions environments and is backed by Google, Red Hat, and the Linux Foundation.
What Sigstore does not do: it does not produce signatures that Windows SmartScreen trusts for .exe, .dll, .msi, or other Windows executable formats. Windows Authenticode signing requires a certificate from a CA that participates in the Microsoft Trusted Root Program. Sigstore Fulcio is not in the Microsoft Trusted Root Program. A Windows binary signed only with Sigstore will still show Unknown Publisher in Windows.
For the use cases where Sigstore applies, it is the best option available: free, fully automated, no private key management, verifiable via the public Rekor log, and increasingly required by package registries and deployment pipelines.
What About Trial/Free-Period Certificates?
Several CAs (historically including Comodo/Sectigo) have offered 30-day trial code signing certificates. As of 2026, these programs have largely been discontinued or restricted. Even when they were available, 30-day trial certificates provided no practical value for distribution because SmartScreen reputation does not build meaningfully in 30 days, the certificate expires before most users encounter the software, and re-signing is required monthly.
Trial certificates from CAs are a sales mechanism, not a viable free signing solution. They are worth dismissing from consideration.
SmartScreen and Why ‘Free’ Is Complicated for Windows Signing
To understand why free Windows code signing is difficult, you need to understand how SmartScreen works. SmartScreen evaluates software based on two inputs: whether the software is signed with a certificate from a trusted CA, and how much download reputation the signing identity has accumulated.
A new certificate with no download history triggers SmartScreen warnings even if the certificate is valid. Reputation builds as more Windows users download and run the software without reporting it as malicious. This is true for all certificates, including OV and EV since 2024 (when the EV instant-bypass was removed). The certificate establishes the identity; reputation builds the trust over time.
A self-signed certificate does not help with SmartScreen. It shows as Unknown Publisher because self-signed certificates are not from CAs in the Microsoft Trusted Root Program. SmartScreen has no way to build per-publisher reputation for self-signed certificates because any software can claim any name.
The practical implication for developers: any code signing path that does not use a certificate from the Microsoft Trusted Root Program produces Unknown Publisher warnings in Windows. SignPath Foundation certificates come from Sectigo (an MRCP member) and produce proper publisher attribution. Azure Trusted Signing certificates are from Microsoft’s own CA and build SmartScreen reputation.
Full Comparison of Available Options
| Option | Cost | Windows SmartScreen trust | Publisher name shown | Requires identity verification | Good for |
|---|---|---|---|---|---|
| SignPath Foundation | Free | Yes (Sectigo certificate) | ‘SignPath Foundation’ | No personal ID; verifies OSS repository | Open-source projects with existing releases |
| Azure Trusted Signing Basic | ~$9.99/month | Yes (Microsoft CA) | Your organization name (after validation) | Yes; US/Canada only currently | US/Canada developers and organizations |
| Sigstore keyless signing | Free | No | Identity from OIDC (GitHub, Google, etc.) | No (uses OIDC identity) | Containers, Python, npm, non-Windows |
| OV from public CA | $70-300/year | Yes | Your verified organization name | Yes; international | Any use case; most established option |
| Self-signed certificate | Free | No | Name you choose (unverified) | No | Internal tools; development only |
Frequently Asked Questions
Is there a completely free code signing certificate that works with Windows SmartScreen?
Not from public Certificate Authorities. A fully free certificate trusted by Windows SmartScreen requires the issuing CA to be in the Microsoft Trusted Root Program, which requires the CA to verify the certificate applicant’s identity. That verification process has costs that CAs charge for. SignPath Foundation provides the closest equivalent to free for qualifying open-source projects: the certificate is issued by Sectigo (a trusted CA) and the verification is done against the OSS repository rather than personal identity. The publisher name shown is ‘SignPath Foundation’ rather than the developer’s name.
What is the cheapest paid option for code signing in 2026?
Azure Trusted Signing at approximately $9.99 per month is currently the lowest-cost option that provides full Windows SmartScreen trust for US and Canadian developers. For international developers, Sectigo PositiveSSL Code Signing and equivalent entry-level OV certificates from other CAs are available in the $70-120 per year range. The 2024 removal of EV’s SmartScreen instant-bypass means there is no practical reason to pay for EV over OV for most use cases.
Does Sigstore replace the need for a code signing certificate?
For non-Windows artifacts, increasingly yes. Python packages on PyPI, npm packages, container images, and Kubernetes artifacts are moving to Sigstore as their standard signing mechanism. For Windows executables, DLLs, MSI installers, and other Authenticode-signed Windows artifacts, no. Windows Authenticode validation is separate from Sigstore and requires a certificate from a CA in the Microsoft Trusted Root Program. Sigstore signatures on Windows executables do not produce SmartScreen trust or suppress Unknown Publisher warnings.
What is Azure Trusted Signing and how does it differ from a traditional code signing certificate?
Azure Trusted Signing is Microsoft’s managed code signing service that issues short-lived certificates (approximately 3-day validity) and performs signing via API without you ever holding a private key. The certificates auto-renew and timestamps are applied automatically, making each signature permanently valid. The service builds SmartScreen reputation just as traditional OV certificates do. It costs approximately $9.99 per month (Basic tier) rather than $200-400 per year for traditional OV certificates. The current limitation is that identity validation requires a US or Canadian organization; broader geographic support was announced as coming in 2025 and may be available by the time you read this.
If I use SignPath Foundation, what happens if my project violates their Code of Conduct?
SignPath Foundation reserves the right to immediately revoke the certificate, including retroactively. All previously signed binaries would show an invalid or revoked certificate status to users whose systems perform revocation checking. For legitimate OSS projects that follow standard open-source practices, this is not a practical concern. The risk is real but remote. If your project requires guaranteed long-term certificate continuity under your own identity, a paid certificate issued directly to you or your organization is more appropriate.
