Token can be also in cloud.
https://docs.digicert.com/en/digicert-keylocker.html

The only difference is that the non-EV can be also bought by a natural person (with full identity verification).
EV is company only. But then, you can get an EV cert as a sole trader as well.
Not sure how it is the same as "unsigned" - for any code cert to be issued the full credentials of the person have been verified by the CA. In case of ordering for a legal person they verify both the legal entity owner as a natural person as well as the legal entity itself.

I would say when it is given to a natural person then that person is even more on the hook for shit they sign.

Since this year there is almost no difference in cost anymore.
Before the standard cert used to cost 70$/year because you could use it without a HSM. Now you have to have a HSM token for the standard one as well.
The only difference these days between EV and non-EV is the initial smartscreen reputation. Which makes zero difference after your entity is trusted, and this trust in my experience comes quite quickly, I think it took me a month or so initially.

I mean in this way now because there is almost no price and technical difference between EV and non-EV you might as well get an EV cert.
Before there used to be a continuous 3x price difference in something that takes less than a month to solve forever.

This is the same for non-EV certificate when the certificate is issued to a company. It always has been.
The existence and the owner of the company is verified via government data.

In the past the difference between EV and non-EV for companies was that EV came on a HSM and gave instant smart screen reputation to the publisher.
These days the difference is only the smartscreen reputation. If you already established smartscreen reputation in the past and are extending an already existing certificate, then you are already a "trusted publisher" for Microsoft.
The fact that the certificate is now also on HSM like the non-EV variant means that it is also harder to steal - this was the real issue with non-EV certs before (but not since this year anymore).
It's also the reason why the difference between EV and non-EV is now like 20% of the price while it used to be 300%.

There was a tool posted on ecuconnections that read bosch numbers from a file. Also of course anonymous and unsigned.
Except it was also gathering the WinOLS data folder and uploading all ols files to a google drive account. The credentials were in the binary.
There was a very large amount of data on there....

Unless the certificate was stolen, then it is known exactly who signed it and who made this malicious piece of software.
So there is responsibility, versus downloading an unsigned blob from someone completely anonymous.
Yes, both can do you wrong, however, you can sue one, but not the other.

Making a fraudulent piece of software (which is illegal in many places on it's own) and then putting your name on it is some special kind of stupid.

Going through this for a new company, under the new arrangements since June 2023, it did end up over $800 for a 3 year certificate with an HSM, and we're not there yet with the telephone validation (because like many companies we don't do business over the phone and are not listed in US centric phone directories) and might have to get a professional opinion letter written (not just confirming the phone number) taking the cost well over $1000. Still, it is a small part of the cost of making something worthwhile that people trust if you are running it as a company even though companies with multiple premises, more employees than I ever want, trading for multiple years and bringing in lots of revenues don't always do it. I really need it because I do stuff with encryption and networks and light up the heuristics on potentially unwanted software or bad behaviour like a dashboard on a 25 year old badly maintained and badly modified 1.8T. It seems the controversy in this thread is the nature of what is being offered and whether it is a business or not.

No longer in the UK and not in the EU, but GDPR does apply. We avoid processing any customer data except that required to process an order. Thanks for the info, we'll check and if we need to publish one on our website we will. I think our other company that was UK based did have one, and thankfully people didn't call it for irrelevant technical support - that is my main fear. Our main requests for phone numbers from customers are unrelated to the delivery of our products and services.

Imprint (Impressum) is something else, it's a German only requirement.

In EU if you are providing services to natural persons you must have a whole bunch of stuff in the TOS.
If you process any data that falls under the GDPR, you must have a Privacy Policy with a bunch of mandated stuff to comply with the GDPR.

The TOS must have your company phone number in it. It does not matter if this phone number goes to voice mail all the time, there is no requirement to ever answer it.
Just that it has to be there

There is some local listing site that appears to have no actual verification that could be used, but it is box ticking like the business phone that goes to answer phone for other requirements.

Great deal, thanks. I might need it as a fallback as still awaiting phone approval with Sectigo. I wanted to go with Sectigo because I found a working method that uses an HSM with Visual Studio publish and I've adopted that method for version control/updates.