Code Signing Certificate
When customers buy software in a store, the source of that software is obvious.
Customers can tell who published the software, and they can see whether the package has been opened. These factors enable
customers to make decisions about what software to purchase and how much to "trust" those products. Customers who
download digitally signed Active X controls, dynamic link libraries, .cab files or HTML content from your site can be confident
that code really comes from you and hasn't been altered or corrupted since it was created and signed. Digital IDs serve as
virtual "shrinkwrap" for your software: after you sign your code, if it is tampered with in any way, the digital signature will
break and alert customers that the code has been altered and is not trustworthy.
The solution to these issues is Microsoft's Authenticode technology coupled with Digital IDs from Comodo. Code
Signing, through the use of digital signatures, enables software developers to include information about themselves
and their code with their software.
When customers download software signed with a Code Signing Certificate issued by Comodo, they can be assured of:
- Content Source: End users can confirm that the software really comes from the publisher who signed it.
- Content Integrity: End users can verify that the software has not been altered or corrupted since it was signed.
Users benefit from this software accountability because they know who published the software and that the code hasn't
been tampered with. In the extreme case that software performs unacceptable or malicious activity on their computers;
users can also pursue recourse against the publisher. This accountability and potential recourse serve as a strong
deterrent to the distribution of harmful code. Developers and Web masters benefit from Code Signing because it builds
trust in their names and makes it more difficult to falsify their products. By signing their code, developers build a trusted
relationship with users, who learn they can download software signed by that publisher or Web site with confidence.
With Code Signing Certificates, developers can create exciting Web pages using signed ActiveX™ controls, signed
Java™ applets, or other signed executables. And users can make educated decisions about what software they want
to download, knowing who published the software and that it hasn't been tampered with.
Code signing is widely used to protect software that is distributed over the Internet. Code signing does not alter it; it
simply appends a digital signature to the executable code itself. Use digital signatures when you want to distribute data,
and you want to assure recipients that it does indeed come from you. This digital signature provides enough information
to authenticate the signer as well as to ensure that the code has not been subsequently modified. Code signing digital IDs
(or certificates) allow content publishers including software developers to sign their content that includes software objects,
macros, device drivers, firmware images, virus updates, configuration files or other types of content for secure delivery over
the Internet.
Digital signatures are created using a public-key signature algorithm such as the RSA public-key cipher. A public-key
algorithm actually uses two different keys: the public key and the private key (called a key pair). The private key is known
only to its owner, while the public key can be available to anyone. Public-key algorithms are designed so that if one key is
used for encryption, the other is necessary for decryption. Furthermore, the decryption key cannot be reasonably calculated
from the encryption key. In digital signatures, the private key generates the signature, and the corresponding public key
validates it.
Who Needs a Code Signing Digital ID?
Any software publisher planning to distribute code or content over the Internet or through an extranet risks impersonation and
tampering. Comodo Code Signing Digital IDs for Microsoft Authenticode protect against these hazards.
Comodo offers Code Signing Digital IDs designed for commercial software developers: companies and other organizations that
publish software. This class of Digital ID provides assurance regarding an organization's identity and legitimacy, much like a
business license, and is designed to represent the level of assurance provided today by retail channels for software.
Customer Confidence
Code Signing Digital ID protects (reassures) your customers by assuring them that the integrity of the code they download
from your site is intact - that it has not been tampered with or altered in transit.
Authenticity
After downloading, end users can be sure that the code they obtained really came from you, helping you preserve your
business reputation and intellectual property. Digital IDs allow customers to identify the author of digitally signed code
and contact them should an issue or query arise.
Seamless Integration with Industry-Standard Technology
Most browsers will not accept action commands from downloaded code unless the code is signed by a certificate from a
trusted Certificate Authority, such as Comodo.
Ease of Use
Code signing certificates are easy to use in conjunction with the vendor software tools that developers use to create products, macro's and objects.
How does Authenticode work with Comodo Digital IDs?
Authenticode relies on industry standard cryptography techniques such as X.509 v3 certificates and PKCS #7 and #10 signature
standards. These are well-proven cryptography protocols, which ensure a robust implementation of code signing technology.
Authenticode uses digital signature technology to assure users of the origin and integrity of software. In digital signatures, the
private key generates the signature, and the corresponding public key validates it. To save time, the Authenticode protocols use
a cryptographic digest, which is a one-way hash of the document.
Code Digital IDs Signing Process:
The process is outlined below
- Publisher obtains a Code Signing Digital ID from Comodo.
- Publisher creates code.
- Using the SIGNCODE.EXE utility, the publisher:
- Creates a hash of the code, using an algorithm such as MD5 or SHA,
- Encrypts the hash using his/her private key,
- Creates a package containing the code, the encrypted hash, and the publisher's certificate.
- The end user encounters the package.
- The end user's Microsoft browser examines the publisher's Digital ID. Using the Comodo root Public Key, which is already embedded in Authenticode-enabled applications, the end user browser verifies the authenticity of the Code Signing Digital ID (which is itself signed by the Comodo root Private Key).
- Using the publisher's public key contained within the publisher's Digital ID, the end user browser decrypts the signed hash.
- The end user browser runs the code through the same hashing algorithm as the publisher, creating a new hash.
- The end user browser compares the two hashes. If they are identical, the browser messages that the content has been verified by Comodo, and the end user has confidence that the code was signed by the publisher identified in the Digital ID, and that the code hasn't been altered since it was signed.
The entire process is seamless and transparent to end users, who see only a message that the content was signed by its publisher and verified by Comodo.
The Six Steps In Code Signing
These instructions provide an overview of obtaining and using Microsoft Authenticode and a Code Signing Digital ID from Comodo.
Step 1: Make Sure that you Are Running the Correct Versions of all Tools:
These include:
- Internet Explorer 4.0 or later
- Internet Client SDK
Step 2: Apply for a Code Signing ID for Authenticode from Comodo
In the process of applying for a Code Signing ID, your browser will generate a private key. You should store this private key (called MyPrivateKey.pvk) on a floppy disk, which is stored in a safe deposit box or other secure location. Please make a back-up copy of this private key, as you will need this key to sign code. This key is never sent to Comodo, so if you lose this private key, you will be unable to sign code. If this key is lost or stolen, please contact Comodo immediately.
Step 3: Pick up your Digital ID
Once you have completed the application process, Comodo will take a number of steps to verify your identity. For commercial publishers, Comodo does a considerable amount of background checking. As a result, it will take approximately 3-5 days to verify your information and issue a Digital ID.
At the end of this process, Comodo will send you an e-mail containing a PIN (Personal Identification Number). Follow the instructions in this e-mail to pick up your Digital ID. Save your Digital ID as a file (e.g. MyCredentials.spc).
Please note that you must use the same machine to apply for and obtain your Digital ID. You can then use the private key and Digital ID to sign files on a different machine.
Step 4: Prepare your Files to be Signed
If you are building any PE file (.exe, .ocx, .dll or other), you need not do anything special. For cab files, you need to add the following entry to your .ddf file before creating the cab file: Set ReservePerCabinetSize=6144
Step 5. Sign your Files
You can now sign your .exe, or .cab, .ocx, or .dll file. To sign, you will use the SIGNCODE.EXE utility included in the ActiveX SDK. You will also need your Digital ID file (generally called MyCredentials.spc) and the diskette containing your private key (MyPrivateKey.pvk).
As part of this process you will need to know the URL of Comodo’s time stamping server, which is http://timestamp.comodoca.com/authenticode
Step 6: Test Your Signature
The Microsoft SDK contains a utility called chktrust.exe. This may be used to check your signature before distributing your file.
To test a signed .exe, .dll or .ocx file, run chktrust filename
To test a signed cab file, run chktrust -c cabfilename.cab
If your signing process was OK, this will bring up a certificate. Congratulations, you have just digitally signed your file. When this file is downloaded from a Web site by Internet Explorer, it will display the same certificate to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option of refusing installation.
Conclusion
Microsoft and Comodo are committed to making the Internet a secure and viable platform for commerce and the distribution of content. With Authenticode and Comodo's Code Signing Digital IDs, your code will be as safe and trustworthy to your customers as it would be if you shrink-wrapped it and sold it off a store shelf.
Code Signing Certificates FAQ
Who needs a Code Signing ID?
Any publisher who plans to distribute code or content over the Internet or over corporate extranets risks corruption and tampering
How does the Comodo Code Signing solution work?
Comodo Code Signing uses authenticated digital signatures to assure the publisher details and content integrity of downloadable code.
Is the Comodo Code Signing solution the right product for me?
Comodo Code Signing is essential if you wish to protect your reputation as an authenticated code publisher.
Does Comodo certify the content of my code?
No. We certify that the software really comes from the publisher who signed it. We also certify that the software has not been altered or corrupted.
Is Comodo Code Signing the right product for my business?
A Comodo Code Signing certificate is strongly recommended for any publisher intending to distribute code or content over the Internet or over corporate extranets. Customers are aware of the dangers involved and are far more trusting of a signed download.
A Comodo Code Signing certificate is an effective way to distribute authentic software over the Internet. It is a best-of-breed product that offers full protection, ease of use and flexible.
How long can I use my developer certificate?
Code signing certificates are valid for one or two years depending on which life cycle you choose when you purchase the certificate.
Time Stamping Server – Location and usage
In order to sign your code, you pass the code which you want to authenticate through a hashing algorithm and then use your private key to sign the hash, which results in a digital signature. You then build a signature block, which contains the digital signature and the code-signing certificate. Tools like Authenticode let you time stamp the signature block based on the current date and time that a time stamping service provider, such as Comodo, provides. Finally, you bind the time stamped signature block to the original software. Now you can publish the signed software on your Web site for download.
As part of this process you will need to know the URL of Comodo’s time stamping server, which is http://timestamp.comodoca.com/authenticode.
Is timestamped code valid after a Code Signing Certificate expires?
Timestamping ensures that code will not expire when certificate expires. If your code is timestamped the digital signature is valid even though the certificate has expired. A new certificate is only necessary if you want to sign additional code. If you did not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.
Which utility is used to verify whether the file has been timestamped?
Use the chktrust.exe utility included with the Authenticode SDK tools to verify whether the file has been timestamped. The date and time will be displayed when the file has been timestamped. "Unknown date and time" will appear when the file has NOT been timestamped.
Do code signing certificates last longer than 1 year?
Yes. It is now possible to request a 2-year code signing certificate.
Is there a limit to the amount of applications allowed to be signed with a Code Signing Certificate?
Comodo does not limit you to any specific number. You can sign as many applications with a Code Signing Certificate as you wish, provided that the applications are going to be used for and distributed by the Organization that owns the certificate.
What settings should be enabled to allow a user to receive the certificate pop-up?
- In order to receive the Certificate pop-up when the file is downloaded, you will need to enable a setting in Internet Explorer.
- The setting can be found under: Tools > Internet Options > Advanced > Scroll to the bottom of the list to 'Security'
- Make sure that the following option is checked: "Check for signatures on downloaded programs".
What type of assurance a customer obtains when downloading software signed with Authenticode?
When customer downloads software signed with Authenticode they can be assured of:
- Content Source: The software really comes from the publisher who signed it.
- Content Integrity: The software has not been altered or corrupted since it was signed.
How do I ensure that both I and my customers have the latest Microsoft roots in my certificate store.
For Windows XP, everything is Automatic, meaning well over 200 Million customers will automatically have access to all the latest certificates. For older versions of the Windows operating system it is highly recommended that the latest root update is installed.Good security policy dictates that your root certificate store should have the most current root certificate references from all trusted certification authorities, thereby providing the widest capability to recognize trusted content. Install the latest Microsoft root certificate patch here:- Root Update
What does Authenticode mean?
Authenticode is currently used to sign 32-bit .exe files (PE files), .cab files, .ocx files, and .class files. In particular, if you are distributing active content such as ActiveX controls for use with such Microsoft end user applications as Internet Explorer, Exchange, Outlook, or Outlook Express, you will want to sign code using Authenticode.
What is a Digital ID?
A Digital ID also known as a digital certificate is a form of electronic credentials for the Internet. A Digital ID is issued by a trusted third party to establish the identity of the ID holder. The third party who issues certificates is known as a Certification Authority (CA). Digital ID technology is based on the theory of public key cryptography. In public key cryptography systems, every entity has two complementary keys, a public key and private key, which function only when they are held together. The purpose of a Digital ID is to reliably link a public/private key pair with its owner. When a CA issues Digital IDs, it verifies that the owner is not claiming a false identity.
What about timestamping?
Since key pairs are based on mathematical relationships that can be cracked with a great deal of time and effort, it is a well-established security principle that digital certificates should expire. Your Digital ID will expire one year after it is issued. However, most software is intended to have a lifetime of longer than one year. To avoid having to resign software every time your certificate expires, a timestamping service is introduced. Now, when you sign code, a hash of your code will be sent to Certification authority to be timestamped. This means that you will not need to worry about resigning code when your Digital ID expires. Microsoft Authenticode allows you to timestamp your signed code so that signatures will not expire when your certificate does.
Time Stamping Server – Location and usage
In order to sign your code, you pass the code which you want to authenticate through a hashing algorithm and then use your private key to sign the hash, which results in a digital signature. You then build a signature block, which contains the digital signature and the code-signing certificate. Tools like Authenticode let you time stamp the signature block based on the current date and time that a time stamping service provider, such as Comodo, provides. Finally, you bind the time stamped signature block to the original software. Now you can publish the signed software on your Web site for download.
As part of this process you will need to know the URL of Comodo’s time stamping server, which is http://timestamp.comodoca.com/authenticode.
What will happen if an end user encounters an unsigned component distributed via the Internet?
If an end user of one of these applications encounters an unsigned component distributed via the Internet, the following will occur:
- If the application's security settings are set on "High," the client application will not permit the unsigned code to load.
- If the application's security settings are set on "Medium," the client application will display a warning like this screen:
What will happen if an end user encounters an signed component distributed via the Internet?
If a user encounters a signed applet or other code, the client application will display a screen like the following:
Who issue the digital certificates to applicants?
Certification Authorities are organizations that issue digital certificates to applicants whose identity they are willing to vouch for. Each certificate is linked to the certificate of the CA that signed it.
List the responsibilities of Certification Authority?
As the Internet's leading Certification Authority, Comodo has the following responsibilities:
- Publishing the criteria for granting, revoking, and managing certificates.
- Granting certificates to applicants who meet the published criteria.
- Managing certificates (for example, enrolling, renewing, and revoking them).
- Storing Comodo's root keys in an exceptionally secure manner.
- Verifying evidence submitted by applicants.
- Providing tools for enrollment.
- Accepting the liability associated with these responsibilities.
- Time stamping digital signatures.
Explain the six step process of Signing Code?
- Make Sure that you are running the correct versions of all tools
- Apply for a Code Signing ID for Authenticode from Comodo
- Pick up your Digital ID
- Prepare your Files to be Signed
- Sign your Files
- Test Your Signature
How do I ensure that both I and my customers have the latest Microsoft roots in my certificate store.
For Windows XP, everything is Automatic, meaning well over 200 Million customers will automatically have access to all the latest certificates. For older versions of the Windows operating system it is highly recommended that the latest root update is installed.Good security policy dictates that your root certificate store should have the most current root certificate references from all trusted certification authorities, thereby providing the widest capability to recognize trusted content. Install the latest Microsoft root certificate patch here:-
Root Update
Trusted Certificate Services
Comodo Code Signing CA
We want our signed files to be time stamped. Could please provide me with the URL of the time stamping server?
The Comodo timestamping server can be found at: http://timestamp.comodoca.com/authenticode
|
About US | 
