All about Code Signing Certificate FAQ
What is a Code Signing Certificate?
Authenticode™ is a technology developed by Microsoft that, according to them:
While not guaranteeing bug-free code, Authenticode identifies the publisher of signed software and verifies that it hasn’t been tampered with, before users download software to their PCs - technet.microsoft.com/en-us/library/cc750035.aspx
Authenticode is commonly referred to as Code Signing because a “digital signature” is attached to .EXE and other files that is used to determine if the file has been modified since being “signed” by the publisher. The way most users have run across Authenticode is likely by downloading a piece of software and seeing a rather nasty “Unknown Publisher” warning from the web browser (or Windows). Does this look familiar to anyone?
Note the “This Digital Signature is OK” message. If you don’t see that on the certificate details page then you should not run it as the file has been modified since the publisher signed it (it could have a virus or contain some other sort of malware).
What Authenticode is Not?
Authenticode (Code Signing) is not a guarantee that the software that has been digitally signed is bug free or even virus/malware free. All a digital signature says is “this file has not been modified since it was signed by the publisher”. Having said that it is worth noting that obtaining a code signing certificate is not free and that companies or individuals that apply for a code signing certificate do have to pay a fee and do have to prove their identity to the company that issues the certificate.
Who can get a Code Signing Certificate?
However, keep in mind that code signing certificates can only be issued to "legal entities", like registered companies or directly to individuals (in the latter case, your name is used as the Publisher). A code signing certificate is an identity verification product so the "publisher" needs to be a recognized business.
You can get a code signing certificate even if your business is just you "Doing Business As" another name, as long as that name has been registered and is recognized by other 3rd parties (like banks, utility companies, phone companies, etc). Normally officially filing a DBA (Doing Business As) name is very easy to do with your local or State government.
You cannot get a code signing certificate with the name of your website as the publisher unless you have registered your website as your business name (like Amazon.com).
See the FAQ entry for "Validation Requirements" for a full list of documentation that Comodo might ask you for.
Is there a free trial for a Code Signing Certificate?
Unfortunately, no, by necessity there can't be a free trial because every order has to pass through validation where the identity of the publisher ordering is verified.
We do, however, offer a 100% money-back guarantee. If you don't want or need the certificate after you order it you can always get your money back.
What is the order procedure for a Code Signing Certificate?
The order process consists of two steps, placing the order (filling out a short form at https://codesigncert.com) and validating your identity with Comodo. The validation process is handled via email by Comodo and you will receive full instructions with your order confirmation within a few minutes. Follow those instructions and you'll receive a link to collect your certificate and install it into your browser then you export the code signing certificate to a PFX/P12 file and use that file with a signing utility (like kSign). It is important that you use the same computer and browser to order and collect the certificate but after collection the certificate can be exported and used on any number of computers or servers.
For export instructions please see the FAQ entries for "How do I export my certificate to a file.." -- the process varies depending on which browser is used so be sure you follow the instructions for the browser you used to order.
We recommend you use Internet Explorer or Firefox to order but mobile browsers are not supported in the ordering process.
What happens when my Code Signing Certificate expires?
Code signing certificates are valid from 1 to 5 years. When your certificate expires only your ability to create new signatures is affected, past signatures remain valid as long as you used a timestamp when you sign.
Comodo provides a timestamp server free to any certificate holder, the URL is https://timestamp.comodoca.com/authenticode - that URL can be passed to signing utilities like Microsoft's signtool.exe. You should always use a timestamp!
How long does it take to get a Code Signing Certificate?
Assuming you have all of the documentation required ready to send over the entire process generally takes no more than 2 business days. For more information about the documentation requirements see the FAQ (or just drop us a line).
What is a timestamp?
Put simply, a timestamp records when a signature was created. Because all code signing certificates expire it is important for any software verifying a digital signature to know if the signature was created before or after the certificate expires. If you use a timestamp your signatures never expire, even when your certificate does.
It signs but other code signing utilities like Microsoft's signtool.exe need to be passed a URL for a timestamp server. Comodo offers a timestamp server for free for any certificate holder, the URL is https://timestamp.comodoca.com/authenticode
For Microsoft's SignTool (4.0 and later) and others applications like Jarsigner which support RFC 3161 (Time Stamping Protocol): use the URL https://timestamp.comodoca.com/authenticode
NOTE : For signing macros in MS Office / VBA - use the Authenticode URL (https://timestamp.comodoca.com/authenticode)
What browsers are supported?
The only time a browser comes into the equation is at order and collection time. Users do not need to install the certificate for it to change the Unknown Publisher warnings on your downloads, the certificates are already trusted in all versions of Windows (and OSX, most Java devices, Android and iOS too).
Mobile browsers are not supported for ordering.
When ordering the browser does play a key (yet temporary) role because it creates the CSR (certificate signing request), and generates the private key and stores that key temporarily in your browser. The recommended browser for ordering is Firefox, because it works out of the box and doesn't prompt users unnecessarily with warnings, prompts and options like some other browsers do. However, most other major browsers will work as well.
What does the error message "[You] do not own the corresponding private key" mean?
Generally that means that you are visiting the collection link either in a different browser or on a different computer than the one you used to order. The private key portion of the order is temporarily stored in the browser for security (so that it never leaves your possession) and is paired with the certificate at collection time (so you can export it to a PFX file -- see the Exporting tutorials for instructions there).
The other possible reason you might see an error message like that is if you used Chrome to order. If that is the case,email us with your order number and we'll fix it for you.
What do I do after I click the collection link and install my Code Signing Certificate?
In order to use your certificate you need to export it to a file.There are a number of browser-based export tutorials located here. If you're stuck just drop us a line at mailto:firstname.lastname@example.org and we'll help!
An Comodo Code Signing Certificates be used for kernel mode driver signing?
As of late August 2013, all valid (not expired, not revoked) Comodo Code Signing Certificates can be used for Kernel-Mode Code Signing!!! (For Windows Vista and greater)
1. Download the Comodo cross-signed CA that matches your Code Signing certificate's Root CA.
2. Open an elevated Windows command prompt (cmd) and run signtool.exe :
signtool.exe sign /v /ac "CROSS_SIGNED_COMODO_CA_HERE" /f YOUR_PFX_HERE /trhttps://timestamp.comodoca.com/rfc3161 "FULL_PATH_TO_FILE_TO_SIGN"
Example: signtool.exe /v /ac "AddTrustExternalCARoot_kmod.crt" /f my.pfx /trhttps://timestamp.comodoca.com/rfc3161 "C:\myfile.dll"
Note: For most customers CROSS_SIGNED_COMODO_CA_HERE will be:
[KMCS] AddTrust External CA Root OR [KMCS] UTN-USERFirst-Object
For more general information and instruction about kernel mode signing certificates, see Microsoft's Kernel-Mode Code Signing Walkthrough . (MSDN.microsoft.com)
Will CodeSignCert's certificates work for Mozilla, Android, Java, Adobe AIR, Flash, Silverlight, MS-Office and OSX/iOS?
One certificate will sign on ALL supported platforms. Microsoft Authenticode (DLL, EXE, COM, etc), Java, Mozilla, Android, Adobe AIR, Flash, Silverlight, MS-Office and OSX/iOS.
Will a Code Signing Certificate get rid of the Unknown Publisher warning my users are seeing?
That's exactly what they do -- verify a publisher's identity.
Without a code signing certificate your users will see :
WITH a code signing certificate your users will see :
Will a Code Signing Certificate get rid of the "This file may harm your computer" warning my users are seeing?
Almost. The "This file may harm your computer" warning is actually generated by a Microsoft software called SmartScreen. SmartScreen uses file reputation
to warn users when a file hasn't been downloaded very often. A digital signature does help SmartScreen identify your files but a signature alone doesn't
instantly mean your users won't see the SmartScreen warning. With a digital signature and some time, that SmartScreen warning will disappear (and stay
gone, as long as you're signing your files so you can always be identified as the publisher).
One trick we've learned is to release some sort of freeware download that is signed with the same digital signature. Users tend to download free software much more than trial versions or commercial versions so you get the reputation bump (because of the digital signature) on all files you download.
In summary, a digital signature alone won't guarantee your software isn't flagged by SmartScreen but signing helps ensure that your software's reputation can be recognized for everything you sign. That means that when you release new versions or editions of your software your SmartScreen reputation is maintained and doesn't have to start from scratch.
What is a .p12/PFX file (Or a PKCS12 file)?
.p12 is an alternate extension for what is generally referred to as a "PFX file", it's the combined format that holds the private key and certificate and
is the format most modern signing utilities use. If you have a .p12 file that you exported from Firefox or Safari just rename the .p12 extension to .PFX if
you need to, it's the same format.
If your signing tools refer to a PKCS12 file, that is the same thing as well.