Code Signing Certificate - General FAQ's
- Who needs a Code Signing ID?
Any publisher who plans to distribute code or content over the Internet or over corporate extranets risks corruption and tampering.
- How does the Comodo Code Signing solution work?
Comodo Code Signing uses authenticated digital signatures to assure the publisher details and content integrity of downloadable code.
- Is the Comodo Code Signing solution the right product for me?
Comodo Code Signing is essential if you wish to protect your reputation as an authenticated code publisher.
- Does Comodo certify the content of my code?
No. We certify that the software really comes from the publisher who signed it. We also certify that the software has not been altered or corrupted.
- Is Comodo Code Signing the right product for my business?
A Comodo Code Signing Certificate is strongly recommended for any publisher intending to distribute code or content over the Internet or over corporate extranets. Customers are aware of the dangers involved and are far more trusting of a signed download.
A Comodo Code Signing certificate is an effective way to distribute authentic software over the Internet. It is a best-of-breed product that offers full protection, ease of use and flexible.
- What is Comodo Extended Validation Code Signing certificate?
Comodo issues EV Code Signing certificate after stringent vetting process of the publisher as per CA/Browser forum and Microsoft's specifications. EV CS certificates require the private key in the form of hardware token and the PIN number to be entered while signing your code.
The files signed with EV CS certificates are established with reputation from the certificate irrespective of prior reputation of the file or the publisher at the Microsoft SmartScreen Reputation filter - meaning no unnecessary warning messages are displayed when the user downloads and opens the application.
- How long can I use my code signing certificate?
Code signing certificates are valid for between one to three years depending on your purchase choice. Providing you take advantage of the time-stamping option, all code that you signed before certificate expiry will continue to be trusted even after the certificate has expired. However, if you want to sign new software after expiry, then you will need to renew your certificate.
- Time Stamping Server - Location and usage
In order to sign your code, you pass the code which you want to authenticate through a hashing algorithm and then use your private key to sign the hash, which results in a digital signature. You then build a signature block, which contains the digital signature and the code-signing certificate. Tools like Authenticode let you time stamp the signature block based on the current date and time that a time stamping service provider, such as Comodo, provides. Finally, you bind the time stamped signature block to the original software. Now you can publish the signed software on your Web site for download.
As part of this process you will need to know the URL of Comodo's time stamping server, which is https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server.
- Is timestamped code valid after a Code Signing Certificate expires?
Timestamping ensures that code will not expire when certificate expires. If your code is timestamped the digital signature is valid even though the certificate has expired. A new certificate is only necessary if you want to sign additional code. If you did not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.
- Which utility is used to verify whether the file has been timestamped?
Use the chktrust.exe utility included with the Authenticode SDK tools to verify whether the file has been timestamped. The date and time will be displayed when the file has been timestamped. "Unknown date and time" will appear when the file has NOT been timestamped.
- Do code signing certificates last longer than 1 year?
Yes. It is now possible to purchase 2 and 3 year code signing certificates.
- Do Comodo code signing certificates support Kernel-mode signing certificate in Windows?
Yes. Our certificates support kernel mode code signing on both 32 and 64 bit versions of Windows Vista and greater and Windows Server 2008 and greater.
- Is there a limit to the amount of applications allowed to be signed with a Code Signing Certificate?
Comodo does not limit you to any specific number. You can sign as many applications with a Code Signing Certificate as you wish, provided that the applications are going to be used for and distributed by the Organization that owns the certificate.
- What settings should be enabled to allow a user to receive the certificate pop-up?
- In order to receive the Certificate pop-up when the file is downloaded, you will need to enable a setting in Internet Explorer.
- The setting can be found under: Tools > Internet Options > Advanced > Scroll to the bottom of the list to 'Security'
- Make sure that the following option is checked: "Check for signatures on downloaded programs".
- What type of assurance a customer obtains when downloading software signed with Authenticode?
When customer downloads software signed with Authenticode they can be assured of:
- Content Source: The software really comes from the publisher who signed it.
- Content Integrity: The software has not been altered or corrupted since it was signed.
- What will happen if a user encounters an unsigned component distributed via the Internet?
If an end user of one of these applications encounters an unsigned component distributed via the Internet, the following will occur:
- If the application's security settings are set on "High," the client application will not permit the unsigned code to load.
- If the application's security settings are set on "Medium," the client application will display a warning like this screen:
- What will happen if a user encounters a signed component distributed via the Internet?
If a user encounters a signed applet or other code, the client application will display a screen like the following:
- How do I ensure that both I and my customers have the latest Microsoft roots in my certificate store?
For Windows 8, 8.1. Windows 7 and Windows XP, everything is Automatic, meaning well over 200 Million customers will automatically have access to all the latest certificates. For older versions of the Windows operating system it is highly recommended that the latest root update is installed.Good security policy dictates that your root certificate store should have the most current root certificate references from all trusted certification authorities, thereby providing the widest capability to recognize trusted content. Install latest Microsoft root certificate patch here: