What does Authenticode mean?

Authenticode is a code signing technology by Microsoft currently used to sign .exe files (PE files), .cab files, .ocx files, and .class files. In particular, if you are distributing active content such as ActiveX controls for use with such Microsoft end user applications as Internet Explorer, Exchange, Outlook, or Outlook Express, you will want to sign code using Authenticode.

What is Digital ID / Digital Certificate?

A Digital ID, also known as a Digital Certificate, is a form of electronic credential for the Internet. A digital certificate is issued by a trusted third party to establish the identity of the ID holder. The third party that issues certificates is known as a Certification Authority (CA). Digital certificate technology is based on public key cryptography. In public key cryptography systems, every entity has two complementary keys, a public key and a private key, which function only when they are used together. The purpose of a Digital ID is to reliably link a public/private key pair with its owner. When a CA issues Digital IDs, it verifies that the owner is not claiming a false identity.

What about time stamping?

Since key pairs are based on mathematical relationships that can be cracked given enough time and effort, it is a well-established security principle that a digital certificate should expire. Your Digital ID will expire one year after it is issued. However, most software is intended to have a lifetime longer than one year. To avoid having to re-sign software every time your certificate expires, companies have introduced time stamping services. When you sign code, a hash of your code is sent to the Certification Authority to be time stamped. Once your software has been time stamped, you will not need to worry about re-signing code when your Digital ID expires. Microsoft Authenticode allows you to time stamp your signed code so that signatures will not expire when your certificate does.

Time Stamping Server - Location and usage

In order to sign your code,

1. Pass the code which you want to authenticate through a hashing algorithm
2. Use your private key to sign the hash resulting in a Digital Signature
3. Build a signature block that contains the digital signature and the code-signing certificate
4. Tools such as Microsoft Authenticode let you time stamp the signature block with the current date and time supplied by a time stamping service provider such as Comodo
5. Finally, bind the time stamped signature block to the original software. Now you can publish the signed software on your Web site for download.

As part of this process you will need to know the URL of Comodo's time stamping server, which is located at http://timestamp.comodoca.com/authenticode.
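The signing and time stamping steps above, carried out with the built-in PowerShell Authenticode cmdlets, as an added example that is not part of the original FAQ. It assumes a code-signing certificate with its private key is already in the current user's personal store and that .\setup.exe is the file to sign; the time stamp URL is the one given above.

```powershell
# Added example (not from the Comodo FAQ): sign a file with Authenticode, request a
# Comodo time stamp, then verify that the signature is valid and actually carries a
# time stamp countersignature. Assumptions: a code-signing certificate with its
# private key sits in Cert:\CurrentUser\My, and .\setup.exe is the file to sign.
$FileToSign   = '.\setup.exe'
$TimeStampUrl = 'http://timestamp.comodoca.com/authenticode'   # URL from the FAQ

# Steps 2-3: pick a code-signing certificate whose private key we hold and that
# has not yet expired.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No usable code-signing certificate found in Cert:\CurrentUser\My' }

# Steps 1-5: hash the file, sign the hash, build the signature block, have the
# time stamping server countersign it, and bind the result to the file.
$result = Set-AuthenticodeSignature -FilePath $FileToSign -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimeStampUrl
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# Test the signature: re-read it from the file rather than trusting the return value.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
[pscustomobject]@{
    Status      = $sig.Status                       # expect 'Valid'
    Signer      = $sig.SignerCertificate.Subject
    CertExpires = $sig.SignerCertificate.NotAfter
    TimeStamped = [bool]$sig.TimeStamperCertificate
    TimeStamper = $sig.TimeStamperCertificate.Subject
}

# Without a time stamp countersignature the signature is only as long-lived as the
# certificate itself; flag that so the file is re-signed before the certificate expires.
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "No time stamp on $FileToSign; signature stops validating after $($sig.SignerCertificate.NotAfter)"
}
```

A signed file that shows `TimeStamped = False` will start failing verification as soon as the signing certificate expires, which is exactly the situation the time stamping service is meant to prevent.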

What will happen if a user encounters an unsigned component distributed via the Internet?

If an end user of one of these applications encounters an unsigned component distributed via the Internet, the following will occur:

  • If the application's security settings are set to "High," the client application will not permit the unsigned code to load.
  • If the application's security settings are set to "Medium," the client application will display a warning like this screen:

[Screenshot: Code Signing Error 1]

What will happen if a user encounters a signed component distributed via the Internet?

If a user encounters a signed applet or other code, the client application will display a screen like the following:

[Screenshot: Code Signing Error 2]

Who issues digital certificates to applicants?

Certification Authorities are organizations that issue digital certificates to applicants whose identity they are willing to certify. Each certificate is linked to the certificate of the CA that signed it.

What are the responsibilities of a Certificate Authority?

As a leading Digital Certificate Authority, Comodo has the following responsibilities:

  • Publishing the criteria for granting, revoking, and managing certificates
  • Granting certificates to applicants who meet the published criteria
  • Managing certificates (for example, enrolling, renewing, and revoking them)
  • Storing Comodo's root keys in an exceptionally secure manner
  • Verifying evidence submitted by applicants
  • Providing tools for enrollment
  • Accepting the liability associated with these responsibilities
  • Time stamping a digital signature

Explain the six-step process of signing code?

  • Make sure that you are running the correct versions of all tools
  • Apply for a Code Signing ID for Authenticode from Comodo
  • Pick up your Digital ID
  • Prepare your files to be signed
  • Sign your files
  • Test your signature

How do I ensure that both I and my customers have the latest Microsoft roots in my certificate store?

On Windows XP, everything is automatic, meaning well over 200 million customers automatically have access to all the latest certificates. For older versions of the Windows operating system it is highly recommended that the latest root update is installed. Good security policy dictates that your root certificate store should have the most current root certificate references from all trusted certification authorities, thereby providing the widest capability to recognize trusted content. Install the latest Microsoft root certificate patch here:
Root Update

We want our signed files to be time stamped. Could you please provide me with the URL of the time stamping server?

The Comodo timestamping server can be found at: http://timestamp.comodoca.com/authenticode