How Does EV Code Signing Work?
Extended Validation Code Signing adds a layer of security to the signing process
EV Code Signing has some extra verification steps to provide the highest level of assurance to your users. But how does it work? Let’s walk through the process from validation to signing.
Extended Validation
You purchase and order your EV Code Signing certificate just like any other code signing certificate, but the validation is a bit more intensive. Not unlike with EV SSL, Comodo is going to put you through a rigorous vetting process to ensure that you are a legally registered entity operating in good faith. If that all sounds like a lot, it isn't. Any company or organization with up-to-date registration information will cruise through validation.
Friendly Tip: Need help with validation? We've got you covered. Our SSL experts are available 24/7 to help you navigate the validation process.
An Added Layer of Security
All Code Signing certificate private keys are physically mailed to you on an external hardware token, which adds another layer of security to protect against unauthorized access. A compromised private key can be used to sign malicious software, which would crater your reputation across all browsers. Storing your private key on the external hardware token prevents anyone from illegally accessing it on your network.
Walk Me Through the Signing Process
Hashing
After your software is created, you hash it. This hash lets users know whether or not the software has been tampered with. If the download doesn't produce the correct hash value, the browsers know it has been compromised.
Signing
Now it's time to insert your external hardware token and use your private key to digitally sign and timestamp your software. This lets the browsers know who published the software and whether to trust it or not.
Download
After the software is hashed, signed and timestamped, it can be posted for download. Whenever a customer tries to download it, their browser will know who published it, whether to trust it and if it's been tampered with.
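The hash, sign and verify steps above, as an added example that is not from the original page: it signs constructed sample bytes and shows verification failing for a modified download and for a different key. Assumptions: an in-memory ECDSA P-256 key stands in for the key on the hardware token, the function names are hypothetical, and certificate chain validation and timestamping are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignRelease is the publisher side: hash the release, then sign the hash.
// Assumption: priv is an in-memory stand-in for the key held on the token.
func SignRelease(priv *ecdsa.PrivateKey, release []byte) ([]byte, error) {
	digest := sha256.Sum256(release)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyRelease is the client side: re-hash the downloaded bytes and check
// the signature against the publisher's public key.
func VerifyRelease(pub *ecdsa.PublicKey, downloaded, sig []byte) bool {
	digest := sha256.Sum256(downloaded)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs constructed sample bytes and reports whether verification
// passes for the intact file, a one-bit-modified file, and a different key.
func Demo() (intact, tampered, wrongKey bool, err error) {
	publisher, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	release := []byte("constructed sample installer bytes v1.0")
	sig, err := SignRelease(publisher, release)
	if err != nil {
		return
	}
	modified := append([]byte{}, release...)
	modified[0] ^= 0x01 // simulate tampering after signing
	intact = VerifyRelease(&publisher.PublicKey, release, sig)
	tampered = VerifyRelease(&publisher.PublicKey, modified, sig)
	wrongKey = VerifyRelease(&other.PublicKey, release, sig)
	return
}

func main() { fmt.Println(Demo()) }
```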