Comodo Code Signing Certificates

What is Code Signing?

When customers buy software in a store, the source of that software is obvious.

Customers can tell who published the software, and they can verify that the software is still in its original shrink-wrap. These factors enable customers to make decisions about what software to purchase and how much to "trust" those products.

Customers who download digitally signed files (including .exe, .cab, .jar, and more) or drivers from your site can be confident that code really comes from you and hasn't been altered or corrupted since it was created and signed. Digital IDs serve as virtual "shrink-wrap" for your software: after you sign your code, if it is tampered with in any way, the digital signature will break and alert customers that the code has been altered and is not trustworthy.

The solution to these issues is Code Signing. Most platforms have their own Code Signing standard, for example Microsoft's Authenticode technology. Code Signing, through the use of digital signatures, enables software developers to include information about themselves and their code with their software.

When customers download software signed with a Code Signing Certificate issued by Comodo they can be assured of:

• Content Source: End users can confirm that the software really comes from the publisher who signed it.
• Content Integrity: End users can verify that the software has not been altered or corrupted since it was signed.

Users benefit from this software accountability because they know who published the software and that the code hasn't been tampered with. Developers and Web masters benefit from these Certificates because it builds trust in their names and makes it more difficult to falsify their products. By signing their code, developers build a trusted relationship with users, who learn they can download software signed by that publisher or Web site with confidence. And users can make educated decisions about what software they want to download, knowing who published the software and that it hasn't been tampered with.

Code Signing is widely used to protect software that is distributed over the Internet. Code signing does not alter your software; it simply appends a digital signature to the executable. Use digital signatures when you want to distribute software, and you want to assure recipients that it does indeed come from you. This digital signature provides enough information to authenticate the signer as well as to ensure that a code has not been subsequently modified. Code Signing Digital IDs (or certificates) allow content publishers including software developers to sign their content that includes software objects, macros, device drivers, firmware images, virus updates, configuration files or other types of content for secure delivery over the Internet.

Digital signatures are created using a public-key signature algorithm such as RSA. A public-key algorithm uses two different keys: the public key and the private key (called a key pair). The private key is known only to its owner (the developer, in this case), while the public key is available to anyone who needs it (and is included with the digital signature). Public-key algorithms are designed so that the two keys can be used together for secure signatures and encryption in a wide variety of technologies. In digital signatures, the private key generates the signature, and the corresponding public key validates it.

Who Needs a Code Signing Digital ID?

Any software publisher planning to distribute code or content over the Internet risks impersonation and tampering. Even code distributed through an intranet should be signed due to policies set by operating systems such as Windows and macOS. Modern systems prefer signed code as it helps them ensure the user's safety and makes it more difficult to distribute malware. Comodo Code Signing Digital IDs for Microsoft Authenticode protect against these hazards.

Comodo offers Digital IDs designed for commercial software developers, companies, and other organizations that publish software. This class of Digital ID provides assurance regarding an organization's identity and legitimacy, much like a business license, and is designed to represent the level of assurance provided today by physical retail channels for software.

Assurance and Authentication

Comodo Code Signing Certificates help create a sense of online confidence when users download your software by verifying the authenticity of your identity. With a Comodo Code Signing certificate you can sign code under your personal name (for independent developers) or a legally registered business name.

But, before you can display either your company name or individual name as the publisher, Comodo requires you to complete an industry standard validation process, which typically takes 1-3 business days.

For companies, Comodo will attempt to verify your registration details, address and telephone number. For individual developers, Comodo requires you to present a notarized form that validates government issued photo identification and complete a quick phone confirmation. To streamline the process, we'll provide you with an easy-to-read validation guide after purchase.

How does Authenticode work with Comodo Digital IDs?

Authenticode relies on industry standard cryptography techniques such as X.509 v3 certificates and PKCS #7 and #10 signature standards. These are well-proven cryptography protocols, which ensure a robust implementation of code signing technology.

Authenticode uses digital signature technology to assure users of the origin and integrity of software. In a digital signature, the private key generates the signature, and the corresponding public key validates it.

This Comodo Code Signing certificate provides the tools you need to sign executables using the Authenticode standard.

The Code Signing Process:

The process is outlined below

• Publisher obtains a Code Signing Digital ID from Comodo.
• Using the SIGNCODE.EXE utility, the publisher is able to create a digital signature and apply it to their executable
• The end user downloads or runs the executable.
• The end user's browser or operating system (depending on the scenario) examines the publisher's certificate and signature. Comodo's Root certificate, which is recognized and trusted by major platforms allows the platform to recognize the certificate and confirm the signature comes from a trusted Certificate Authority.
• The end user's software verifies the signature by comparing the signed data to a locally-computed hash. If they are identical, the platform knows that the executable file it has is identical – down to each bit – to the executable signed by the publisher. This provides cryptographic proof that there have been no malicious or accidental alternations to the code.

The entire process is seamless and transparent to end users, who see only a message that the content was signed by its publisher and verified by Comodo.

The Six Steps of Code Signing

These instructions provide an overview of obtaining and using Microsoft Authenticode and a Code Signing Digital ID from Comodo.

Step 1: Apply for a Code Signing ID for Authenticode from Comodo

In the process of applying for a Code Signing ID, your browser will generate a private key. You should store this private key securely and never distribute it over the internet. Ideally you keep the private key on a disk or other offline medium so it cannot be easily accessed should your computer be compromised or stolen. Please make a back-up copy of this private key, as you will need this key to sign code.

This key is never sent to Comodo, so if you lose this private key, you will be unable to sign code. If this key is lost, please contact us and we can help you re-issue the certificate for free. If the key is stolen, please get in touch immediately as this is a serious safety concern.

Step 2: Complete Verification and Download your Digital ID

Once you have completed the application process, Comodo will take a number of steps to verify your identity. For commercial publishers, Comodo does a considerable amount of background checking. As a result, it will take approximately 1-5 days to verify your information and issue a Digital ID.

At the end of this process, Comodo will send you an e-mail with instructions on how to download your Code Signing certificate.

Please note that you must use the same machine to apply for and obtain your Digital ID. You can then move the private key and Digital ID to sign files on any of your development machines.

Step 3: Prepare your Files to be Signed

If you are building any executable file (.exe, .ocx, .dll or other), you need not do anything special. For cab files, you need to add the following entry to your .ddf file before creating the cab file: Set ReservePerCabinetSize=6144.

Every platform (Authenticode, XCode, etc) has specific procedures and steps for signing your code. Consult with that platform's documentation.

Step 4. Sign your Files

You can now sign your file/executable. To sign with Authenticode, you will use the SIGNCODE.EXE utility included in the ActiveX SDK. You will also need your Digital ID file (generally called MyCredentials.spc) and the private key.

As part of this process you will need to include the URL of Comodo's Time Stamping server. Consult their documentation for specific instructions for your platform: http://timestamp.comodoca.com/

Step 5: Test Your Signature

The Microsoft SDK contains a utility called chktrust.exe. This may be used to check your signature before distributing your file.

To test a signed .exe, .dll or .ocx file, run chktrust filename

To test a signed cab file, run chktrust -c cabfilename.cab

If your code signing process was OK, this will bring up a digital certificate. Congratulations, you have just digitally signed your file. When this file is downloaded it will display the same certificate to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option of refusing installation.

Validation Required

Please note: This product requires you to complete Organization Verification, including Telephone Verification, as well as Identity Verification. You must submit a government-issued photo ID to Comodo for review. Additionally, your organization must be publicly listed on a third-party business directory site (Dun and Bradstreet, Yellow Pages, OpenCorporates, etc.) or you must be prepared to submit a Professional Opinion Letter to verify all required details. Comodo must be able to complete a telephone call with you to complete verification for your certificate. For more information, please review our Organization Validation for Code Signing Knowledgebase article.