What is code signing and why do I need it?
Which code signing certificate do I need?
Are code signing certificates available for individual developers?
How does a code signing certificate work?
How long does it take to purchase a code signing certificate?
How long does a digital signature last?
Can I install the code signing certificate on more than one PC?
How does someone know they can trust my signature?
How many code signing certificates do I need?
What if I lose my private key or it becomes compromised?
Do I need to sign all the files within the cab file or just the cab file?
What code signing certificate should I use for Netscape Object Signing?
What is code signing and why do I need it?
Code Signing creates a digital “shrink wrap” that shows customers the identity of the company responsible for the code and confirms that it has not been modified since the signature was applied. In traditional software sales, a buyer can confirm the source of the application and its integrity by examining the packaging. Increasingly, customers download applications online, install plug-ins and add-ins, and interact with sophisticated Web-based applications. They risk compromising their security and the functionality of existing systems if they download malicious or faulty code. VeriSign® Code Signing protects your brand and your intellectual property by making your applications identifiable and harder to falsify or damage with a digital signature.
Back to Top
Which code signing certificate do I need?
Different software platforms have different requirements and different tools for signing code. VeriSign supports more platforms than any other code signing service:
Microsoft® Authenticode®, Sun Java®, Microsoft® Office and VBA, Adobe® AIR®, and Macromedia® Shockwave®. Select the appropriate Code Signing Certificate for your development
platform: VeriSign® Code Signing Certificates.
Back to Top
Are code signing certificates available for individual developers?
Yes. Code signing certificates are available for individual developers who are not affiliated with an incorporated business. Select the appropriate
code signing certificate for your development platform, and you will have the option to choose a certificate for either organisational or individual use.
Back to Top
How does a code signing certificate work?
Code and content signing is based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content.
Software platforms and applications use a public key to decrypt the signature during download and compares the hash used to sign the application against the hash of
the downloaded application. Signed code from a trusted source may be automatically accepted or a security warning may require the end user to view the signature
information and decide whether or not to trust the code.
Back to Top
How long does it take to purchase a code signing certificate?
During the code signing enrolment process, Symantec will collect information about you or your company for authentication. The validation process may take a few
hours or several days, depending on the information you provide and how easily it can be verified. Because Symantec must receive payment before delivering your
certificate, payment by credit card speeds delivery.
Back to Top
How long does a digital signature last?
Every Code Signing Certificate is purchased with a specific validity period. The digital certificate can be used to sign code as frequently as needed during that validity period. When the digital certificate expires, all digital signatures that depend on that digital certificate also expire unless the signature includes a timestamp. A timestamp option shows when code was signed, allowing customers to verify that the code signing certificate was valid at the time of the digital signature.
Back to Top
Can I install the code signing certificate on more than one PC?
You can use a Code Signing Certificate on any computer once it is retrieved. However, you must buy and retrieve your Code Signing Certificate from the same computer.
If you have problems with retrieval, confirm that you are using the same computer, browser, and log-in profile used to enrol. VeriSign recommends that developers
purchase additional Code Signing Certificates rather than sharing certificates for better security and management. If a certificate becomes compromised and must be
revoked, then all applications signed by the single certificate will be disabled.
Back to Top
How does someone know they can trust my signature?
Simply signing your code ensures that it has not been tampered with and that it comes from you, but it does not verify who you are. A third-party CA is more trusted than a self-signed certificate because the certificate requestor had to go through a vetting or authentication process. When software platforms and applications verify a digital signature, they access a “root” certificate to determine whether or not to trust the CA that issued the certificate. It is possible to self sign your code, but then you have to make sure that anyone accessing the code has access to your root certificate or your self-signed application will remain unidentifiable. Because VeriSign root certificates come preinstalled on most devices and embedded in most applications, digital signatures from VeriSign are almost always trusted, reducing warnings and error messages.
Back to Top
How many code signing certificates do I need?
VeriSign recommends that developers purchase additional code signing certificates rather than sharing certificates for better security and management. If a
certificate becomes compromised and must be revoked then all applications signed by the single certificate will be disabled. For ease of use, VeriSign recommends
buying a Code Signing Certificate for each developer platform. You could use a Code Signing Certificate for one platform to sign code for others. However,
different platforms require the certificates in different formats. To use a certificate across platforms requires a conversion process using additional utilities.
Back to Top
What if I lose my private key or it becomes compromised?
If your private key is lost or compromised or if your information changes, you should revoke your code signing certificate immediately and replace it with a new certificate.
Back to Top
Do I need to sign all the files within the cab file or just the cab file?
For Microsoft Windows® applications, developers only need to sign the .cab file using the appropriate
Code Signing Certificate. For Windows Mobile® applications, all executables within the .cab file must be
signed. The VeriSign® Code Signing Portal automatically signs all of the contained executables when the cab file is signed.
Back to Top
What code signing certificate should I use for Netscape Object Signing?
VeriSign no longer offers a Code Signing Certificate for Netscape because Netscape discontinued the signing tools and support for Netscape® 4.x browsers. To
digitally sign files for Netscape Object Signing, purchase a
VeriSign® Code Signing Certificate for Sun Java.
Back to Top
Feedback