What is Code Signing and why do I need it?
How does a Code Signing Portal work?
What is the difference between a Publisher ID and a Content ID?
How many Publisher IDs do I need?
How many Content IDs or signing events do I need?
Do I need to sign all the files within the cab file or just the cab file?
How long does it take to sign code using a Code Signing Portal?
Why do I have to renew my Publisher ID/Administrator ID?
Is there a way to script the process of Code Signing with a Signing Portal?
How long does a digital signature last?
Can I access my Code Signing Portal on different computers?
How does someone know they can trust my digital signature?
What if I lose my USB token or Publisher ID or it becomes compromised?
What is Code Signing and why do I need it?
Code Signing creates a digital "shrink-wrap" that shows customers the identity of the company responsible for the code and confirms that it has not been modified since the signature
was applied. In traditional software sales, a buyer can confirm the source of the application and its integrity by examining the packaging. Increasingly, customers download applications
to their mobile phones, install plug-ins and add-ins, and interact with sophisticated Web-based applications. They risk compromising their own security and the functionality of mobile
networks if they download malicious or faulty code. Symantec Code Signing protects your brand and your intellectual property by making your applications identifiable and harder
to falsify or damage with a digital signature.
How does a Code Signing Portal work?
Code Signing certificates are based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content. Software platforms
and applications use the corresponding public key to verify the signature during download, comparing the hash that was signed with a hash computed over the downloaded application. Signed code
from a trusted source may be automatically accepted, or a security warning may require the end user to view the signature information and decide whether or not to trust the code.
With a Code Signing Certificate, the developer signs all code with the same certificate, which identifies the source of the code and shows that the code has not been tampered with since
signing. A Code Signing Portal uses a two-step signing process to create a unique digital signature each time code is signed, making each version of code released easier to track and
revoke. The developer uses a Publisher ID to sign code and log in to their Code Signing Portal. The developer then uploads their code to Symantec through the Symantec Code Signing Portal.
Symantec validates the publisher signature, then strips off the publisher’s digital signature and generates a new key pair, signs the content and sends it back to the publisher with the
newly generated Content ID.
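The two-step flow described above, modelled as an added example (not Symantec's code and not the Publisher API). Assumptions: Ed25519 stands in for whatever algorithm the portal uses, an in-memory map stands in for the certificate chain and revocation infrastructure, and all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Portal stands in for the signing service; issued[id] turns true on revocation.
type Portal struct {
	publishers map[string]ed25519.PublicKey
	issued     map[string]bool
}

// Signed is what the portal returns: the code plus its Content ID signature.
type Signed struct{ Code, Sig, ContentID []byte }

// NewPortal enrols one publisher; its private key stays inside the returned signer.
func NewPortal(name string) (*Portal, func([]byte) []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	p := &Portal{map[string]ed25519.PublicKey{name: pub}, map[string]bool{}}
	return p, func(m []byte) []byte { return ed25519.Sign(priv, m) }
}

// Sign verifies the publisher's signature, discards it, and signs the code
// with a key pair generated for this release only (the Content ID).
func (p *Portal) Sign(name string, code, pubSig []byte) (*Signed, error) {
	if key, ok := p.publishers[name]; !ok || !ed25519.Verify(key, code, pubSig) {
		return nil, fmt.Errorf("publisher signature rejected for %q", name)
	}
	pub, priv, _ := ed25519.GenerateKey(nil)
	p.issued[string(pub)] = false
	return &Signed{code, ed25519.Sign(priv, code), pub}, nil
}

// Revoke withdraws trust from one release without touching the others.
func (p *Portal) Revoke(id []byte) { p.issued[string(id)] = true }

// DeviceAccepts is the device-side check: issued, not revoked, signature valid.
func (p *Portal) DeviceAccepts(s *Signed) bool {
	revoked, known := p.issued[string(s.ContentID)]
	return known && !revoked && ed25519.Verify(s.ContentID, s.Code, s.Sig)
}

func main() {
	p, sign := NewPortal("example-publisher")
	code := []byte("constructed sample: app v1")
	r, err := p.Sign("example-publisher", code, sign(code))
	fmt.Println(err, p.DeviceAccepts(r))
}
```

Because every release carries its own key, revoking one Content ID leaves other releases from the same publisher verifiable.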
What is the difference between a Publisher ID and a Content ID?
A Publisher ID is the digital certificate you receive when you enrol for a Signing Portal. It contains your organisational information and is used to digitally sign your code or content
before you upload it to your Signing Portal. It is also used for authentication when logging into the Signing Portal. Content ID is the unique Code Signing Certificate created by Symantec
when your content is signed in the Signing Portal. It is the only signature that will be trusted on the end-user device for secure downloading and execution. To sign code using a Signing
Portal, you need to purchase a Publisher ID and a bundle of Content IDs or "signing events".
How many Publisher IDs do I need?
Every account for a Code Signing Portal comes with one Publisher ID (also called an Administrator Certificate). An administrator may log in to the Code Signing Portal and purchase
additional Publisher IDs for different development groups within the organisation. By using a single account with multiple Publisher IDs, the organisation has one portal to view and
track all Code Signing events, and each group has a unique identity that can be revoked or modified for better security.
How many Content IDs or signing events do I need?
A Content ID is consumed each time an application or code is signed. Content IDs are sold through the Code Signing Portal in bundles of signing events. You will need a signing event for
each application that you sign, including different versions. If you have a Windows Mobile® application which consists of 1 cab file containing 1 exe and 1 dll file, signing your
application generates 3 signatures - 1 each for the dll, exe, and the cab file – but only 1 signing event is consumed.
Do I need to sign all the files within the cab file or just the cab file?
All executables within the .cab file must be signed. A Symantec Code Signing Portal automatically signs all of the contained executables when the .cab file is uploaded to be signed.
How long does it take to sign code using a Code Signing Portal?
Symantec automatically signs approved applications. Code Signing may take a few minutes or several days, depending on the type of signing services you use and the device platform or
mobile network requirements. For applications that access secure APIs, a network provider or vendor may require testing. The developer signs the application and sends it to the testing house,
which then uploads it to the Code Signing Portal. Symantec notifies the network provider or vendor that the application is ready to be signed. When the network provider or vendor approves the
application, Symantec completes the signing process. Developers can track the status of their application within the Code Signing Portal. For more information about testing and approval
requirements, please contact your network provider or vendor directly.
Why do I have to renew my Publisher ID/Administrator ID?
Publisher IDs and Administrator IDs expire after 12 months. Symantec uses a proven, robust process to authenticate and verify organisations prior to issuing Class 3 certificates such
as Code Signing. The annual renewal process ensures that the Publisher ID is used by a legitimate organisation and the contact is authorised to develop for that organisation. This
is a necessary process prior to issuing Code Signing Certificates including Publisher IDs to you.
Is there a way to script the process of Code Signing with a Code Signing Portal?
Symantec offers a Publisher API for customers with Symantec Code Signing Portal. Sign in to your account and click Resource Center and then Product Documentation. Download the zip file
"Signing Portal Publisher API" for information and examples of scripting.
How long does a digital signature last?
Symantec Code Signing Portal signs code with 10-year digital signatures. Even if the Publisher ID expires, the unique Content ID and digital signature retain their validity.
Can I access my Code Signing Portal on different computers?
You can access your Code Signing Portal on any computer using a USB token containing your Publisher ID as long as that computer meets the minimum system requirements. However, you must
buy and retrieve your Publisher ID from the same computer. If you have problems with retrieval, confirm that you are using the same computer, browser, and log-in profile used to enrol.
Symantec recommends that developers purchase additional Publisher IDs rather than sharing certificates for better security and management.
How does someone know they can trust my digital signature?
Simply signing your code ensures that it has not been tampered with and that it comes from you, but does not verify who you are. A third-party CA is more trusted than a self-signed
certificate because the certificate requestor had to go through a vetting or authentication process. When software platforms and applications verify a digital signature, they access
a "root" certificate to determine whether or not to trust the CA that issued the certificate. Because Symantec root certificates come preinstalled on most devices and embedded in
most applications, digital signatures from Symantec are almost always trusted, reducing warnings and error messages.
What if I lose my USB token or Publisher ID or it becomes compromised?
A USB token with a Publisher ID or a token password cannot be replaced if it is lost or stolen because you do not want anyone to find it and use it to sign code in your name. If your
private key is lost or compromised or if your information changes, you should revoke your Publisher ID immediately and replace it with a new digital certificate.