Popular Questions about Code Signing Certificates
Q: What are Code Signing certificates used for?
A: Code Signing certificates are recommended for all publishers distributing code or content on the Internet or in corporate networks. Clients understand the risks of downloading files online and therefore trust signed files to a much greater degree than unsigned ones. On seeing the publisher's signature, the client understands that the file is authentic and does not contain malware. The publisher's signature is a reliable way to protect the application from third-party interference.
Q: What documents are required to order a Code Signing certificate?
A: Standard Code Signing certificates are available for individual entrepreneurs and legal entities.
In the case of Sectigo (Comodo) you will need:
- a link to a government database with your company registration;
- contact details: name, email, phone, title;
- a scan of a government-issued photo ID (passport, driver's licence, etc.) to verify the requestor (admin contact) on the order;
- a selfie with the same government-issued photo ID (passport or driver's licence), showing both the photo and the name;
- for verification of the phone number: a link to an online directory entry for your company (kompass.com or a DUNS number). This profile should contain the company name, address and telephone number.
These are mandatory Sectigo requirements; more details:
https://sectigo.com/knowledge-base/detail/OV-Code-Signing-Validation-for-Organizations-and-Individuals/kA01N000000brb0
In the case of Digicert you will need:
- a link to a government database with your company registration;
- contact details: name, email, phone, title;
- for verification of the phone number: company registration at dnb.com (DUNS) or a state registration record that includes a phone number.
In the case of Certum you will need:
- the organization's registration document;
- authorization/power of attorney, signed in accordance with the manner of representation specified in the registration document (required only if the individual applying for the certificate is not authorized to represent the organization independently);
- a utility invoice (required for EV only): an invoice for utilities issued in the organization's name that confirms the current address of the company's headquarters (e.g. an invoice for gas, electricity, water, landline telephone or fixed Internet, or an office space rental or lease agreement).
LeaderTelecom doesn’t issue Code Signing certificates to individuals.
The Code Signing EV certificate is available only to legal entities. The requirements for issuing it are the same, but the verification is more thorough (state sources are checked).
Q: How to sign a code using a Code Signing certificate?
A: To sign code, you first run it through a hashing algorithm, then sign the resulting hash with your private key; the result is the digital signature. You then create a signature block that contains the digital signature and the Code Signing certificate. Tools such as Authenticode let you add a timestamp to the signature block based on the current date and time. Finally, you bind the timestamped signature block to the software. The signed program can now be published on your website for download.
A timestamp is required so that the validity of the signed code does not end with the validity period of the Code Signing certificate. If your code carries a timestamp, the digital signature remains valid even after the certificate expires. A new certificate is required only if you want to sign additional code. If you did not add a timestamp when signing the application, you will need to re-sign the code and send it to your customers.
Q: How to use your certificate after purchasing it?
A: It depends on the type of certificate. You can find the instructions here
Q: What happens if the Code Signing certificate expires?
A: Code Signing certificates are issued for a period of one to three years. Once a Code Signing certificate has expired, you can no longer create new signatures. All existing signatures remain valid for the timestamp they carry.
In the case of Microsoft Authenticode, the use of timestamps means the code won’t expire when the certificate expires.
If time stamps are not used, then when the certificate expires you will need to re-sign the code and send it to your customers.
It is worth remembering that some certificates do not support the creation of timestamps (for example, certificates for Netscape Object Signing and Sun Java).
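As an added illustration (not LeaderSSL's code or any vendor tool's), the hash-sign-timestamp-verify flow from the signing answer above and the expiry behaviour described in this answer, in Go. It assumes Ed25519 in place of the RSA signatures Authenticode uses and a plain struct in place of the X.509 certificate, modelling only the fields a verifier consults; the timestamp is taken as trusted rather than fetched from a timestamp authority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"time"
)

// PublisherCert stands in for the X.509 certificate fields a verifier consults (constructed, not real PKI data).
type PublisherCert struct {
	PublicKey           ed25519.PublicKey
	NotBefore, NotAfter time.Time
	CodeSigningEKU      bool // extKeyUsage contains id-kp-codeSigning
}

// SignatureBlock is what gets bound to the file: signature over the code hash, signer certificate, optional timestamp.
type SignatureBlock struct {
	Sig       []byte
	Cert      PublisherCert
	Timestamp time.Time // zero value means "not timestamped"
}

// Sign hashes the code with SHA-256, signs the hash with the publisher's private
// key and stores ts as the timestamp (pass time.Time{} to sign without one).
func Sign(code []byte, key ed25519.PrivateKey, cert PublisherCert, ts time.Time) *SignatureBlock {
	h := sha256.Sum256(code)
	return &SignatureBlock{Sig: ed25519.Sign(key, h[:]), Cert: cert, Timestamp: ts}
}

// Verify re-hashes the code and checks the signature and EKU, then checks certificate
// validity at the timestamp if present, otherwise at now: a timestamped signature outlives expiry.
func Verify(code []byte, b *SignatureBlock, now time.Time) error {
	h := sha256.Sum256(code)
	if !ed25519.Verify(b.Cert.PublicKey, h[:], b.Sig) {
		return errors.New("signature does not match code: modified or wrong key")
	}
	if !b.Cert.CodeSigningEKU {
		return errors.New("certificate is not authorized for code signing")
	}
	at := now // without a timestamp, validity is judged at verification time
	if !b.Timestamp.IsZero() {
		at = b.Timestamp // with one, validity is judged at the time of signing
	}
	if at.Before(b.Cert.NotBefore) || at.After(b.Cert.NotAfter) {
		return errors.New("certificate was not valid at the time of signing")
	}
	return nil
}
```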
Q: What is the difference between code signing and document signing? Can I sign PDF files with ordinary Code Signing certificates?
A: Most often, Code Signing certificates have an extKeyUsage extension with the Code Signing value, and sometimes also Commercial Code Signing. They do not carry values that would allow other uses.
RFC 5280 says of the Extended Key Usage extension that "if the extension is specified, then the certificate should be used only to achieve one of the relevant objectives."
Using a Code Signing certificate to sign a document that is not code is therefore a direct violation of the X.509 Public Key Infrastructure Certificates specification.
For this reason, there is a high probability that Adobe Reader will reject PDF signatures generated with a code signing certificate. Even if such certificates cause no problems today, there is no guarantee that this will not change with future versions of Adobe Reader. This is why many certificate resellers distinguish between certificates for code signing and certificates for signing documents (in particular, for signing PDFs). Prices for PDF signing certificates are often several times higher.
Q: Are there any differences between code signing certificates for Java, Adobe AIR, Authenticode, VBS?
A: As follows from the RFC 5280 specification, any Code Signing certificate can be used to sign Java code, AIR code, Authenticode, VBS, etc. From a technical point of view, therefore, there are no differences between code signing certificates.
However, some certification authorities may impose restrictions on the scope of use of their code signing certificates.
Q: How to sign the Visual Studio .msi installation files? After I sign .msi, all .exe files included in the installation package lose their signatures. What should be done to ensure that the signatures of these files remain during the installation of the package on the client's computer?
A: Visual Studio creates two folders at compile time: obj and bin. Output files are usually copied from the obj folder to the bin folder, so if you sign the files in bin, they are later overwritten by the unsigned copies from obj. The solution is to sign the .exe files in the obj folder; their signatures are then preserved.
Q: Are there any restrictions on the number of applications that can be signed using a Code Signing certificate?
A: No. You can sign as many applications as you need with the Code Signing certificate, provided that the application is distributed by the organisation for which the certificate was issued.
Q: Can I sign drivers (Kernel-mode) using a Code Signing certificate?
A: No. Since May 2021, kernel-mode driver signing for Windows 8 and 10 with these certificates is no longer supported. Source: Deprecation of Software Publisher Certificates.
Q: How to bypass the Smart Screen when installing a signed application on Windows® 8/10/11?
A: You must use an EV Code Signing certificate. Programs signed with an EV Code Signing certificate are trusted immediately, even if the publisher or file has no reputation yet. Reputation can only be built for Authenticode certificates issued by a certification authority that is a member of the Windows® Root Certificate Program.
You can order the following EV certificates from us:
Certum EV Code Signing in the Cloud
Sectigo(Comodo) EV Code Signing
Q: Is reputation in SmartScreen possible using standard Code Signing certificate?
A: Yes, it is possible, but it requires around 3000 downloads of the application (approximate figure).
Q: Can I sign Mac software using your Code Signing products?
A: No; please see https://developer.apple.com/support/code-signing/
Q: PFX files are no longer available for Code Signing certificates. What are the other options?
A: Starting 06/01/2023, PFX files are no longer available for Code Signing certificates.
Modern standards require that the private keys for code signing certificates be generated and stored in secure environments.
This typically means using hardware devices such as HSMs, smart cards, or secure USB tokens.
Generating private keys on these devices ensures that the key cannot be extracted or exported, which is why certificates can no longer be delivered in PFX format.
Sectigo now offers their certificates on USB tokens:
https://www.leaderssl.com/suppliers/comodo/products/code_signing
https://www.leaderssl.com/suppliers/comodo/products/code_signing_ev
As an alternative, we now offer certificates from Certum:
https://www.leaderssl.com/suppliers/certum/products/code_signing_ev
https://www.leaderssl.com/suppliers/certum/products/code_signing
These are referred to as 'in the Cloud' certificates.
You sign with a dedicated desktop application together with signtool.
Q: Using a Code Signing certificate on a token, and virtualization
A: Sectigo (formerly Comodo) OV/EV Code Signing certificates issued on a USB token follow a "one device – one token" security model. This means the certificate is designed to be used only on the machine where the USB token is physically connected. The token itself holds the private key and must be inserted to perform a code signing operation.
However, in scenarios such as vacation or absence, the token can be temporarily moved to another developer's machine and used there, as long as the token is physically present and the appropriate drivers/software are installed on the second machine. The certificate and key are not exportable from the token, which maintains compliance with EV security standards.
Regarding virtualization:
If you need to sign applications from different locations, we recommend dedicating a computer specifically to the token. Plug the token into this machine and let your developers access it remotely using tools such as VNC Viewer, TeamViewer or AnyDesk. Please note that Remote Desktop Protocol (RDP) does not work with the token.