Code Signing Certificate FAQ

Questions:

What is code signing and why do I need it?
Which code signing certificate do I need?
How does a code signing certificate work?
How long does it take to purchase a code signing certificate?
How long does a digital signature last?
Can I install the code signing certificate on more than one PC?
How does someone know they can trust my signature?
How many code signing certificates do I need?
What if I lose my private key or it becomes compromised?
Do I need to sign all the files within the cab file or just the cab file?
What code signing certificate should I use for Netscape Object Signing?

Answers:

What is code signing and why do I need it?
Code Signing creates a digital “shrink-wrap” that shows customers the identity of the company responsible for the code and confirms that it has not been modified since the signature was applied. In traditional software sales, a buyer can confirm the source of the application and its integrity by examining the packaging. Increasingly, customers download applications online, install plug-ins and add-ins, and interact with sophisticated Web-based applications. They risk compromising their security and the functionality of existing systems if they download malicious or faulty code. VeriSign® Code Signing protects your brand and your intellectual property by making your applications identifiable and harder to falsify or damage with a digital signature.

Back to Top

Which code signing certificate do I need?
Different software platforms have different requirements and different tools for signing code. VeriSign supports more platforms than any other code signing service: Microsoft® Authenticode®, Sun Java®, Microsoft® Office and VBA, Adobe® AIR®, and Macromedia® Shockwave®. Select the appropriate Code Signing Certificate for your development platform: VeriSign® Code Signing Certificates.

Back to Top

How does a code signing certificate work?
Code and content signing is based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content. Software platforms and applications use a public key to decrypt the signature during download and compares the hash used to sign the application against the hash of the downloaded application. Signed code from a trusted source may be automatically accepted or a security warning may require the end user to view the signature information and decide whether or not to trust the code.

Back to Top

How long does it take to purchase a code signing certificate?
During the code signing enrollment process, VeriSign will collect information about you and your company for authentication. The validation process may take a few hours or several days, depending on the information you provide and how easily it can be verified. You have the option to pay by credit card, purchase order, check or wire transfer. Because VeriSign must receive payment before delivering your certificate, payment by credit card speeds delivery. Review the Code Signing Certificate enrollment process:
Microsoft® Authenticode® Enrollment
Sun Java® Enrollment
Microsoft® Office and VBA Enrollment
Adobe® AIR® Enrollment
Macromedia® Shockwave® Enrollment

Back to Top

How long does a digital signature last?
Every Code Signing Certificate is purchased with a specific validity period. The digital certificate can be used to sign code as frequently as needed during that validity period. When the digital certificate expires, all digital signatures that depend on that digital certificate expire also unless the signature includes a time stamp. A timestamp option shows when code was signed, allowing customers to verify that the code signing certificate was valid at the time of the digital signature.

Back to Top

Can I install the code signing certificate on more than one PC?
You can use a Code Signing Certificate on any computer once it is retrieved. However, you must buy and retrieve your Code Signing Certificate from the same computer. If you have problems with retrieval, confirm that you are using the same computer, browser, and log-in profile used to enroll. VeriSign recommends that developers purchase additional Code Signing Certificates rather than sharing certificates for better security and management. If a certificate becomes compromised and must be revoked, then all applications signed by the single certificate will be disabled.

Back to Top

How does someone know they can trust my signature?
Simply signing your code ensures that it has not been tampered with and that it comes from you, but does not verify who you are. A third-party CA is more trusted than a self-signed certificate because the certificate requestor had to go through a vetting or authentication process. When software platforms and applications verify a digital signature, they access a “root” certificate to determine whether or not to trust the CA that issued the certificate. It is possible to self-sign your code, but then you have to make sure that anyone accessing the code has access to your root certificate or your self-signed application will remain unidentifiable. Because VeriSign root certificates come preinstalled on most devices and embedded in most applications, digital signatures from VeriSign are almost always trusted, reducing warnings and error messages.

Back to Top

How many code signing certificates do I need?
VeriSign recommends that developers purchase additional code signing certificates rather than sharing certificates for better security and management. If a certificate becomes compromised and must be revoked then all applications signed by the single certificate will be disabled. For ease of use, VeriSign recommends buying a Code Signing Certificate for each developer platform. You could use a Code Signing Certificate for one platform to sign code for others. However, different platforms require the certificates in different formats. To use a certificate across platforms requires a conversion process using additional utilities.

Back to Top

What if I lose my private key or it becomes compromised?
If your private key is lost or compromised or if your information changes, you should revoke your Code Signing Certificate immediately and replace it with a new certificate.

Back to Top

Do I need to sign all the files within the cab file or just the cab file?
For Microsoft Windows® applications, developers only need to sign the .cab file using the appropriate Code Signing Certificate. For Windows Mobile® applications, all executables within the .cab file must be signed. The VeriSign® Flexible Signing Account automatically signs all of the contained executables when the .cab file is signed.

Back to Top

What code signing certificate should I use for Netscape Object Signing?
VeriSign no longer offers a Code Signing Certificate for Netscape because Netscape discontinued the signing tools and support for Netscape® 4.x browsers. To digitally sign files for Netscape Object Signing, purchase a VeriSign® Code Signing Certificate for Sun Java.

Back to Top