Code Signing - Technical FAQs
What does Authenticode mean?
Authenticode is Microsoft's code signing technology. It is currently used to sign 32-bit .exe files (PE files), .cab files, .ocx files, and .class files. In particular, if you distribute active content such as ActiveX controls for use with Microsoft end user applications such as Internet Explorer, Exchange, Outlook, or Outlook Express, you will want to sign that code using Authenticode.
What is a Digital ID?
A Digital ID, also known as a digital certificate, is a form of electronic credential for the Internet. A Digital ID is issued by a trusted third party to establish the identity of the ID holder. The third party that issues certificates is known as a Certification Authority (CA). Digital ID technology is based on public key cryptography. In a public key cryptography system, every entity has two complementary keys, a public key and a private key, which work only as a pair: what the private key signs, only the matching public key can verify. The purpose of a Digital ID is to reliably link a public/private key pair with its owner. When a CA issues a Digital ID, it verifies that the owner is not claiming a false identity.
What about time stamping?
Since key pairs are based on mathematical relationships that can be broken given enough time and effort, it is a well-established security principle that digital certificates should expire. Your Digital ID will expire one year after it is issued. However, most software is intended to have a lifetime longer than one year. To avoid having to re-sign software every time your certificate expires, a time stamping service is introduced. Now, when you sign code, a hash of your code is sent to the Certification Authority to be time stamped. The time stamp records that the signature was made while your certificate was still valid, so a verifier judges the certificate as of that recorded time rather than as of the current date. This means that you will not need to worry about re-signing code when your Digital ID expires. Microsoft Authenticode allows you to time stamp your signed code so that signatures will not expire when your certificate does. Note that a time stamp does not rescue a signature if the certificate is later revoked with an effective date earlier than the signing time.
Time Stamping Server - Location and usage
In order to sign your code, you pass the code you want to authenticate through a hashing algorithm and then use your private key to sign the hash, which produces a digital signature. You then build a signature block containing the digital signature and the code signing certificate. Tools like Authenticode let you time stamp the signature block with the current date and time supplied by a time stamping service provider such as Comodo. Finally, you bind the time stamped signature block to the original software. Now you can publish the signed software on your Web site for download.
As part of this process, you will need to know the URL of Comodo's time stamping server, which is http://timestamp.comodoca.com/authenticode.
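The hash, sign, time stamp and verify flow described in the two answers above, as an added example in Go that is not part of Comodo's FAQ or of any Microsoft tool. It builds a constructed root CA and a one-year publisher certificate with Go's standard-library x509 package, signs a constructed stand-in for a program's bytes, stands in for the time stamping service by recording the signing time, and then shows why a time-stamped signature still verifies two years later while an unstamped one is rejected once the certificate has expired, and that altered code is rejected either way. The certificate names, dates, and program bytes are all constructed; the SignatureBlock type is a simplified model rather than the real Authenticode/PKCS#7 encoding, and the time stamping authority's own countersignature over the time is omitted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignatureBlock is a simplified model of the block the FAQ describes (not the real
// Authenticode/PKCS#7 encoding): signature over the code hash, signer certificate,
// and the time a time stamping service saw the signature (zero if never stamped).
type SignatureBlock struct {
	Signature []byte
	Cert      *x509.Certificate
	Timestamp time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a code-signing certificate valid for `years` from notBefore; a
// CertSign key usage makes it a CA, and parent == nil makes it self-signed (a root).
func makeCert(cn string, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey,
	notBefore time.Time, years int, ku x509.KeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(years, 0, 0), KeyUsage: ku,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// signCode is the publisher's step: hash the code, sign the digest with the private
// key, and package signature plus certificate into a block.
func signCode(code []byte, key *rsa.PrivateKey, cert *x509.Certificate) *SignatureBlock {
	digest := sha256.Sum256(code)
	sig := must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]))
	return &SignatureBlock{Signature: sig, Cert: cert}
}

// timeStamp stands in for the time stamping service: it records when it saw the
// signature. A real service countersigns that time with its own key; omitted here.
func timeStamp(block *SignatureBlock, now time.Time) { block.Timestamp = now }

// verify recomputes the hash, checks the signature, then validates the certificate
// chain as of the time stamp if present, otherwise as of `now`. Judging the chain at
// the stamped time is what lets a signature outlive the certificate's one-year life.
func verify(code []byte, block *SignatureBlock, roots *x509.CertPool, now time.Time) error {
	digest := sha256.Sum256(code)
	pub := block.Cert.PublicKey.(*rsa.PublicKey) // every constructed certificate here is RSA
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], block.Signature); err != nil {
		return fmt.Errorf("hash does not match signature (code altered or wrong key): %w", err)
	}
	checkTime := now
	if !block.Timestamp.IsZero() {
		checkTime = block.Timestamp
	}
	_, err := block.Cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: checkTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err // nil, or an expiry / chain error from the x509 package
}

// RunScenario builds a constructed CA and a one-year publisher certificate, signs
// constructed program bytes, and reports: unstamped signature checked while the
// certificate is valid, unstamped and stamped signatures checked after it expired,
// and whether altered code is rejected.
func RunScenario() (atSigning, laterNoStamp, laterStamped, tamperDetected bool) {
	issued := time.Date(2009, 1, 1, 0, 0, 0, 0, time.UTC)
	signTime := issued.AddDate(0, 6, 0)  // six months into the certificate's life
	laterTime := issued.AddDate(2, 0, 0) // two years on: the certificate has expired
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := makeCert("Constructed Code Signing Root", caKey, nil, nil, issued, 10,
		x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign)
	pubKey := must(rsa.GenerateKey(rand.Reader, 2048))
	pubCert := makeCert("Constructed Publisher", pubKey, caCert, caKey, issued, 1,
		x509.KeyUsageDigitalSignature)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	code := []byte("constructed stand-in for the bytes of a PE file")
	unstamped := signCode(code, pubKey, pubCert)
	stamped := signCode(code, pubKey, pubCert)
	timeStamp(stamped, signTime)
	tampered := append([]byte("X"), code[1:]...) // same length, first byte altered
	return verify(code, unstamped, roots, signTime) == nil,
		verify(code, unstamped, roots, laterTime) == nil,
		verify(code, stamped, roots, laterTime) == nil,
		verify(tampered, stamped, roots, laterTime) != nil
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints `true false true true`: the unstamped signature is good while the certificate is valid and bad after it expires, the stamped one is still good after expiry because the chain is evaluated at the stamped time, and modified code fails the hash comparison before any certificate question arises. A real Authenticode verifier additionally validates the time stamping authority's countersignature and certificate chain, and checks revocation, before trusting the recorded time.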
What will happen if an end user encounters an unsigned component distributed via the Internet?
If an end user of one of these applications encounters an unsigned component distributed via the Internet, the following will occur:
- If the application's security settings are set to "High," the client application will not permit the unsigned code to load.
- If the application's security settings are set on "Medium," the client application will display a warning like this screen:
What will happen if an end user encounters a signed component distributed via the Internet?
If a user encounters a signed applet or other code, the client application will display a screen like the following:
Who issues the digital certificates to applicants?
Certification Authorities are organizations that issue digital certificates to applicants whose identity they are willing to vouch for. Each certificate is linked to the certificate of the CA that signed it.
What are the responsibilities of this Certification Authority?
As the Internet's leading Certification Authority, Comodo has the following responsibilities:
- Publishing the criteria for granting, revoking, and managing certificates.
- Granting certificates to applicants who meet the published criteria.
- Managing certificates (for example, enrolling, renewing, and revoking them).
- Storing Comodo's root keys in an exceptionally secure manner.
- Verifying evidence submitted by applicants.
- Providing tools for enrollment.
- Accepting the liability associated with these responsibilities.
- Time stamping digital signatures.
What is the six-step process for signing code?
- Make sure that you are running the correct versions of all tools
- Apply for a Code Signing ID for Authenticode from Comodo
- Pick up your Digital ID
- Prepare your Files to be Signed
- Sign your files
- Test your signature
How do I ensure that both I and my customers have the latest Microsoft roots in my certificate store?
For Windows XP and Vista, everything is automatic, meaning well over 200 million customers will automatically have access to all the latest certificates. For older versions of the Windows operating system, it is highly recommended that the latest root update be installed. Good security policy dictates that your root certificate store should hold the most current root certificates from all trusted certification authorities, thereby providing the widest capability to recognize trusted content. Install the latest Microsoft root certificate patch (link on the original page).
We want our signed files to be time stamped. Could you please provide the URL of the time stamping server?
The Comodo time stamping server can be found at: http://timestamp.comodoca.com/authenticode