The process is outlined below:
- Publisher obtains a Code Signing Digital ID from Comodo.
- Publisher creates code.
- Using the SIGNCODE.EXE utility, the publisher:
  - Creates a hash of the code, using an algorithm such as MD5 or SHA,
  - Encrypts the hash using his/her private key,
  - Creates a package containing the code, the encrypted hash, and the publisher's certificate.
- The end user encounters the package.
- The end user's Microsoft browser examines the publisher's Digital ID. Using the Comodo root Public Key, which is already embedded in Authenticode-enabled applications, the end user's browser verifies the authenticity of the Code Signing Digital ID (which is itself signed by the Comodo root Private Key).
- Using the publisher's public key contained within the publisher's Digital ID, the end user's browser decrypts the signed hash.
- The end user's browser runs the code through the same hashing algorithm as the publisher, creating a new hash.
- The end user's browser compares the two hashes. If they are identical, the browser reports that the content has been verified by Comodo, and the end user has confidence that the code was signed by the publisher identified in the Digital ID and that the code hasn't been altered since it was signed.
The entire process is seamless and transparent to end users, who see only a message that the content was signed by its publisher and verified by Comodo.
Step 1: Make Sure that You Are Running the Correct Versions of All Tools
These include:
- Internet Explorer 4.0 or later
- Internet Client SDK
Step 2: Apply for a Code Signing ID for Authenticode from Comodo
In the process of applying for a Code Signing ID, your browser will generate a private key. You should store this private key (called MyPrivateKey.pvk) on a floppy disk, which is kept in a safe deposit box or other secure location. Please make a back-up copy of this private key, as you will need it to sign code. This key is never sent to Comodo, so if you lose it, you will be unable to sign code. If this key is lost or stolen, please contact Comodo immediately.
Step 3: Pick up your Digital ID
Once you have completed the application process, Comodo will take a number of steps to verify your identity. For commercial publishers, Comodo does a considerable amount of background checking. As a result, it will take approximately 3-5 days to verify your information and issue a Digital ID.
At the end of this process, Comodo will send you an e-mail containing a PIN (Personal Identification Number). Follow the instructions in this e-mail to pick up your Digital ID. Save your Digital ID as a file (e.g. MyCredentials.spc).
Please note that you must use the same machine to apply for and obtain your Digital ID. You can then use the private key and Digital ID to sign files on a different machine.
Step 4: Prepare your Files to be Signed
If you are building any PE file (.exe, .ocx, .dll or other), you need not do anything special. For cab files, you need to add the following entry to your .ddf file before creating the cab file:
    Set ReservePerCabinetSize=6144
Step 5: Sign your Files
You can now sign your .exe, .cab, .ocx, or .dll file. To sign, you will use the SIGNCODE.EXE utility included in the ActiveX SDK. You will also need your Digital ID file (generally called MyCredentials.spc) and the diskette containing your private key (MyPrivateKey.pvk).
As part of this process you will need to know the URL of Comodo's time stamping server, which is:
    http://timestamp.comodoca.com/authenticode
Step 6: Test Your Signature
The Microsoft SDK contains a utility called chktrust.exe. It may be used to check your signature before distributing your file.
To test a signed .exe, .dll or .ocx file, run:
    chktrust filename
To test a signed cab file, run:
    chktrust -c cabfilename.cab
If your signing process was OK, this will bring up a certificate. Congratulations, you have just digitally signed your file. When this file is downloaded from a Web site by Internet Explorer, it will display the same certificate to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option of refusing installation.
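The sign-and-verify process outlined at the top of this page, and the tamper check that Step 6 relies on, modelled as an added example in Go using only the standard library. This is not SIGNCODE.EXE, chktrust.exe or Comodo's code, and it does not produce Authenticode's real PKCS#7 format: the "Constructed Root" stands in for the Comodo root, the "Constructed Publisher" certificate for the Code Signing Digital ID, SHA-256 is used for the hash, and the sample code bytes are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
type Package struct{ Code, Signature, CertDER []byte } // what SIGNCODE.EXE assembles: code, signed hash, publisher's Digital ID (DER)
// Sign hashes the code (SHA-256 here) and signs the hash with the publisher's private key (the MyPrivateKey.pvk role).
func Sign(code []byte, key *rsa.PrivateKey, certDER []byte) (Package, error) {
	h := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return Package{code, sig, certDER}, err
}
// Verify replays the browser's checks: the Digital ID must chain to a trusted root and be valid for code signing, then a fresh hash of the code must equal the signed hash.
func Verify(p Package, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(p.CertDER)
	if err != nil {
		return err
	}
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return err // untrusted issuer, expired, or not a code-signing certificate
	}
	h := sha256.Sum256(p.Code) // same hashing step the publisher ran
	return rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], p.Signature)
}
// Demo stands up a constructed root (the Comodo root role), issues the publisher's Digital ID from it, signs constructed sample code, then verifies the package before and after tampering.
func Demo() (intact, tampered error) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	pubKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root"}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Publisher"}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	rootDER, _ := x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey) // self-signed root
	rootCert, _ := x509.ParseCertificate(rootDER)
	roots := x509.NewCertPool() // the root public key "already embedded" in the verifier
	roots.AddCert(rootCert)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, rootCert, &pubKey.PublicKey, rootKey) // Digital ID signed by the root
	pkg, _ := Sign([]byte("MZ constructed sample executable bytes"), pubKey, leafDER)
	intact = Verify(pkg, roots)
	pkg.Code[0] ^= 1 // one bit of the code changed after signing, as a tampered download would be
	tampered = Verify(pkg, roots)
	return intact, tampered
}
func main() { a, b := Demo(); fmt.Println("intact:", a, "| tampered:", b) }
```

Running it prints a nil error for the untouched package and a verification error for the altered copy, which is the condition under which the browser warns the user.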
Microsoft and Comodo are committed to making the Internet a secure and viable platform for commerce and the distribution of content. With Authenticode and Comodo's Code Signing Digital IDs, your code will be as safe and trustworthy to your customers as it would be if you shrink-wrapped it and sold it off a store shelf.