VeriSign Code Signing Frequently Asked Questions
Got questions? Well, you've arrived at the right place. Check out the frequently asked questions below regarding VeriSign Code Signing Certificates. If you don't find the answer you're looking for, please give us a call at 888-818-0444!
- What is Verisign code signing and why do I need it?
- Which Verisign code signing certificate do I need?
- How does a Verisign code signing certificate work?
- How long does it take to purchase a Verisign code signing certificate?
- How long does a digital signature last?
- Can I install the Verisign code signing certificate on more than one PC?
- How does someone know they can trust my signature?
- How many Verisign code signing certificates do I need?
- What if I lose my private key or it becomes compromised?
- Do I need to sign all the files within the cab file or just the cab file?
- What Verisign code signing certificate should I use for Netscape Object Signing?
What is Verisign code signing and why do I need it?
Verisign Code Signing creates a digital "shrink-wrap" that shows customers the identity of the company responsible for the code and confirms that it has not been modified since the signature was applied. In traditional software sales, a buyer can confirm the source of the application and its integrity by examining the packaging. Increasingly, customers download applications online, install plug-ins and add-ins, and interact with sophisticated Web-based applications. They risk compromising their security and the functionality of existing systems if they download malicious or faulty code. VeriSign® Code Signing protects your brand and your intellectual property by making your applications identifiable and harder to falsify or damage with a digital signature.
Which Verisign code signing certificate do I need?
Code and content signing is based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content. Software platforms and applications use the matching public key to decrypt the signature during download and compare the hash that was signed against the hash of the downloaded application. Signed code from a trusted source may be automatically accepted, or a security warning may require the end user to view the signature information and decide whether or not to trust the code.
How does a Verisign code signing certificate work?
Code and content signing is based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content. Software platforms and applications use the matching public key to decrypt the signature during download and compare the hash that was signed against the hash of the downloaded application. Signed code from a trusted source may be automatically accepted, or a security warning may require the end user to view the signature information and decide whether or not to trust the code.
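The sign-then-verify flow described above, as an added example that is not VeriSign's or any platform's code. It uses textbook RSA over a SHA-256 hash with a constructed toy key (two publicly known Mersenne primes, no padding), so it illustrates the hash comparison only and is not a usable signature scheme; all names are assumptions made for the illustration.

```python
import hashlib

# Constructed toy key: both primes are publicly known Mersenne primes, so this
# key offers no security. Real code signing uses padded RSA or ECDSA keys.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (publisher only)


def code_hash(code: bytes) -> int:
    """SHA-256 of the code, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")


def sign(code: bytes) -> int:
    """Publisher side: transform the hash of the code with the private key."""
    return pow(code_hash(code), D, N)


def verify(code: bytes, signature: int) -> bool:
    """Platform side: recover the signed hash with the public key and compare
    it with a hash computed over the code that was actually downloaded."""
    recovered = pow(signature, E, N)
    return recovered == code_hash(code)


# Constructed sample input.
ORIGINAL = b"installer v1.0 bytes"
MODIFIED = b"installer v1.0 bytes, changed after signing"
SIGNATURE = sign(ORIGINAL)

if __name__ == "__main__":
    print("original verifies:", verify(ORIGINAL, SIGNATURE))
    print("modified verifies:", verify(MODIFIED, SIGNATURE))
```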
How long does it take to purchase a Verisign code signing certificate?
During the Verisign code signing enrollment process, VeriSign will collect information about you and your company for authentication. The validation process may take a few hours or several days, depending on the information you provide and how easily it can be verified. You have the option to pay by credit card, PayPal, check or wire transfer. We must receive payment before delivering your certificate; payment by credit card or PayPal speeds delivery. Review the Verisign Code Signing Certificate enrollment process:
- Microsoft® Authenticode® Enrollment
- Sun Java® Enrollment
- Microsoft® Office and VBA Enrollment
- Adobe® AIR® Enrollment
How long does a digital signature last?
Every Verisign Code Signing Certificate is purchased with a specific validity period. The digital certificate can be used to sign code as frequently as needed during that validity period. When the digital certificate expires, all digital signatures that depend on that digital certificate also expire unless the signature includes a time stamp. A time stamp shows when code was signed, allowing customers to verify that the code signing certificate was valid at the time of the digital signature.
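How the validity period and the time stamp interact, as an added example that is not VeriSign's or any platform's verification code. It is a simplified model: the class and function names, the status strings and the dates are all constructed for illustration, and revocation is treated as this page describes it, disabling every signature made with the certificate.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Certificate:
    not_before: datetime          # start of the purchased validity period
    not_after: datetime           # end of the purchased validity period
    revoked: bool = False


@dataclass
class Signature:
    cert: Certificate
    timestamp: Optional[datetime] = None   # trusted signing time, if present


def signature_status(sig: Signature, now: datetime) -> str:
    """Classify a signature as a verifier would at time `now`."""
    cert = sig.cert
    if cert.revoked:
        return "revoked"
    # With a time stamp the certificate is judged at signing time;
    # without one it can only be judged at verification time.
    reference = sig.timestamp if sig.timestamp is not None else now
    if reference < cert.not_before:
        return "not-yet-valid"
    if reference > cert.not_after:
        return "expired"
    return "valid"


# Constructed sample data: a one-year certificate, checked a year after expiry.
CERT = Certificate(datetime(2010, 1, 1), datetime(2011, 1, 1))
SIGNED_AT = datetime(2010, 6, 1)
CHECKED_AT = datetime(2012, 1, 1)

if __name__ == "__main__":
    print("with time stamp:   ", signature_status(Signature(CERT, SIGNED_AT), CHECKED_AT))
    print("without time stamp:", signature_status(Signature(CERT), CHECKED_AT))
```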
Can I install the Verisign code signing certificate on more than one PC?
You can use a Verisign Code Signing Certificate on any computer once it is retrieved. However, you must buy and retrieve your Code Signing Certificate from the same computer. If you have problems with retrieval, confirm that you are using the same computer, browser, and log-in profile used to enroll. VeriSign recommends that developers purchase additional Code Signing Certificates rather than sharing certificates for better security and management. If a certificate becomes compromised and must be revoked, then all applications signed by the single certificate will be disabled.
How does someone know they can trust my signature?
Simply signing your code ensures that it has not been tampered with and that it comes from you, but does not verify who you are. A third-party CA is more trusted than a self-signed certificate because the certificate requestor had to go through a vetting or authentication process. When software platforms and applications verify a digital signature, they access a "root" certificate to determine whether or not to trust the CA that issued the certificate. It is possible to self-sign your code, but then you have to make sure that anyone accessing the code has access to your root certificate or your self-signed application will remain unidentifiable. Because VeriSign root certificates come preinstalled on most devices and embedded in most applications, digital signatures from VeriSign are almost always trusted, reducing warnings and error messages.
How many Verisign code signing certificates do I need?
VeriSign recommends that developers purchase additional code signing certificates rather than sharing certificates for better security and management. If a certificate becomes compromised and must be revoked, then all applications signed by the single certificate will be disabled. For ease of use, VeriSign recommends buying a Code Signing Certificate for each developer platform. You could use a Code Signing Certificate for one platform to sign code for others. However, different platforms require the certificates in different formats. Using a certificate across platforms requires a conversion process using additional utilities.
What if I lose my private key or it becomes compromised?
If your private key is lost or compromised or if your information changes, you should revoke your Verisign Code Signing Certificate immediately and replace it with a new certificate.
Do I need to sign all the files within the cab file or just the cab file?
For Microsoft Windows® applications, developers only need to sign the .cab file using the appropriate Verisign Code Signing Certificate. For Windows Mobile® applications, all executables within the .cab file must be signed. The VeriSign® Flexible Signing Account automatically signs all of the contained executables when the .cab file is signed.
What Verisign code signing certificate should I use for Netscape Object Signing?
VeriSign no longer offers a Code Signing Certificate for Netscape because Netscape discontinued the signing tools and support for Netscape® 4.x browsers. To digitally sign files for Netscape Object Signing, purchase a VeriSign® Code Signing Certificate for Sun Java.

