VeriSign Code Signing

Digital Shrink Wrap to Protect Your Brand VeriSign® Code Signing Certificates provide a virtual "shrink wrap" for secure delivery of content over the Internet. When customers download software signed with Authenticode® Technology and verified by VeriSign, they can be assured of the content source and the content integrity. Code Signing adds a level of trust to your applications and makes them harder to falsify or damage, protecting your brand and your intellectual property.

Increase Customer Confidence with Fewer Security Warnings When Internet Explorer, Exchange, Outlook®, or other Microsoft programs encounter unsigned executables, a security warning disrupts the user or content simply fails to load. To prevent disruption, publishers who use ActiveX® controls, plug-ins and other executables should sign their code using Authenticode Technology and a VeriSign Code Signing Certificate for Microsoft Authenticode.

Make the Most of Your Verisign Code Signing Investment With VeriSign Code Signing Certificates, developers select a platform, a validity period and install the certificate on their desktop or a portable device such as a USB drive. A timestamp option shows when code was signed, allowing customers to verify that the code signing certificate was valid at the time of the digital signature. VeriSign is a trusted provider of digital certificates for Microsoft Windows® Logo programs.

Verisign Is The Leader in Online Trust and Security VeriSign supports more platforms than any other code signing provider with the most reliable infrastructure and the most trusted security brand on the Internet (Tec-Ed Whitepaper, PDF, Oct. 2007). Because VeriSign root certificates come preinstalled on most end users' devices and embedded in most applications, the digital signature authentication and verification process is seamless and transparent to most end users.

A Code Signing Certificate generates a digital signature that provides authentication of the code source and assurance of code integrity. Increasingly, operating systems, software applications, devices, and mobile networks require a digital signature to ensure that the code will not harm or interrupt services.

How Verisign Code Signing Certificates Work

With a VeriSign® Code Signing Certificate, the developer signs all code with the same digital signature using public key cryptography.

1. A developer or software publisher uses a Code Signing Certificate to add a digital signature to code or content using a unique private key.
2. The content is uploaded to a Web site or mobile network or otherwise made available for download.
3. When a user downloads or encounters the code, the user's system software or application uses a public key to decrypt the signature.
4. By comparing the hash used to sign the application against the hash on the downloaded application, the system determines whether to warn the end user, not allow the download, or allow the download without interruption (depending on the platform, application, and client security settings).

Different software platforms have different requirements and different tools for signing code.
VeriSign offers Code Signing Certificates for:

• Microsoft® Authenticode®
• Sun Java®
• Microsoft® Office and VBA
• Adobe® AIR®

Root Certificates: Why Your CA Matters

When software decrypts the digital signature, it looks for a "root" certificate, the source of the identity information. A self-signed digital certificate means that you own your own root certificate and are vouching for your own identity, kind of like using a homemade photo ID. In most cases, your root certificate will not be available to third party software and devices, and a warning message will appear.

When you enroll for a digital certificate from a Certificate Authority (CA), the CA authenticates your identity and provides a certificate that is chained to its root certificate. If the software or device trusts the provider of your root certificate (CA), it trusts you.

VeriSign is the most trusted security brand on the Internet (Tec-Ed Whitepaper, PDF, Oct. 2007) and we support more development platforms than any other code signing provider. VeriSign uses a robust and time-tested authentication and validation process, recognized worldwide. Before issuing a digital certificate with your full organizational name and your public key, VeriSign validates the existence of the organization with third party sources and your authority to request a certificate on the organization's behalf.

Verisign Certificate Center allows you to buy, renew, and manage all your certificates with a single sign-in:

• Select certificate options and a validity period.
• Enter required contact information.
• Enter certificate information (choose the default if you are not sure), create a backup and follow instructions.
• Enter organization and billing information.
• Create a Verisign Certificate Center account or sign in to an existing account.
• Pick up your certificate in Verisign Certificate Center after Verisign completes authentication.

NOTE: You must buy and retrieve your Verisign code signing certificate from the same computer. Problems? Confirm that you are using the same computer, browser, and log-in profile used to enroll.

Your Verisign code signing certificate contains your full organizational name and your public key. It can be used to digitally sign code and content during the certificate validity period.