Comodo Code Signing, through the use of digital signatures, enables software developers
to include information about themselves and their code with their software. Your
end users who download digitally signed 32-bit or 64-bit Portable Executable
(.exe, .ocx, .dll or other) or .cab files can be confident that code
really comes from you and has not been altered or corrupted since it was created
What is Code Signing?
When customers buy software in a store, the source of that software is
obvious. Customers can tell who published the software, and they can see whether
the package has been opened. These factors enable customers to make decisions about
what software to purchase and how much to "trust" those products. Customers who
download digitally signed Active X controls, dynamic link libraries, .cab files
or HTML content from your site can be confident that code really comes from you
and hasn't been altered or corrupted since it was created and signed. Digital IDs
serve as virtual "shrinkwrap" for your software: after you sign your code, if it
is tampered with in any way, the digital signature will break and alert customers
that the code has been altered and is not trustworthy. The solution to these issues
is Microsoft's Authenticode technology coupled with Digital IDs from Comodo.
Code Signing, through the use of digital signatures, enables software
developers to include information about themselves and their code with their software.
When customers download software signed with a Code Signing Certificate issued by
Comodo Certificate Authority, they can be assured of:
- Content Source: End users can confirm that the software really
comes from the publisher who signed it.
- Content Integrity: End users can verify that the software has not
been altered or corrupted since it was signed.
Users benefit from this software accountability because they know who published
the software and that the code hasn't been tampered with. In the extreme case that
software performs unacceptable or malicious activity on their computers; users can
also pursue recourse against the publisher. This accountability and potential recourse
serve as a strong deterrent to the distribution of harmful code. Developers
and Web masters benefit from these Certificates because it builds trust
in their names and makes it more difficult to falsify their products. By signing
their code, developers build a trusted relationship with users, who learn they can
download software signed by that publisher or Web site with confidence. With
Code Signing Certificates, developers can create exciting Web pages
using signed ActiveXT controls, or other signed executables. And users can make
educated decisions about what software they want to download, knowing who published
the software and that it hasn't been tampered with.
Code signing is widely used to protect software that is distributed
over the Internet. Code signing does not alter it; it simply appends a digital signature
to the executable code itself. Use digital signatures when you want to distribute
data, and you want to assure recipients that it does indeed come from you. This
digital signature provides enough information to authenticate the signer as well
as to ensure that a code is not been subsequently modified. Code signing digital
IDs (or certificates) allow content publishers including software developers
to sign their content that includes software objects, macros, device drivers, firmware
images, virus updates, configuration files or other types of content for secure
delivery over the Internet.
Digital signatures are created using a public-key signature algorithm
such as the RSA public-key cipher. A public-key algorithm actually uses two different
keys: the public key and the private key (called a key pair). The private key is
known only to its owner, while the public key can be available to anyone. Public-key
algorithms are designed so that if one key is used for encryption, the other is
necessary for decryption. Furthermore, the decryption key cannot be reasonably calculated
from the encryption key. In digital signatures, the private key generates the
signature, and the corresponding public key validates it.
Who Needs a Code Signing Digital ID?
Any software publisher planning to distribute code or content over the Internet
or through an extranet risks impersonation and tampering. Comodo Code Signing
Digital IDs for Microsoft Authenticode protect against these hazards.
Comodo offers Digital IDs designed for commercial software developers:
companies and other organizations that publish software. This class of Digital ID
provides assurance regarding an organization's identity and legitimacy, much like
a business license, and is designed to represent the level of assurance provided
today by retail channels for software.
Features & Benefits of Code Signing Digital ID
- Customer Confidence
They protect and reassure your customers by assuring them that the integrity of
the code they download from your site is intact - that it has not been tampered
with or altered in transit.
After downloading, end users can be sure that the code they obtained really came
from you, helping you preserve your business reputation and intellectual property.
Digital ID's allow customers to identify the author of digitally signed code and
contact them should an issue or query arise.
- Seamless Integration with Industry-Standard Technology
Most browsers will not accept action commands from downloaded code unless the code
is signed by a certificate from a trusted Certificate Authority,such as Comodo.
- Ease of Use
Code signing certificates are easy to use in conjunction with the vendor software
tools that developers use to create products, macro's and objects.
How does Authenticode work with Comodo Digital IDs?
Authenticode relies on industry standard cryptography techniques such as X.509 v3
certificates and PKCS #7 and #10 signature standards. These are well-proven cryptography
protocols, which ensure a robust implementation of code signing technology. Authenticode
uses digital signature technology to assure users of the origin and integrity of
software. In a digital signature, the private key generates the signature, and the
corresponding public key validates it. To save time, the Authenticode protocols
use a cryptographic digest, which is a one-way hash of the document.