Knowledgebase : Comodo Certification Authority > Certificates > Code Signing

The private key for a Comodo Code signing certificate is generated by the browser during certificate enrollment. When the submit button is pressed, a key pair of the selected size is generated. The PRIVATE KEY is encrypted and stored in the LOCAL KEY DATABASE. COMODO recommends using INTERNET EXPLORER 8+ on Windows and FIREFOX on Mac for certificate enrollment as it is both easy to apply and convenient for the user. To apply for a Code signing certificate, visit the URL below: https://ww...
The process to follow is: 1. Convert the *.pvk into a *.pfx file using the pvk2pfx tool. This should be in your Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin directory. 2. In Visual Studio 2005, go to Project->Properties->Signing tab. Check Sign the assembly or both depending. Click on the 'Choose the Strong Name Key' combo and select 'Browse'. In the 'File Dialog' choose the *.pfx file you've created in step 1. Click for more information on VSS and code signing from Mi...
When customers buy software in a store, the source of that software is obvious. Customers can tell who published the software, and they can see whether the package has been opened. These factors enable customers to make decisions about what software to purchase and how much to "trust" those products. Customers who download digitally signed Active X controls, dynamic link libraries, .cab files or HTML content from your site can be confident that code really comes from you and hasn't been alte...
Any software publisher planning to distribute code or content over the Internet or through an extranet risks impersonation and tampering. Comodo Code Signing Digital IDs for Microsoft Authenticode protect against these hazards. Comodo offers Code Signing Digital IDs designed for commercial software developers (companies and other organizations that publish software). This class of Digital ID provides assurance regarding an organization's identity and legitimacy, much like a business licen...
Authenticode relies on industry standard cryptography techniques such as X.509 v3 certificates and PKCS #7 and #10 signature standards. These are well-proven cryptography protocols, which ensure a robust implementation of code signing technology. Authenticode uses digital signature technology to assure users of the origin and integrity of software. In digital signatures, the private key generates the signature, and the corresponding public key validates it. To save time, the Authenticode pro...
Customer Confidence Code Signing Digital ID protects (reassures) your customers by assuring them that the integrity of the code they download from your site is intact - that it has not been tampered with or altered in transit. Authenticity After downloading, end users can be sure that the code they obtained really came from you, helping you preserve your business reputation and intellectual property. Digital IDs allow customers to identify the author of digitally signed code and contact th...
Please remember that you must use Internet Explorer (IE) when signing a file. The following types of files can be signed using Authenticode and a Code Signing certificate. *.exe *.cab *.ocx *.dll The Code Signing Certificate is currently for use with Authenticode only Update March 2007: .jar files can also now be signed (again only with Authenticode), however you will need the latest version of java installed so that you have the required roots to allow the certificate to be trus...
Authenticode is currently used to sign 32-bit .exe files (PE files), .cab files, .ocx files, and .class files. In particular, if you are distributing active content such as ActiveX controls for use with such Microsoft end user applications as Internet Explorer, Exchange, Outlook, or Outlook Express, you will want to sign code using Authenticode.
A Digital ID also known as a digital certificate is a form of electronic credentials for the Internet. A Digital ID is issued by a trusted third party to establish the identity of the ID holder. The third party who issues certificates is known as a Certification Authority (CA). Digital ID technology is based on the theory of public key cryptography. In public key cryptography systems, every entity has two complementary keys, a public key and private key, which function only when they ar...
Since key pairs are based on mathematical relationships that can be cracked with a great deal of time and effort, it is a well-established security principle that digital certificates should expire. Your Digital ID will expire on its expiry date. However, most software is intended to have a lifetime of longer than one year. To avoid having to re-sign software every time your certificate expires, a timestamping service is introduced. Now, when you sign code, a hash of your code will be s...
In order to sign your code, you pass the code which you want to authenticate through a hashing algorithm and then use your private key to sign the hash, which results in a digital signature. You then build a signature block, which contains the digital signature and the code-signing certificate. Tools like Microsoft's SignTool [https://msdn.microsoft.com/aa387764.aspx] let you time stamp the signature block based on the current date and time that a time stamping service provider, such as Comodo...
The following process describes how to backup certificates 1. Start Internet Explorer, select Tools, Internet Options, Content, Certificates 2. On the Personal Certificates tab, select the certificate to export and Select Export 3. When requested, select 'Yes, export the private key' NOTE: the default is set to No, so will need changing 4. And 'Include all certificates in the certification path, if possible' 5. Type a password which you can remember later ...
Sorry, an error has occurred Close this window This error is usually displayed if you are not using Internet Explorer to sign up for a Code Signing Certificate. Since July 2007, the other browsers that can be used to sign up for a Code Signing Certificate are Opera and Mozilla.
How do I determine the name of the digital certificate to be used to sign the script? I have a *large* number of scripts and exe's that need to be signed. The following script, from the Microsoft TechNet web site, signs all scripts in a given folder. The script requires use of the SignFile method, specifying both the file name of the script to be signed and the name of the digital certificate to be used to sign the script. Microsoft Scripting Guide WSH 5.6 includes the Scripting.S...
Visual Basic for Applications (VBA) code will require you to import the Private Key. To do this you will need a Microsoft tool called pvkimprt.exe The download for this tool can be found at: http://office.microsoft.com/downloads/2000/pvkimprt.aspx
Signing Microsoft Office 2K & XP VBA Macros with a Comodo Code-Signing Certificate. Must have these: * Microsoft's tool to import PVK files: Download the PVK import tool from Microsoft (pvkimprt.exe) * Your code signing certificate from Comodo (as PVK and SPC files). If you do not have these files. Follow these directions here Preparation: Click to obtain your Code Signing Certificate from Comodo Procedure: 1. Install pvkimport you downloaded from Microsoft. Remember t...
Signing Open Office 2.0 Macros with a Comodo Code-Signing Certificate. This document details the process needed to sign Microsoft Office 2000 & XP VBA macros with a Comodo Code-Signing certificate including a worked example. All web links are provided for illustration purposes only, and are correct at time of publishing. It is recommended that the user checks for any updates that may become available since the publishing of this document. Pre-requisites: * Microsoft's tool to import PV...
I see this error message when collecting a code signing certificate: Certificate installation was unsuccesfull! Error: -2146885628 Your certificate appears to be already installed Solution: The Code signing certificate can only be installed on the same machine from where you applied. Do not install the code signing certificate on a different machine unless the private key has been backed up successfully. The private key will be stored in the default directory C:\mykey.pvk.
A known bug in Microsoft Internet Explorer 4.01 causes this error. To resolve this, either upgrade the browser being used or install Service Pack 2 for Microsoft Internet Explorer 4.01 on the machine. The error is a Microsoft error and is not related to the certificate in any way.
Error: 000004c0 The format of the specified password is invalid Answer: Ensure that the password being entered is the one which was entered during the enrollment process, and remember that passwords are case sensitive so ensure that Caps lock is not enabled. 1. Make sure that the files are imported on the original machine the certificate was requested from. 2. Install the latest version of signcode on the machine you are using the certificate on The PVK/SPC file must be converted...
Assembly Signing Using Visual Studio Project Designer's Problem : The .pfx file cannot include certificate chaining information. (If the .pfx file does include this information, the following import error will occur: "Cannot find the certificate and private key for decryption.") Resolution : The most common problem arises when using a .pfx file that contains chaining information. You can remove chaining information from the key file by running the Certificate Manager snap-in (Certmgr...
HOW TO CONVERT PFX/P12 FILE TO SPC/PVK FORMAT EXPORT CERTIFICATE WITH PRIVATE KEY. Use the export wizard with the following options: * Export Private Key (YES) * DO NOT TICK INCLUDE ALL CERTIFICATES IN THE CERTIFICATION PATH IF POSSIBLE * TICK ENABLE STRONG PROTECTION * DO NOT TICK DELETE PRIVATE KEY PREREQUISITE: OpenSSL 0.9.8 or better. OpenSSL 1.x preferred. NOTE: If you are running Windows you may download OpenSSL here [http://www.shininglightpro.com/products/Win32OpenSSL....
Can InstallShield be set to automatically sign the project? We recommend that you consult the software's help system or help manual for details relating to their product. However, we are aware that InstallShield 11 can be set to automatically sign the project by setting up the 'Digital Signature' option under 'Build', 'Release Wizard'. The 'Digital Signature' options are a number of steps through the wizard, but the screen will look like this: For details of what to set in each field...
A pdf How-To for this process can be downloaded: https://support.comodo.com/uploaded/UsingComodoAuthenticodeCertificateforJava.pdf
From looking at the error there are two resolutions that can be recommended. The first relates to the error message that you are receiving: http://support.microsoft.com/default.aspx?scid=kb;en-us;246183 The above thread from Microsoft explains the cause and discusses what can possibly be done to resolve it. Once this has been followed and the modifications made, reapplying for the certificate should resolve the error. The second method for resolving this is slightly simpler and more o...
If you have successfully installed your certificate and wish to make a backup with the private key, Windows will not allow it if you do not have full admin rights. You must give yourself access to the MachineKeys folder: Open Microsoft Windows Explorer. Locate the "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder (assuming you have a clean install). There are several files located in this folder. Each file in this fo...
Changing from AT_KEYEXCHANGE (1) to AT_SIGNATURE (2) Using CertUtil from Windows Server 2003 SP1 or later you can force KeySpec to match your wishes/needs when importing a PFX (aka PKCS#12) file. The steps to follow are: Using the "Certificates" MMC, export the existing keyset (KeySpec=1) to a PFX file. Note: Please back up this file to a safe location and test if the file can be imported ok on another machine before moving on to the next step. Delete the existing certificate from the ...
Prerequisites (Must haves) * Microsoft's tool to import PVK files (For Windows 2000/XP Only!) * Your code signing certificate from Comodo (as PVK and SPC files). Install pvkimport you downloaded from Microsoft. Note: Remember the paths to where you installed it (c:\codesign\) Copy your certificate/key (mycert.spc & mykey.pvk) files to the directory where you installed 'pvkimport' Open a command-prompt and change to the folder where you installed 'pvkimport'. (c:\codesign\) Combin...
There are several tools that are required to package and sign Java code, including keytool, jar and jarsigner. Beginning with JDK 5.0, jarsigner can generate signatures that include a time stamp, allowing validation that the JAR file was signed while the code signing certificate was still valid. OPTION 1 – REQUEST A NEW CODE SIGNING CERTIFICATE 1. Download the JDK, if necessary * http://java.sun.com/javase/downloads/index.jsp 2. Purchase a Code Signing Certificate from Comodo. * Create...
QUESTION: I have digitally signed my files with my Authenticode Signing Certificate (Code Signing) [http://www.instantssl.com/code-signing/code-signing.html], yet my IE9 users see a message containing: "This file is not commonly downloaded and could harm your computer." What can I do? ANSWER: Your software needs to build up a reputation within the Windows community. The more that download and run your file, the better. We also STRONGLY advise you to ALWAYS serve your downl...
Question: When I try to verify I signed my code correctly, SignTool reports the following error: SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Answer: This is because of the "verify" command you may have run: signtool verify myfile.exe. If you run this command, signtool will use the Windows Driver Verification Policy. In order for your file to "verify" properly you need to inclu...
As of late August 2013, all valid (not expired, not revoked) Comodo Code Signing Certificates can be used for Kernel-Mode Code Signing!!! (For Windows Vista and greater) * Download the Comodo cross-signed CA that matches your Code Signing certificate's Root CA. * Open an elevated Windows command prompt (cmd) and run SIGNTOOL.EXE: signtool.exe sign /v /ac "CROSS_SIGNED_COMODO_CA_HERE" /f YOUR_PFX_HERE /tr http://timestamp.comodoca.com/rfc3161 "PATH_TO_FILE_TO_SIGN" NOTE: For most custome...
CERTIFICATE: (openssl x509) Data: Version: 3 (0x2) Serial Number: 2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af Signature Algorithm: sha384WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority Validity Not Before: May 9 00:00:00 2013 GMT Not After : May 8 23:59:59 2028 GMT Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA Subject Public Key Info: Public Key Algo...
                                   CODE SIGNING (SHA-2) ROOT LEVEL: AddTrustExternalCARoot.crt TEXT PEM Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root Validity Not Before: May 30 10:48:38 2000 GMT Not After : May 30 10:48:38 2020 GMT Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External ...
INSTRUCTIONS FOR INSTALLING YOUR COMODO CODE SIGNING CERTIFICATE After purchasing a standard code signing certificate, COMODO validates your information and sends you an email that contains a link to install your code signing certificate. *SUN JAVA NOTE: If your certificate was keyed for the Sun Java Platform, your code signing certificate installation process is different than the one described on this page. Please see Java Code Signing Certificate Set Up and Usage Guide [https://support.com...
SETTING UP AND USING YOUR ORACLE JAVA CODE SIGNING CERTIFICATE In Java, the process for setting up your COMODO Code Signing Certificate consists of creating a Java keystore and a Certificate Signing Request (CSR) and then, installing your COMODO generated code signing certificate file to the Keystore file from where the CSR was generated. * If you have already set up your code signing certificate and are ready to sign your Java .jar files, see the Signing Java .jar Files with Jarsigner ins...
HOW TO VERIFY YOUR CODE SIGNING CERTIFICATE IS INSTALLED After generating your code signing certificate, we recommend that you take a second to verify that your certificate is installed in the browser's Certificate Store. Internet Explorer Chrome Firefox INTERNET EXPLORER: VERIFYING YOUR CLIENT CERTIFICATE IS INSTALLED * In Internet Explorer, go to INTERNET OPTIONS. * In the INTERNET OPTIONS window, on the CONTENT tab, click CERTIFICATES. * In the CERTIFICATES window, on the...
HOW TO VERIFY YOUR CODE SIGNING CERTIFICATE IS INSTALLED After generating your Code Signing Certificate, we recommend that you take a second to verify that your certificate is installed in the keychain or in the browser's Certificate Store. Safari and Chrome Removing the "_This certificate was signed by an unknown authority"_ Warning Message Firefox SAFARI AND CHROME: VERIFYING YOUR CODE SIGNING CERTIFICATE IS INSTALLED If you used Safari or Chrome to install your Code Signing Certificat...
HOW TO EXPORT YOUR CODE SIGNING CERTIFICATE After installing your code signing certificate, you may need to export the certificate for use on a different computer, for signing code, etc. Safari and Chrome Firefox SAFARI AND CHROME: EXPORTING YOUR CODE SIGNING CERTIFICATE AS A P12 FILE If you used Safari or Chrome to install your Code Signing Certificate, the certificate should be located in the login keychain. * Open KEYCHAIN ACCESS. In the FINDER window, under FAVORITES, click APP...
HOW TO EXPORT YOUR CODE SIGNING CERTIFICATE After installing your code signing certificate, you may need to export the certificate for use on a different computer, for signing code, etc. Internet Explorer Chrome Firefox INTERNET EXPLORER: EXPORTING YOUR CODE SIGNING CERTIFICATE AS A PFX FILE * In Internet Explorer, go to INTERNET OPTIONS. * In the INTERNET OPTIONS window, on the CONTENT tab, click CERTIFICATES. * In the CERTIFICATES window, on the PERSONAL tab, select your c...
ISSUE: Profile Manager does not show a code signing certificate when asked to sign configuration profiles. Please try to import the intermediate certificate files manually on the IOS device through the following URLs: * Intermediate 1:https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority [https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certific...
There are several methods of signing with Visual Studio, depending on exactly what you want to do. For signing the compiled EXE, a post-build step is the easiest route: In order to get a signature automatically applied to your EXE (or DLL) when you compile/build, you need to call a signing utility like SignTool.exe as a post-build step. Microsoft has a good tutorial on that, view it here: http://msdn.microsoft.com/en-us/library/ms180786%28VS.80%29.aspx NOTE: If you want strong name signi...
Code Signing for Windows Windows Software Development Kit (SDK) contains headers, libraries, and tools you can use when you create apps that run on Windows operating systems. To download the Windows Software Development Kit (SDK) click here [https://www.microsoft.com/en-us/download/details.aspx?id=8279]. IMPORTANT SIGNTOOL OPTIONS: * /AC  -  Specify an Additional Certificate. * /A  -  Automatically selects the best certificate to sign the file from your Windows Certificate Store. ...
Code Signing End User Guide Version 5.7
CODE SIGNING CERTIFICATES - SHA1 AND SHA-256 INFORMATION IF YOUR USERS ARE GETTING AN ERROR MESSAGE THAT READS "THE SIGNATURE OF THIS PROGRAM IS CORRUPT OR INVALID" WHEN THEY DOWNLOAD, YOU NEED TO UPGRADE TO AN SHA-256 SIGNATURE! According to the Microsoft PKI blog [http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx]: "Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no lon...
  If your certificate uses SHA-2 or has SHA-2 certificates in its chain of trust and you are using it to sign kernel modules, then you should be aware of KB3033929 [https://support.microsoft.com/en-us/kb/3033929], an update for Windows 7 distributed through Windows Update. On versions of Windows 7 without this update, the kernel will reject signatures made with certificates that use SHA-2, so they cannot be used to get a kernel module to load. In order for your driver to install successfully...
The following error may occur when building projects for Microsoft Visual Studio 2008 - 2015. Error: "Cannot import the following key file: mykey.pfx. The key file may be password protected." Cannot import the following key file: mykey.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_C1D3ACB8FBF1AGK4 SOLUTION 1: * Click Start > All Pro...
EV Code Signing Certificates, along with MS SmartScreen technology, protect users from downloading infected applications and malware. WHAT IS “APPLICATION REPUTATION”? Software downloaded from the Internet is similar to people on the Internet--it's hard to tell which ones are dogs, at least without help. That's where "application reputation" technology comes in. Application reputation is a method employed by Microsoft's SmartScreen(R) filter to distinguish good software from bad software as i...
Please use the latest version of signtool for this process. 'SIGNTOOL' available in Windows 8.1 SDK or Windows 10 SDK should be good. * Download the Comodo cross-signed CA that matches your Code Signing certificate's Root CA. * Open an elevated Windows command prompt (cmd) and run SIGNTOOL.EXE: signtool.exe sign /v /p /ac "CROSS_SIGNED_COMODO_CA_HERE" /f YOUR_PFX_HERE /tr http://timestamp.comodoca.com/rfc3161 "FULL_PATH_TO_FI...
1. Once the certificate is located in the browser, export the certificate with the private key and include all of the certificates and export all extended properties. A password is required. The exported file will be in .PFX or .P12 format. Check the following articles as per your OS: EXPORTING CERTIFICATES (MAC) [HTTPS://SUPPORT.COMODO.COM/INDEX.PHP?/KNOWLEDGEBASE/ARTICLE/VIEW/1003/0/EXPORTING-CERTIFICATES-MAC] Export Certificates (Windows) [https://support.comodo.com/index.php?/Knowledgebas...