Code Signing Frequently Asked Questions

OVERVIEW: This page outlines everything you need to know about GlobalSign Code Signing Certificate. For certificate installation instructions, please refer to this guide. Can't find what you're looking for? Get in touch for assistance.

What is a Code Signing Certificate? 

Digital Certificate contain fields such as Key Usage and Extended Key Usage  that dictate the purpose of a Certificate. Where an SSL Certificate for a website would contain an extended key usage of Server Authentication showing it can be used to identify a server, a code signing Certificate has an extended key usage of Code Signing to indicate it may be used to sign code.

There are other values that get populated into these fields depending on Certificate type. Limiting the use cases of Digital Certificates mitigates some risk in the event of a compromised Certificate. A Certificate with all key purposes enabled would pose a much greater risk in the event of a compromise.

What is the minimum requirements for Code Signing Certificates?

The Minimum Requirements specify that CAs shall ensure stronger protection for private keys. All EV Code Signing Certificates, will require a USB token. All New and Renewal EV Code Signing orders will require a USB token to store the Certificate and protect the private key. Also, all standard Code Signing products - except for EV Code Signing - will be integrated to one “multi-platform” Code Signing Certificate. To learn more about the Code Signing minimum requirements, please refer to this page. 

Can I use the same Certificate on multiple computers?

Yes, but not simultaneously, since the token can only be plugged in to one computer at a time. As long as the drivers are present on another computer, the token can be plugged in to that workstation for use.

How to enable the token Single Sign On? 

To enable the token single sign on, open the Safenet Authentication Client (SAC). Then click, Client Settings. Under the Advanced tab, tick the box for Enable single logon, as shown in the diagram below. Click Save for the changes to take effect. 

Note: This feature is best for customers who wish to batch sign code. This way you don't have to enter the token password every time. However, for regular code signing, we highly recommend to disable this feature as this is not a good practice. 

Do different platforms have different requirements for signing code?

Yes. The code signing requirements will vary from platform to platform. The requirements for signing Java JAR files will differ from signing a Windows portable executable. There are also separate requirements for signing apps on OS X and iOS. How and where your application(s) will be distributed, may also be a factor in signing requirements.

Are there any additional requirements for Windows code signing?

Another factor is the signature algorithm used to sign your Certificate as well as the signature algorithm used to sign code. For more specifics on these requirements, view our Windows Code Signing Hash Algorithm Support article. Note: Starting January 26, 2021, GlobalSign will no longer offer SHA-1 Authenticode and CodeSign Timestamping services.

What utilities are generally required to sign files?

Windows:
Microsoft signtool is the standard utility for signing drivers and executable files. It is bundled as part of the Windows SDK. Signtool can sign using a local .pfx or it can leverage certs in your Windows Certificate store. It works with both standard and EV Code Signing Certificates.

Many development applications have native support for code signing using either the .pfx or Certificate store method. For example, when signing VBA macros through Excel, the application will use certs from your local Certificate store. Other applications such as InstallShield also support integrated code signing.

Java:
Jarsigner is a utility bundled with the Java JDK and can be used to sign Certificates. Generally, if signing code for Java, you'll create a Java Keystore (.jks) with Java KeyTool (also bundled with the JDK), however jarsigner also has support for .pfx files, provided you know the alias.

EV Code Signing also works with Jarsigner. It is a bit more advanced and involves editing a configuration file to specify the slot of the USB token. More details in Java EV Code Signing article.

Apple:
While both standard and EV Code Signing Certificates can sign .dmg and .app files, the local default Gatekeeper policy on OS X and the Apple App Store policy requires the use of a Certificate issued by Apple tied to an Apple Developer ID.

Code Signing Certificates from other CAs can still be used to sign things like profiles and policies on OS X. The default utility on OS X to sign code is called codesign. More information on this utility can be found in the product manual.