What is code signing and why do I need it?
How does a code signing account work?
What is the difference between a Publisher ID and a Content ID?
How many Publisher IDs do I need for a signing account?
How many Content IDs or signing events do I need?
Do I need to sign all the files within the cab file or just the cab file?
Which type of signing account do I need?
How long does it take to sign code using a signing account?
Why do I have to renew my Publisher ID/Administrator ID?
Is there a way to script the process of code signing with a signing account?
How long does a digital signature last?
Can I access my code signing account on different computers?
How does someone know they can trust my digital signature?
What if I lose my USB token or Publisher ID or it becomes compromised?
What is code signing and why do I need it?
Code Signing creates a digital “shrink wrap” that shows customers the identity of the company responsible for the code and confirms that it has not been modified since the signature was applied. In traditional software sales, a buyer can confirm the source of an application and its integrity by examining the packaging. Increasingly, customers download applications to their mobile phones, install plug-ins and add-ins, and interact with sophisticated Web-based applications. They risk compromising their own security and the functionality of mobile networks if they download malicious or faulty code. VeriSign® Code Signing protects your brand and your intellectual property: the digital signature makes your applications identifiable and harder to falsify or tamper with.
How does a code signing account work?
Code and content certificates are based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content. Software platforms and applications use the corresponding public key to verify the signature at download time, comparing the hash that was signed against a hash computed over the downloaded application; if the two differ, the code was altered after signing. Signed code from a trusted source may be accepted automatically; otherwise a security warning may require the end user to view the signature information and decide whether or not to trust the code.
With a code signing certificate, the developer signs all code with the same certificate and private key, identifying the source of the code and verifying that the code has not been tampered with since signing. A Code Signing Account uses a two-step signing process to create a unique digital signature each time code is signed, making each version of released code easier to track and revoke. The developer uses a Publisher ID to sign code and to log in to their code signing account. The developer then uploads their code to VeriSign through a VeriSign® Flexible Signing Account or a VeriSign® Authenticated Content Signing (ACS) for Symbian™. VeriSign validates the publisher signature, then strips off the publisher’s digital signature, generates a new key pair, signs the content with it and sends the content back to the publisher together with the newly generated Content ID.
What is the difference between a Publisher ID and a Content ID?
A Publisher ID is the digital certificate you receive when you enrol for a signing account. It contains your organisational information and is used to digitally sign your code or content before you upload it to your account. It is also used for authentication when logging in to the signing account portal. The Content ID is the unique code signing certificate created by VeriSign when your content is signed in the signing account. It is the only signature that will be trusted on the end-user device for secure downloading and execution. To sign code using a signing account, you need to purchase a Publisher ID and a bundle of Content IDs or “signing events”.
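The two-step flow described above, as an added example that is not VeriSign's code or API: the Publisher ID and each Content ID are modelled as Ed25519 key pairs, and the signing account as a service that verifies the publisher signature, discards it, and re-signs under a fresh per-event key certified by a root the device already trusts. The struct layout, the root-signature-over-key stand-in for the Content ID certificate and the sample bytes are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Signed: per-event Content ID key, root signature certifying it (stand-in for the Content ID certificate), content signature.
type Signed struct {
	ContentKey              ed25519.PublicKey
	ContentCert, ContentSig []byte
}

// Service models the signing account: the root key devices trust plus the enrolled Publisher IDs.
type Service struct {
	RootPub    ed25519.PublicKey
	rootPriv   ed25519.PrivateKey
	publishers map[string]bool // keyed by Publisher ID public key bytes; delete an entry to revoke
	Events     int             // signing events consumed
}
func NewService() *Service {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Service{RootPub: pub, rootPriv: priv, publishers: map[string]bool{}}
}
func (s *Service) Enrol(pub ed25519.PublicKey) { s.publishers[string(pub)] = true }
func hash(code []byte) []byte                  { h := sha256.Sum256(code); return h[:] }
// PublisherSign is step one: the developer signs the code hash with the Publisher ID private key.
func PublisherSign(priv ed25519.PrivateKey, code []byte) []byte { return ed25519.Sign(priv, hash(code)) }
// Sign is step two: check the Publisher ID and its signature, drop that signature, mint a fresh
// Content ID key pair for this event, certify it under the root and re-sign the same hash.
func (s *Service) Sign(pub ed25519.PublicKey, code, pubSig []byte) (*Signed, error) {
	if !s.publishers[string(pub)] {
		return nil, errors.New("unknown or revoked Publisher ID")
	}
	if !ed25519.Verify(pub, hash(code), pubSig) {
		return nil, errors.New("publisher signature invalid: code altered or wrong key")
	}
	cpub, cpriv, _ := ed25519.GenerateKey(rand.Reader) // unique per signing event
	s.Events++
	return &Signed{cpub, ed25519.Sign(s.rootPriv, cpub), ed25519.Sign(cpriv, hash(code))}, nil
}
// DeviceVerify: chain the Content ID to the preinstalled root, then check the content signature against a fresh hash.
func DeviceVerify(root ed25519.PublicKey, code []byte, sc *Signed) bool {
	return ed25519.Verify(root, sc.ContentKey, sc.ContentCert) &&
		ed25519.Verify(sc.ContentKey, hash(code), sc.ContentSig)
}
```

The device never sees or trusts the Publisher ID signature, only the Content ID chained to the root, which is why the page says the Content ID is the only signature trusted on the end-user device.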
How many Publisher IDs do I need for a signing account?
Every signing account comes with one Publisher ID (also called an Account ID or Administrator Certificate). An administrator may log in to the signing account and purchase additional Publisher IDs for different development groups within the organisation. By using a single signing account with multiple Publisher IDs, the organisation has one portal to view and track all code signing; and each group has a unique identity that can be revoked or modified for better security.
How many Content IDs or signing events do I need?
A Content ID is consumed each time an application or code is signed. Content IDs are sold through the signing account in bundles of signing events. You will need a signing event for each application that you sign, including different versions. If you have a Windows Mobile® application that consists of one .cab file containing one .exe and one .dll file, signing your application generates three signatures (one each for the .dll, .exe and .cab file), but only one signing event is consumed.
Do I need to sign all the files within the .cab file or just the .cab file?
All executables within the .cab file must be signed. A VeriSign® Flexible Signing Account automatically signs all of the contained executables when the .cab file is uploaded to be signed.
Which type of signing account do I need?
Different network providers and software platforms have different requirements and different tools for signing code. With the VeriSign® Flexible Signing Account, developers can upload applications for Microsoft® Mobile2Market Normal or Privileged Access. For Symbian developers, the VeriSign® ACS for Symbian™ is available for Symbian Certified Signing.
How long does it take to sign code using a signing account?
VeriSign automatically signs approved applications. Code Signing may take a few minutes or several days, depending on the type of signing services you use and the device platform or mobile network requirements. For applications that access secure APIs, a network provider or vendor may require testing. The developer signs the application, sends it to the testing house, who then uploads it to the signing account. VeriSign notifies the network provider or vendor that the application is ready to be signed. When the network provider or vendor approves the application, VeriSign completes the signing process. Developers can track the status of their application within the signing account. For more information about testing and approval requirements, please contact your network provider or vendor directly.
Why do I have to renew my Publisher ID/Administrator ID?
Publisher IDs and Administrator IDs expire after 12 months. VeriSign uses a proven, robust process to authenticate and verify organisations prior to issuing Class 3 certificates such as code signing. The annual renewal process ensures that the Publisher ID is used by a legitimate organisation and the contact is authorised to develop for that organisation. This is a necessary process prior to issuing you with code signing certificates including Publisher IDs.
Is there a way to script the process of code signing with a signing account?
VeriSign offers a Publisher API for customers with a VeriSign® Flexible Signing Account. Log in to your account, click Resource Centre and then Product Documentation, and download the zip file "Signing Portal Publisher API" for information and examples of scripting.
How long does a digital signature last?
VeriSign code signing accounts sign code with 10-year digital signatures. Even if the Publisher ID expires, the unique Content ID and digital signature retain their validity.
Can I access my code signing account on different computers?
You can access your signing account on any computer using a USB token containing your Publisher ID, as long as that computer meets the minimum system requirements. However, you must buy and retrieve your Publisher ID from the same computer. If you have problems with retrieval, confirm that you are using the same computer, browser, and login profile used to enrol. For better security and management, VeriSign recommends that developers purchase additional Publisher IDs rather than sharing certificates.
How does someone know they can trust my digital signature?
Simply signing your code ensures that it has not been tampered with and that it comes from you, but it does not verify who you are. A certificate issued by a third-party CA is trusted more than a self-signed certificate because the certificate requestor had to go through a vetting or authentication process. When software platforms and applications verify a digital signature, they consult a “root” certificate to determine whether or not to trust the CA that issued the signing certificate. Because VeriSign root certificates come preinstalled on most devices and embedded in most applications, digital signatures from VeriSign are almost always trusted, reducing warnings and error messages.
What if I lose my USB token or Publisher ID or it becomes compromised?
A USB token holding a Publisher ID, or a token password, cannot be replaced if it is lost or stolen, because anyone who finds it could use it to sign code in your name. If your private key is lost or compromised, or if your information changes, you should revoke your Publisher ID immediately and replace it with a new digital certificate.