EV Code Signing Certificates

Increase customer confidence and download rates

EV Code Signing Certificates combine all the benefits of regular code signing plus additional features including:

  • Company address and organization type displayed in the certificate
  • Time stamping, signature does not expire once certificate expires
  • Certificate stored on a hardware token for two factor authentication
  • Immediate reputation with Microsoft SmartScreen
  • Required to access the Windows Hardware Development Center Dashboard Portal

GlobalSign Competitive Pricing

1 Year

2 Years

3 Years
Best Value
Per year pricing - per year - per year - per year
Total Price - total - total - total
Buy Now Buy Now Buy Now

Exclusive GlobalSign Features

  • Digitally sign an unlimited number of apps with single certificate

  • Access to GlobalSign's superior support

  • Compatible with major platforms (Authenticode, Office VBA, Java, Adobe AIR, Mac OS, Mozilla)

Addressing weak verification and key protection

EV Code Signing addresses two of the most commonly used vulnerabilities malware developers leverage to spread their malicious code - weak identity verification processes and poor private key protection.

  • Strict vetting process - Applicants for EV Code Signing certificates go through a more rigorous application process than regular code signing certificates. In addition to verifying the publisher’s organization name, other corporate information, such as physical address and jurisdiction, are vetted.  This thorough verification process makes it much more difficult for malware developers to impersonate and obtain a code signing credential to use for signing malware under the guise of a legitimate development company.

  • Certificate stored on USB token - Unlike regular code signing certificates that reside locally on a developer’s machine, all GlobalSign Code Signing certificates are stored on cryptographic tokens. This makes it much more difficult for a malicious party to copy or steal the private key and use it to sign malicious software under the identity of the actual certificate holder.

Immediate Reputation with Microsoft SmartScreen Filter

Microsoft SmartScreen uses information about an application's reputation to warn end users if an application isn't' well known and might be malicious. Beginning with Internet Explorer 9.0 and Windows 8, applications signed with an EV code signing certificate have immediate reputation established so no alarming warnings will be presented to the downloader.

Microsoft SmartScreen without EV Code Signing Certificate smartscreen-ie-warning3.jpg
Example Windows 8 SmartScreen Warning Example IE9 SmartScreen Warning
Next Steps

Purchase an EV Code Signing Certificate

Frequently Asked Questions:

What kind of Hardware Tokens  EV Code Signing Certificates come on?
They are Safenet USB eTokens, typically the 5100 model.

Is the token security standard comparable to HSM ?
The tokens are FIPS 140-2 Level III compliant, as are most HSMs. The token is password protected and you can set the number of failed password attempts before the token automatically locks and deletes the contents.

Can you make the private keys on the token exportable?
By default, the private keys are not exportable from the USB token. This option is not changeable.

Is it possible to use a HSM instead of a token?
Currently, we do not offer the option to install your EV Code Signing certificate on to an HSM, though there are plans to add this feature in the future.

What tools can I use to sign code?
In most cases you would leverage the standard utilities like signtool and jarsigner to sign your applications and drivers. Some customers have developed scripts to suit their needs and automate the signing process.

Do you support Microsoft Windows SDK “Signtool.exe”?
Yes. Signtool.exe will work with our standard code Signing certificates as well as EV Code Signing.

Can I sign multiple platforms with the same certificate such as Java?
GlobalSign's EV Code Signing Certificates can be used to sign jar files as well as drivers and executables. The signing process for Java is a little more involved than for Microsoft executables & drivers, but we have both scenarios documented.

With EV Code Signing, it is a requirement that the certificate is stored on a hardware module of some sort, so the delivery method is the same, hence we do not differentiate by platform with EV. As long as the tool you are using to sign can access the token or the Windows Certificate Store*, it should be able to use the EV code signing certificate on it.

*When you have the USB token plugged in, the private key stays on the token and the public key is copied to your Windows Certificate Store making it available to other applications. If an application like Signtool or Visual Studio has visibility to the certificate store, it should see the certificate on the token like any other certificate. The only difference is you will be prompted for the token password when you sign. Java jarsigner does not see the Windows certificate store, so you have to manually specify the path to the token.