Digitally signing your code, alongside good key management practices, proves it comes from a known software vendor and lets users detect any tampering or damage after it’s published. It is also a requirement of many platforms, including the Apple iOS store.
You might already understand the importance of Code Signing, but that probably doesn’t make the process any less painstaking. Here are just a few developers I found on Twitter who seem to find Code Signing as difficult as, or more difficult than, learning C++.
Code signing always manages to be a pain in the ass, regardless of how many times I've done it, or what platform I'm publishing to :( — Angela Bradley (@angela_bradley) April 22, 2016
Current status. Code signing hell! :( — Rob Pearson (@robpearson) October 14, 2015
Let’s just say, you aren’t the first developer to have gripes with Code Signing!
We get a fair number of queries from our customers about how it all works, which is my reason for writing this post. Maybe some of the pain can be solved here, at least before you tear out what is left of your hair! Here are our top queries and advice on how to solve them.
You Receive a SmartScreen Warning
This warning appears for users who have the SmartScreen filter enabled.
SmartScreen works with Download Manager to prevent malicious downloads. If a download is considered risky, it is immediately blocked. The more a file is downloaded, the better the reputation it builds and the less risky SmartScreen considers it.
Once it is considered less risky, the SmartScreen Filter warning will no longer appear.
Code signed with an EV Code Signing Certificate will not cause SmartScreen warnings, as it features instant reputation with SmartScreen.
Problems with Kernel Code
A Cross Certificate is needed in order to sign kernel code.
GlobalSign’s Cross Certificate can be found here.
If you are using Windows 10, please note that Windows requires an EV Code Signing Certificate for kernel code signing.
EV kernel signing instructions can be found here from step five onward.
Problems with Compatibility on Mac
For a signed application to be trusted on Macs, the signer must become an Apple developer. This is because Gatekeeper, the malware protection pre-installed in OS X since Mountain Lion, restricts downloads to applications available on the Mac App Store unless they are signed by identified Apple developers.
My Signed Certificate is No Longer Valid/Has Expired
If you have signed your app/software with a certificate and this certificate has expired, the signature on the code expires with it.
To fix this problem, you can implement a long-term validity signature with a third party Timestamp.
Using a third party Timestamp means software can verify that the certificate was valid at the time of signing, so it can still be trusted. Otherwise, the software just looks at the signing certificate’s current validity and if it’s expired, the code will not be trusted.
Note: The Timestamp feature is not available by default when signing Macros and must be enabled through registry edits.
I Lost My Pick-Up Password
You set the temporary pick-up password whilst ordering your Code Signing Certificate. For security reasons, we do not keep copies of this password, so we are unable to recover it for you.
If you didn’t order the certificate, then ask the person who did if they have it, otherwise you will need to cancel and reorder your certificate.
If you’re within the seven day cancellation period (shown by the presence of the ‘Cancel and Reorder’ button), you can quickly and easily cancel and reorder your certificate. You will need to send an email to email@example.com or the vetting team with your old and new order number. You will not be charged for this procedure and the verification of your new certificate will be expedited.
If you have passed your seven day cancellation period and do not have the ‘Cancel and Reorder’ button in your account, you will need to contact the support team.
I’m Not Happy with the Information in My Certificate
If you’ve ordered a Code Signing Certificate with us and you need to change the details on this certificate, the action to take depends on where your certificate is in the process.
Certificate is Undergoing Vetting
If the certificate is still in vetting, you should be able to email our vetting team and they will be able to change most information except for the common name.
If you typed in the wrong common name, you will have to re-order.
Certificate Has Been Issued
If the certificate has already been issued, you will need to re-order.
As with the re-ordering instructions above for a lost pick-up password, there is a ‘Cancel and Reorder’ button for certificates which are within their seven day cancellation period.
Using a CSR - Java vs. Non Java Keystore Users
If you wish to generate the certificate using a CSR instead of being provided with a .pfx file, you can do this in two ways.
For Java Keystore Users
If you would like to use your Code Signing Certificate on a Java-based machine, using your own keystore, you should place an order for a ‘Code Signing for Sun Java Certificate’.
The generation of this certificate requires a CSR to be entered during the download process.
The certificate will be delivered in a .cer file which can then be imported to the keystore using the instructions in this support article.
For Non Java Keystore Users
For those who do not wish to use a Java keystore, you can place an order for ‘Code Signing for Multi-platforms Certificate’.
During the ordering process you will have the option to specify using your own CSR (PKCS#10), under the ‘Hide Advanced Key Generation Options’ as indicated in this screenshot below.
This option also delivers the certificate in a .cer file when it comes to the download stage.
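As an added illustration (not GlobalSign's own instructions), here is one way to create your own key and PKCS#10 CSR with OpenSSL and check it before pasting it into the order form. The check matters because a wrong common name means re-ordering. It assumes OpenSSL is installed; the file names, subject values and the 3072-bit RSA key size are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example. File names and subject values are constructed placeholders.

# Generate a private key and a PKCS#10 CSR in directory $1 for subject $2.
make_csr() {
    dir=$1; subject=$2
    (
        umask 077   # private key file is readable by its owner only
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
            -out "$dir/codesign.key" 2>/dev/null
    ) || return 1
    openssl req -new -sha256 -key "$dir/codesign.key" \
        -subj "$subject" -out "$dir/codesign.csr"
}

# Print the common name carried in the CSR at $1.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Print the size in bits of the public key in the CSR at $1.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the CSR self-signature verifies, the common name is the
# expected one ($2) and the key has at least $3 bits.
check_csr() {
    csr=$1; want_cn=$2; min_bits=$3
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(csr_common_name "$csr")" = "$want_cn" ] || return 1
    [ "$(csr_key_bits "$csr")" -ge "$min_bits" ]
}

workdir=$(mktemp -d)
make_csr "$workdir" "/C=GB/O=Example Software Ltd/CN=Example Software Ltd"
if check_csr "$workdir/codesign.csr" "Example Software Ltd" 3072; then
    echo "CSR ready to submit: $workdir/codesign.csr"
fi
```

Only the .csr file is submitted; the .key file stays on your machine and is needed later to pair with the delivered .cer file.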
If you have an issue with a Code Signing Certificate that we have not listed here, feel free to use the comments below or, for a faster reply, submit a ticket with our support team.