Increase customer confidence and download rates
EV Code Signing Certificates combine all the benefits of regular code signing plus additional features including:
- Company address and organization type displayed in the certificate
- Time stamping, signature does not expire once certificate expires
- Certificate stored on a hardware token for two factor authentication
- Immediate reputation with Microsoft SmartScreen
- Required to access the Windows Hardware Development Center Dashboard Portal
GlobalSign Competitive Pricing
|Per year pricing||- per year||- per year||- per year|
|Total Price||- total||- total||- total|
|Buy Now||Buy Now||Buy Now|
Exclusive GlobalSign Features
Digitally sign an unlimited number of apps with single certificate
Access to GlobalSign's superior support
Compatible with major platforms (Authenticode, Office VBA, Java, Adobe AIR, Mac OS, Mozilla)
Addressing weak verification and key protection
EV Code Signing addresses two of the most commonly used vulnerabilities malware developers leverage to spread their malicious code - weak identity verification processes and poor private key protection.
Strict vetting process - Applicants for EV Code Signing certificates go through a more rigorous application process than regular code signing certificates. In addition to verifying the publisher’s organization name, other corporate information, such as physical address and jurisdiction, are vetted. This thorough verification process makes it much more difficult for malware developers to impersonate and obtain a code signing credential to use for signing malware under the guise of a legitimate development company.
Certificate stored on USB token - Unlike regular code signing certificates that reside locally on a developer’s machine, all GlobalSign Code Signing certificates are stored on cryptographic tokens. This makes it much more difficult for a malicious party to copy or steal the private key and use it to sign malicious software under the identity of the actual certificate holder.
Immediate Reputation with Microsoft SmartScreen Filter
Microsoft SmartScreen uses information about an application's reputation to warn end users if an application isn't' well known and might be malicious. Beginning with Internet Explorer 9.0 and Windows 8, applications signed with an EV code signing certificate have immediate reputation established so no alarming warnings will be presented to the downloader.
|Example Windows 8 SmartScreen Warning||Example IE9 SmartScreen Warning|
Purchase an EV Code Signing Certificate
Frequently Asked Questions:
What kind of Hardware Tokens EV Code Signing Certificates come on?
They are Safenet USB eTokens, typically the 5100 model.
Is the token security standard comparable to HSM ?
The tokens are FIPS 140-2 Level III compliant, as are most HSMs. The token is password protected and you can set the number of failed password attempts before the token automatically locks and deletes the contents.
Can you make the private keys on the token exportable?
By default, the private keys are not exportable from the USB token. This option is not changeable.
Is it possible to use a HSM instead of a token?
Currently, we do not offer the option to install your EV Code Signing certificate on to an HSM, though there are plans to add this feature in the future.
What tools can I use to sign code?
In most cases you would leverage the standard utilities like signtool and jarsigner to sign your applications and drivers. Some customers have developed scripts to suit their needs and automate the signing process.
Do you support Microsoft Windows SDK “Signtool.exe”?
Yes. Signtool.exe will work with our standard code Signing certificates as well as EV Code Signing.
Can I sign multiple platforms with the same certificate such as Java?
GlobalSign's EV Code Signing Certificates can be used to sign jar files as well as drivers and executables. The signing process for Java is a little more involved than for Microsoft executables & drivers, but we have both scenarios documented.
With EV Code Signing, it is a requirement that the certificate is stored on a hardware module of some sort, so the delivery method is the same, hence we do not differentiate by platform with EV. As long as the tool you are using to sign can access the token or the Windows Certificate Store*, it should be able to use the EV code signing certificate on it.
*When you have the USB token plugged in, the private key stays on the token and the public key is copied to your Windows Certificate Store making it available to other applications. If an application like Signtool or Visual Studio has visibility to the certificate store, it should see the certificate on the token like any other certificate. The only difference is you will be prompted for the token password when you sign. Java jarsigner does not see the Windows certificate store, so you have to manually specify the path to the token.