Date: 16 August 2012
Where can I find more information about code-signing certificates?
You can find general information about code-signing certificates in the repository, specifically in:
- the Certificate Practice Statement (CPS), including the code-signing certificate profile
- the Code-signing subscriber agreement
- CSM RAO administrator guide (including details of the personal identifying documentation that needs to be supplied by the person who will use the certificate to sign the software code in Appendix 2).
Why do I have to verify the identity of the person's name on the code signing certificate?
Verifying the identity of a person named in the code-signing certificate is a requirement of the CPS. Clause 4.2.13 states that:
Code Signing Certificates are processed by AusCERT or the Participant Organisation in accordance with
the process outlined for Organisation validated Certificates (4.2.1.1) and for high personal/client
validated Certificates (4.2.1.2.2). AusCERT or the Participant Organisation may employ the data held in
its domain databases to expedite the validation process. If the application data matches the records held
by the Participant Organisation, manual validation intervention is not required.
What do I have to do to verify the identity of a person on a code-signing certificate?
The process for verifying the identity of the person identified in the code-signing certificate is the same as for high validation personal certificates. Within the CSM RAO Admin Guide, Appendix 2 sets out the PO's responsibilities when ordering high validation certificates. There are 2 types of high validation certificates that involve collecting personal identification information, and the requirements apply to all code-signing certificates and high assurance personal certificates. Although Appendix 2 only refers to high validation personal certificates, the process for code-signing certificates is the same.
Who does the actual verification of the person's identity?
The verification of the 100 points of identity is done by the RA and does not involve AusCERT.
The verification of the person's identity documentation occurs outside of the CSM process and is done before a code-signing certificate is approved by the DRAO/RAO for any person with an email address in your organisation's domain (as per 4.2.2 in the CPS).
What information is contained in the code-signing certificate?
The certificate profile for each certificate type, including code-signing certificates, is set out on pages 59-64 of the CPS, which is available from the repository.
If the person named in the code-signing certificate leaves the organisation, does this constitute a change that would require the certificate to be revoked?
Yes. See clauses 1.4, 1.8 and 1.10 in the code-signing subscriber agreement.
Where can I find information about time-stamping during the code-signing process?
See Comodo's code-signing certificate general FAQs and Comodo's code-signing certificate technical FAQs.
Does using timestamping during the signing process extend the validity of a digital signature associated with an expired code-signing certificate?
Yes. The timestamp is a signed snapshot that records that the certificate was valid at the particular time the code was signed. Hence the digitally signed code (with timestamping) will continue to show as valid to a relying party even though the certificate itself has expired. Timestamping delays 'expiration' until the timestamp itself expires, which is usually 8+ years into the future.
Therefore, in effect, using timestamping during the signing process extends the period during which a digital signature, when checked by a relying party, will be regarded as valid.
See Comodo's code-signing certificate general FAQs and Comodo's code-signing certificate technical FAQs.
If you used the timestamping option during the code signing process, will the digital signature remain valid if the certificate is later revoked?
Yes. It will behave in the same way as if the certificate had expired naturally. This is because, at the time the code was signed, the certificate was valid, and hence the signature was valid when it was created.
Timestamping should therefore be used selectively and with caution, as it can pose a problem for relying parties where a code-signing certificate is subsequently revoked because its private key was compromised. In this situation, if the compromised private key is used by a malicious party to sign code (with a timestamp), and the compromise is discovered and the certificate revoked only afterwards, the fraudulent digital signature on the malicious software will still show up to a relying party as valid. For more information about Microsoft Windows Authenticode signatures, see Time Stamping Authenticode Signatures (Windows).
Why does my revoked code-signing certificate appear to be valid when I open it in Microsoft Windows?
Opening a certificate in the Windows certificate viewer does not necessarily perform a revocation check. The reliable method to verify the validity of a certificate is to use the certutil.exe utility, which includes checks for CRL membership. To examine a certificate, run: certutil -f -urlfetch -verify mycertificatefile.cer. For more about CRL checking, visit Basic CRL checking with certutil.
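The three questions above (timestamping past expiry, timestamping past revocation, and the certutil revocation check) can be exercised from one place. The following PowerShell script is an added example, not part of this FAQ or of any AusCERT or Comodo tool: it reads the Authenticode signature on a file, reports whether a timestamp is present and when the signer certificate expires, and then builds the signer's chain with online revocation checking (the same CRL/OCSP fetch that certutil -urlfetch -verify performs), so a revoked signer is surfaced even where the file's signature status still reads Valid because of the timestamp. The file path is the only input and is an assumption.

```powershell
# Added example (not from the AusCERT FAQ). Usage: .\Check-Signature.ps1 -Path .\signed-file.exe
param([Parameter(Mandatory)][string]$Path)   # assumed: any Authenticode-signed .exe/.dll/.msi/.ps1

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status) ($($sig.StatusMessage))"

if ($null -eq $sig.SignerCertificate) { "No signer certificate found."; return }

$signer = $sig.SignerCertificate
"Signer subject   : $($signer.Subject)"
"Signer validity  : $($signer.NotBefore.ToString('u')) to $($signer.NotAfter.ToString('u'))"
"Signer expired   : $((Get-Date) -gt $signer.NotAfter)"

# A timestamp is what lets the signature outlive the signer certificate.
if ($null -ne $sig.TimeStamperCertificate) {
    "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
    "TSA cert expires : $($sig.TimeStamperCertificate.NotAfter.ToString('u'))"
} else {
    "Timestamp        : none (signature stops validating once the signer certificate expires)"
}

# Build the signer's chain with online revocation checking for the whole chain.
# This is the explicit CRL/OCSP check that the certificate viewer does not do.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode      = [System.Enum]::Parse("$ns.X509RevocationMode", 'Online')
$chain.ChainPolicy.RevocationFlag      = [System.Enum]::Parse("$ns.X509RevocationFlag", 'EntireChain')
$chain.ChainPolicy.VerificationFlags   = [System.Enum]::Parse("$ns.X509VerificationFlags", 'NoFlag')
$ok = $chain.Build($signer)
"Chain builds now : $ok"
foreach ($s in $chain.ChainStatus) { "  - $($s.Status): $($s.StatusInformation.Trim())" }

# Revocation is reported separately: a timestamped signature can still read 'Valid'
# above while the signer certificate is on the CA's CRL.
$revoked = $chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' }
if ($revoked) { "WARNING: signer certificate is revoked; do not trust this signature, timestamp or not." }
```

Run it against a file signed with an expired or revoked certificate to see the signature status and the chain status diverge, which is exactly the situation the FAQ warns relying parties about.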
How do I use my code-signing certificate to sign Java archive (jar) files?
Comodo has produced the document Using a Comodo Authenticode Certificate for Java jar-signing that details the steps involved in this activity. The pvkimprt.exe utility used in this procedure is no longer available from the included link but can be downloaded from Office 2000 Tool: PVK Digital Certificate Files Importer.