Code Signing - Frequently Asked Questions

Does the Certification Authority certify the content of my code?

No. The Certification Authority certifies that your program really comes from the Publisher who signed it, an important fact when potential customers decide whether to buy your software. The signature also certifies that your program has not been modified or altered during its transmission or download. Consequently, customers can install or run your program with confidence about its origin and integrity.

What assurance does a customer obtain when downloading my program?

The source of your content (the program comes from the Publisher who signed it) and the integrity of your content (the program has not been modified or altered since it was signed) are guaranteed to your clients who download or run the program.

Which type of component to sign should I choose for my certificate?

A list of the existing types is available on the CODESIGNING webpage. If you don't know which type to choose, don't hesitate to contact us and we will help you decide.

Do I have to buy a certificate for each type of component?

Generally, yes, but it is also possible to digitally sign Sun Java documents (.jar) with a Microsoft Authenticode Code Signing certificate. Contact us for more information.

How many files can I sign with one certificate?

A Code Signing certificate enables you to sign as many components as you wish over the lifetime of the certificate. The signature of the signed files will remain valid after expiry of the certificate thanks to the timestamping feature.

How can I sign my files?

Once you have your Code Signing certificate, you will have to sign your files with an SDK (Software Development Kit) or with a command line tool. Go to our Support for Digital IDs web page for instructions.

What is timestamping?

Timestamping is enabled for Code Signing certificates from Thawte and Symantec on a Symantec server. This feature enables the signature on your code to remain valid once your Code Signing certificate has expired. A new certificate is still necessary if you wish to sign other components after expiry.
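
The effect of timestamping on signature validity, shown as an added example (not code from the Certification Authority): a simplified Python model of the decision a verifier makes, which ignores revocation and the validation of the timestamp server's own certificate. The names `SignedFile` and `signature_status` and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class SignedFile:
    # Validity window of the Code Signing certificate used for the signature.
    cert_not_before: datetime
    cert_not_after: datetime
    # Signing time asserted by the timestamp server, or None if the file
    # was signed without a timestamp.
    timestamp: Optional[datetime] = None


def signature_status(f: SignedFile, now: datetime) -> str:
    """Simplified model: no revocation check, timestamp server assumed trusted."""
    if f.timestamp is not None:
        # With a timestamp, the certificate is judged at signing time.
        if f.cert_not_before <= f.timestamp <= f.cert_not_after:
            return "valid"
        return "invalid: timestamp outside certificate validity"
    # Without one, the verifier can only judge the certificate as of today.
    if now < f.cert_not_before:
        return "invalid: certificate not yet valid"
    if now > f.cert_not_after:
        return "invalid: certificate expired and no timestamp"
    return "valid"


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: one certificate valid for a single year.
NOT_BEFORE, NOT_AFTER = utc(2013, 1, 1), utc(2014, 1, 1)
SAMPLES = {
    "timestamped, checked after expiry": SignedFile(NOT_BEFORE, NOT_AFTER, utc(2013, 6, 1)),
    "no timestamp, checked after expiry": SignedFile(NOT_BEFORE, NOT_AFTER),
    "timestamped after expiry": SignedFile(NOT_BEFORE, NOT_AFTER, utc(2014, 3, 1)),
}

if __name__ == "__main__":
    check_time = utc(2015, 1, 1)  # a year after the certificate expired
    for label, f in SAMPLES.items():
        print(f"{label}: {signature_status(f, check_time)}")
```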

What is the address of the "timestamp" server?

For Code Signing certificates from Thawte and Symantec, the "timestamp" server is the same. For Microsoft Authenticode or Microsoft Office & VBA certificates: http://timestamp.verisign.com/scripts/timstamp.dll. For Sun Java certificates: https://timestamp.geotrust.com/tsa.