Symantec Code Signing Portal FAQ
What is code signing and why do I need it?
Code signing creates a digital “shrink-wrap” that shows customers the identity of the company responsible for the code and confirms that it has not been modified since the signature was applied. In traditional software sales, a buyer can confirm the source of the application and its integrity by examining the packaging. Increasingly, customers download applications to their mobile phones, install plug-ins and add-ins, and interact with sophisticated web-based applications. They risk compromising their own security and the functionality of mobile networks if they download malicious or faulty code. Symantec Code Signing protects your brand and your intellectual property by using a digital signature to make your applications identifiable and harder to falsify or tamper with.
How does the Symantec Code Signing Portal work?
Code signing certificates are based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content. Software platforms and applications use the corresponding public key to verify the signature during download and compare the hash that was signed against a hash computed over the downloaded application. Signed code from a trusted source may be automatically accepted, or a security warning may require the end user to view the signature information and decide whether or not to trust the code.
With a code signing certificate, the developer signs all code with the same digital signature, which identifies the source of the code and shows that it has not been tampered with since signing. The Code Signing Portal uses a two-step signing process to create a unique digital signature each time code is signed, making each released version of the code easier to track and revoke. The developer uses a Publisher ID to sign code and to log in to their Code Signing Portal. The developer then uploads their code to the Code Signing Portal. Symantec validates the publisher signature, strips off the publisher’s digital signature, generates a new key pair, signs the content and sends it back to the publisher with the newly generated Content ID.
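The verification step above (public key, hash comparison) and the two-step portal flow (validate the Publisher ID signature, strip it, re-sign under a freshly generated Content ID key pair) modelled as an added example; this is not Symantec's code or API, and the function names, the use of Ed25519 over a SHA-256 digest, and the sample payload are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signed pairs code with a signature over its SHA-256 digest (hypothetical model).
type Signed struct {
	Code []byte
	Sig  []byte
}

// sign hashes the code and signs the digest: one "signing event" in the page's terms.
func sign(priv ed25519.PrivateKey, code []byte) Signed {
	h := sha256.Sum256(code)
	return Signed{Code: code, Sig: ed25519.Sign(priv, h[:])}
}

// verify recomputes the digest of the received code and checks the signature against
// the public key the verifier trusts; any modification after signing makes this fail.
func verify(s Signed, trusted ed25519.PublicKey) bool {
	h := sha256.Sum256(s.Code)
	return ed25519.Verify(trusted, h[:], s.Sig)
}

// portalResign models the portal's two-step process: reject uploads whose Publisher ID
// signature does not verify, drop that signature, then generate a fresh Content ID key
// pair and re-sign, returning the content signature and the new public key.
func portalResign(upload Signed, publisherPub ed25519.PublicKey) (Signed, ed25519.PublicKey, error) {
	if !verify(upload, publisherPub) {
		return Signed{}, nil, errors.New("publisher signature invalid: upload rejected")
	}
	contentPub, contentPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signed{}, nil, err
	}
	return sign(contentPriv, upload.Code), contentPub, nil
}

func main() {
	publisherPub, publisherPriv, _ := ed25519.GenerateKey(rand.Reader) // Publisher ID
	upload := sign(publisherPriv, []byte("constructed sample: app.cab contents"))
	released, contentPub, err := portalResign(upload, publisherPub)
	fmt.Println("portal accepted:", err == nil, "device trusts content signature:", verify(released, contentPub))
}
```

Note that the released package no longer verifies under the Publisher ID key, which mirrors the page's point that only the Content ID signature is trusted on the end-user device.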
What is the difference between a Publisher ID and a Content ID?
A Publisher ID is the digital certificate you receive when you enroll for a Signing Portal. It contains your organizational information and is used to digitally sign your code or content before you upload it to your Signing Portal. It is also used for authentication when logging into the Signing Portal. A Content ID is the unique Code Signing Certificate created by Symantec when your content is signed in the Signing Portal. It is the only signature that will be trusted on the end-user device for secure downloading and execution. To sign code using a Signing Portal, you need to purchase a Publisher ID and a bundle of Content IDs or "signing events".
How many Publisher IDs do I need?
Every account for a Code Signing Portal comes with one Publisher ID (also called an Administrator Certificate). An administrator may log in to the Code Signing Portal and purchase additional Publisher IDs for different development groups within the organization. By using a single account with multiple Publisher IDs, the organization has one portal to view and track all Code Signing events, and each group has a unique identity that can be revoked or modified for better security.
How many Content IDs or signing events do I need?
A Content ID is consumed each time an application or code is signed. Content IDs are sold through the Symantec Code Signing Portal in bundles of signing events. You will need a signing event for each application that you sign, including different versions. If you have a Windows Mobile application which consists of 1 cab file containing 1 exe and 1 dll file, signing your application generates 3 signatures (1 each for the dll, exe, and the cab file), but only 1 signing event is consumed.
Do I need to sign all the files within the cab file or just the cab file?
All executables within the .cab file must be signed. The Symantec Code Signing Portal automatically signs all of the contained executables when the .cab file is uploaded to be signed.
How long does it take to sign code using the Symantec Code Signing Portal?
Symantec automatically signs approved applications. Code signing may take a few minutes or several days, depending on the type of signing services you use and the device platform or mobile network requirements. For applications that access secure APIs, a network provider or vendor may require testing. The developer signs the application, sends it to the testing house, who then uploads it to the Code Signing Portal. Symantec notifies the network provider or vendor that the application is ready to be signed. When the network provider or vendor approves the application, Symantec completes the signing process. Developers can track the status of their application within the Code Signing Portal. For more information about testing and approval requirements, please contact your network provider or vendor directly.
Why do I have to renew my Publisher ID/Administrator ID?
Publisher IDs and Administrator IDs expire after 12 months. Symantec uses a proven, robust process to authenticate and verify organizations prior to issuing Class 3 certificates such as code signing. The annual renewal process ensures that the Publisher ID is used by a legitimate organization and the contact is authorized to develop for that organization. This is a necessary process prior to issuing code signing certificates including Publisher IDs to you.
Is there a way to script the process of Code Signing with the Code Signing Portal?
Symantec offers APIs for both Publisher and Provider accounts for use with Symantec’s Code Signing Portal. You can request these API Guides from your local account representative or from our support team.
How long does a digital signature last?
The Symantec Code Signing Portal signs code with 10-year digital signatures. Even if the Publisher ID expires, the unique Content ID and digital signature retain their validity.
Can I access my Code Signing Portal on different computers?
You can access your Code Signing Portal on any computer using a USB token containing your Publisher ID as long as that computer meets the minimum system requirements. However, you must buy and retrieve your Publisher ID from the same computer. If you have problems with retrieval, confirm that you are using the same computer, browser, and log-in profile used to enroll. Symantec recommends that developers purchase additional Publisher IDs rather than sharing certificates for better security and management.
How does someone know they can trust my digital signature?
Simply signing your code ensures that it has not been tampered with and that it comes from you, but does not verify who you are. A third-party CA is more trusted than a self-signed certificate because the certificate requestor had to go through a vetting or authentication process. When software platforms and applications verify a digital signature, they access a “root” certificate to determine whether or not to trust the CA that issued the certificate. Because Symantec root certificates come preinstalled on most devices and embedded in most applications, digital signatures from Symantec are almost always trusted, reducing warnings and error messages.
What if I lose my USB token or Publisher ID or it becomes compromised?
A USB token holding a Publisher ID, or its token password, cannot be replaced if it is lost or stolen, because anyone who finds it could use it to sign code in your name. If your private key is lost or compromised, or if your information changes, you should revoke your Publisher ID immediately and replace it with a new digital certificate.