Authentication. Security. Trust.
www.globalsign.com

Code Signing
Distributing trustworthy software over the Internet

© GlobalSign. A GMO Internet Inc group company.

As operating system and browser vendors move towards higher security models and lock down capabilities on unknown code, it is increasingly important for developers and end users to identify legitimate applications from the masses of badware.

Contents
− What is Code Signing?
− The Benefits of Code Signing
− Supported Platforms
− Buyer Considerations
− Why choose GlobalSign?
− Adding Code Signing to your Portfolio

What is Code Signing?

Code Signing is the virtual equivalent of shrink-wrapping CD-based software for distribution. Software developers digitally sign code or software distributed over the Internet using X.509 v3 digital certificates marked for the specific use of digitally signing code.

The digital certificate binds the identity of a person or entity to a public key which is related to a corresponding private key. The private key is used to apply a digital signature to a shortened version of the code (a hash), produced by running the code through a hashing algorithm. The public key is used to verify the signature.

Signing a hash of the code, computed with an algorithm like SHA-1, provides a method to validate whether the code has changed in any way since it was signed.

[Figure: Digital Certificate marked for Code Signing (Code Signing Certificate)]

The Benefits of Code Signing

Code Signing using a trusted third party prevents:
− Users abandoning the installation of an application that is not easily identified as genuine.
− Malicious alteration of legitimate code.
− Identity theft or damage to reputation of vendor or code author.

The end user knows the digitally signed software being executed is legitimate, comes from a known software vendor and has not been tampered with since being published.
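The hash-then-sign process described under "What is Code Signing?", combined with the timestamping behaviour listed under Buyer Considerations, as an added example that is not GlobalSign code. It assumes SHA-256 in place of SHA-1, a toy unpadded RSA key, and a constructed certificate record (CERT, "Example Software Ltd"); the timestamp is treated as already trusted.

```python
import hashlib
from datetime import datetime, timezone

# Toy textbook-RSA key built from two public Mersenne primes: NOT secure,
# it only keeps the example dependency-free. Real signing uses padded RSA/ECDSA.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the publisher

def utc(year, month=1, day=1):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed stand-in for a code signing certificate:
# publisher identity + public key + validity period.
CERT = {"subject": "Example Software Ltd", "public_key": (N, E),
        "not_before": utc(2010), "not_after": utc(2011)}

def digest(code: bytes) -> int:
    """The 'shortened version of the code': its hash, as an integer."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")

def sign(code: bytes, timestamp=None) -> dict:
    """Publisher side: sign the hash of the code with the private key."""
    return {"sig": pow(digest(code), D, N), "cert": CERT, "timestamp": timestamp}

def verify(code: bytes, signature: dict, now: datetime) -> str:
    """User side: recover the signed hash with the public key and compare."""
    cert = signature["cert"]
    n, e = cert["public_key"]
    if pow(signature["sig"], e, n) != digest(code):
        return "tampered"                  # code changed after it was signed
    # With a timestamp, validity is judged at signing time, not at 'now'.
    # (A real verifier also validates the timestamp authority's own signature.)
    when = signature["timestamp"] or now
    if not cert["not_before"] <= when <= cert["not_after"]:
        return "certificate not valid"
    return "valid: " + cert["subject"]

if __name__ == "__main__":
    code = b"constructed installer bytes"
    stamped = sign(code, timestamp=utc(2010, 6, 1))
    print(verify(code, stamped, utc(2015)))            # long after expiry
    print(verify(code, sign(code), utc(2015)))         # same, no timestamp
    print(verify(code + b"\x00", stamped, utc(2010, 7, 1)))
```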

Unsigned code: The end user is presented with a warning message that may cause them to abandon the install.

Signed code: The code has been digitally signed by a certificate from a trusted Certification Authority. The end user is presented with the publisher’s identity.

By digitally signing code, the software vendor enhances customer confidence, increasing the number of downloads.

Supported Platforms

Different platforms have different requirements and options available for digitally signing code. GlobalSign’s Code Signing Certificates support:

Microsoft Authenticode
Windows ActiveX controls can be signed via Authenticode (32 bit and 64 bit .exe, .ocx, .dll or other) and Kernel software for Windows. Windows 7 compatible.

Microsoft Office & VBA
Digitally sign Microsoft Office macros and Visual Basic for Applications (VBA) to avoid Unknown Publisher macro warnings.

GlobalSign is one of the select Certificate Authorities enabled by Microsoft to allow Windows Kernel 64 bit code signing.

Adobe AIR applications
Adobe AIR only allows digitally signed applications to be run.

Java
JAR applet files can be signed to allow apps access to client-side resources.

Apple Mac applications
Code Signing was introduced by Apple in MacOS 9 onwards.

Mozilla & Netscape Objects
Digitally sign Mozilla and legacy Netscape Object files to enable activation in Mozilla browsers.

Buyer Considerations

There are several elements to consider when choosing the right Code Signing Certificate to sign your application.

− Ubiquity: Public rooted Code Signing Certificates, as opposed to self-signed certificates, will allow users to verify the authenticity of the publisher and origin of the software, as well as ensuring that the code has not been tampered with.
− Timestamping services: Timestamping ensures that the signature on your application remains valid after the certificate has expired.
− Price and value: Am I getting good value for the experience, support and functionality?
− Trust: A good reputation and credibility of the Authority can inspire additional downloads of your application.
− Support for individuals and commercial software publishers: Many Authorities only support commercial software publishers and not individuals.

Why choose GlobalSign?

The benefits of signing code with a GlobalSign Code Signing Certificate:

− Removes the "Unknown Publisher" popup in Operating Systems and browsers.
− Full timestamping service included free of charge – timestamping code ensures the signature does not expire.
− Allows an unlimited number of applications to be signed within the lifespan of the certificate.
− Supports all developer platforms.
− Offers multi-year savings - plus multi-year avoids having to renew annually.
− Offers a risk free refund.
− Comes with a $100,000 Warranty - underwritten Liability program.
− Multi-Language Tech Support - access to expert technical support staff via email and telephone.
− Issued by an organization that’s been a WebTrust Accredited Certification Authority since 2002.

Adding Code Signing to your Portfolio

[Figure: Adding Code Signing to your value chain: Developing, Testing, Deploying, Distributing]

Code Signing is the ideal value-add product for VARs looking to complement core services and existing portfolios, opening up a new revenue stream and ensuring customer satisfaction.

Security Partner Program

GlobalSign has developed specialist partner programs to allow you to resell Digital Certificates cost-effectively and hassle-free. Partners receive instant discounts and the GlobalSign SaaS web portal makes the application of certificates quick and easy. A flexible XML API can also allow the process to be fully automated and integrated into your own workflows.

The whole range of GlobalSign Digital Certificate Solutions can be resold using the GlobalSign Partner account, including:

− Code Signing Certificates
− SSL Certificates
− Email encryption (S/MIME Digital IDs)
− Adobe Certified Document Services (CDS) Digital IDs

Reselling Code Signing Certificates

Talk to GlobalSign today about adding Code Signing Certificates to your portfolio.

Learn more about our Partner Program at:
− http://www.globalsign.com/partners/

Read White Paper.
− http://www.globalsign.com/resources/......