Code Signing Certificate Options

I've been assigned the task of buying a digital certificate for my company to sign our code. We develop applications in the Microsoft space - mostly WPF or Web Based.

I've investigated options and found Comodo to be well priced and responsive, and we're ready to go ahead and purchase a cert through them. However, in the signup form there are various private key options that I'm not too sure about, namely:

  1. CSP

    • Microsoft Base Cryptographic Provider
    • Microsoft Base Smart Card Crypto Provider
    • Microsoft Enhanced Cryptographic Provider v1.0
    • Microsoft Software Cryptographic Provider
  2. Key Size

    • 1024
    • 2048
    • 4096
  3. Exportable?

    • Yes / No
  4. User Protected?

    • Yes / No

I'm just wondering what all of this means, and what the best options are for our requirements. Any advice/suggestions would be appreciated.

Thanks heaps, Greg

1 Answer

For "most purposes" the following options are recommended:

  • Microsoft Base Cryptographic Provider
  • Key Size: 2048
  • Exportable: Yes
  • User Protected: Yes

To be honest, I'm not familiar with the different CSPs, but the Base does the job every time for me.

  • A larger key size makes the key harder to crack, but 2048 bits is ample for a short- to medium-term key (3-5 years), IMHO.

  • Exportable lets you export the private key/certificate pair - essential for backing it up!

  • User Protected means that you must enter a password every time that you want to use the cert - highly recommended to prevent accidental or malicious signing of code with your certificate.

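What the four options actually do on a Windows machine, as an added example that is not part of the question or the answer above. The script creates a self-signed code-signing certificate (test use only; a release certificate comes from a CA via a CSR) using the same four settings the enrollment form asks for, signs a script, verifies it, shows a tampered file being rejected, and shows a non-exportable key refusing to leave the machine. It assumes Windows 10 / Server 2016 or later, PowerShell 5.1 and an interactive desktop session (the key-protection and root-import prompts need one); the subject name, paths and password are made up. One caveat the answer does not cover: the legacy Base and Enhanced v1.0 providers listed in the form are PROV_RSA_FULL CSPs that only hash with MD5/SHA-1, so they cannot produce the SHA-256 Authenticode signatures Windows expects today; the example therefore names the Enhanced RSA and AES provider. It also deliberately picks Non-exportable and high key protection so the effect of those options is visible; change the export policy to Exportable if you follow the answer's advice to back the key up as a PFX.

```powershell
# Added example, not from the original post: "CSP", "Key Size", "Exportable"
# and "User Protected" in practice. Self-signed cert for TESTING ONLY.
# Assumes Windows 10 / Server 2016+, PowerShell 5.1, interactive session.
# Subject, paths and password are made up.

$subject = "CN=Example Corp Test Code Signing"
$workDir = Join-Path $env:TEMP "codesign-demo"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Option 1, CSP: the form's "Base" / "Enhanced v1.0" providers (PROV_RSA_FULL)
#   hash only with MD5/SHA-1 and cannot make SHA-256 signatures; use the
#   RSA+AES provider (PROV_RSA_AES) or the CNG default
#   "Microsoft Software Key Storage Provider" instead.
# Option 2, Key Size: 2048-bit RSA, as the answer recommends.
# Option 3, Exportable: NonExportable means Export-PfxCertificate is refused,
#   so the key can only be used from this machine's certificate store.
# Option 4, User Protected: ProtectHigh = a password prompt on every use of
#   the private key (the answer's "enter a password every time").
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject $subject `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -KeyExportPolicy NonExportable `
    -KeyProtection ProtectHigh `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation Cert:\CurrentUser\My

# A self-signed cert is untrusted until its public half sits in the Root
# store. Test machine only; it is removed again at the end.
$cerPath = Join-Path $workDir "test-codesign.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null   # public part only
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# Constructed target: a one-line script to sign.
$target = Join-Path $workDir "hello.ps1"
Set-Content -Path $target -Value 'Write-Output "hello from a signed script"'

# Sign. This is the point where "User Protected" prompts for the key password.
# -TimestampServer is left out so the demo runs offline; for real releases add
# one, otherwise the signature is only valid for as long as the cert is.
$sig = Set-AuthenticodeSignature -FilePath $target -Certificate $cert -HashAlgorithm SHA256
"signed: status={0} signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject

# Verify independently of the object returned by signing.
"verify: {0}" -f (Get-AuthenticodeSignature -FilePath $target).Status

# Tamper: append one line. The file hash no longer matches the signed hash,
# so the status changes from Valid to HashMismatch.
Add-Content -Path $target -Value 'Write-Output "injected after signing"'
"after tamper: {0}" -f (Get-AuthenticodeSignature -FilePath $target).Status

# "Exportable: No" in action: the private key cannot be pulled out as a PFX.
try {
    $pw = ConvertTo-SecureString "not-a-real-password" -AsPlainText -Force
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $workDir "key.pfx") -Password $pw | Out-Null
    "export: unexpectedly succeeded"
} catch {
    "export refused: {0}" -f $_.Exception.Message
}

# Cleanup: delete the test cert and its key container from both stores so the
# machine does not keep trusting a throwaway root.
Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint) -DeleteKey
Remove-Item -Path ("Cert:\CurrentUser\Root\" + $cert.Thumbprint)
```

Run it from an elevated PowerShell prompt and watch the three status lines: the first two should read Valid, the third HashMismatch, and the export attempt should be refused with a message about a non-exportable private key. For a production key the same four choices apply to the CSR you hand the CA; generating it non-exportable on the build machine (or on a smart card via the Base Smart Card Crypto Provider) means a compromised workstation yields no portable copy of the key, at the cost of the PFX backup the answer recommends.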