Code Signing Center - Application Signing Support
Customer support center for Code Signing certificates (certificates for signing code and applications). Here you will find all relevant information regarding code signing and the use of Code Signing certificates.
Code Signing Certificates
Certificates for signing code (Code Signing certificates) are used to sign applications developed on various platforms. The goal of code signing is not only to authenticate the publisher but, above all, to protect the application's authenticity and integrity. If someone were to alter the application (for example, to add malware), the signature would no longer be valid. That is why most current systems either require applications to be signed (macOS) or warn strongly before launching an unsigned application (Windows).
Code Signing EV Certificate
We also offer a certificate with extended validation for code signing. Its benefits and instructions for activation can be found in the following paragraphs.
The Importance of Code Signing EV Certificate
Its importance lies in the increased security of the certificate and its private key. The certificate is stored together with the private key on a hardware token and cannot be exported. Use of the certificate is password-protected, and after a few incorrect attempts the token is erased. This is excellent protection of your Code Signing certificate against misuse. Another important advantage of the Code Signing EV certificate is full trust in the SmartScreen filter that is part of Windows. Thanks to the EV signature, you can be sure that Windows will not block your application for users.
More information about the Code Signing certificate in our offer can be found on the product page DigiCert Code Signing EV.
How to Obtain and Activate a Code Signing EV Certificate
The entire process of obtaining and activating a Code Signing EV certificate is described in the article Commissioning (Activation) of a Code Signing EV Certificate.
How to Sign Software with a Digital Certificate
For signing applications with Code Signing, you need two things:
- Code Signing Certificate
- An application for signing
You can easily obtain a Code Signing certificate from SSLmarket. The signing application depends on the platform you develop for. The following signing tools are popular and widespread; we describe them in our help and can advise you on them:
- Signtool from the Windows SDK (help)
- Jarsigner (see the article on our blog)
- The smctl utility from DigiCert, recommended for KeyLocker (help); it can drive tools such as signtool and simplifies signing
Most of our customers develop in the MS Windows environment and use the Windows SDK. Signing is then done with the signtool.exe tool. Documentation for signtool can be found on the page SignTool.exe (Sign Tool) on Microsoft's website.
Signing with Cloud HSM
Cloud HSM serves as secure storage for the Code Signing certificate and provides remote access to it. Unlike a certificate on a token, it allows automation, and signing is very fast because only the file's hash is sent to the cloud (so-called hash signing).
We strongly recommend hash signing in the cloud rather than a token. It is secure, fast, and inexpensive.
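As an added illustration (not code from SSLmarket, DigiCert or any cloud provider), the following Go program models the hash-signing exchange described above and the tamper check from the introduction: the client hashes the file locally, the RemoteSigner (a constructed stand-in for a cloud HSM that never releases its key) signs only the 32-byte digest, and the verifier recomputes the digest over the file it actually received. The names RemoteSigner, SignFile and VerifyFile, the sample "application" bytes and the digest-length check are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RemoteSigner models the cloud HSM side: it holds the private key and
// never releases it. It accepts only a digest, never the file itself.
// Constructed stand-in, not a DigiCert or cloud-provider API.
type RemoteSigner struct {
	key *rsa.PrivateKey
}

// NewRemoteSigner generates a fresh 2048-bit RSA key inside the "HSM".
func NewRemoteSigner() (*RemoteSigner, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &RemoteSigner{key: key}, nil
}

// PublicKey is what would be embedded in the Code Signing certificate.
func (s *RemoteSigner) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// SignDigest is the only operation the client can request. The input must
// be exactly one SHA-256 output; anything else is rejected, so the service
// can never be asked to sign an arbitrary file or message.
func (s *RemoteSigner) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("remote signer: expected a SHA-256 digest")
	}
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest)
}

// SignFile is the client side: hash locally, send only the digest.
// The returned signature is what a signing tool would embed in the file.
func SignFile(signer *RemoteSigner, fileContents []byte) ([]byte, error) {
	digest := sha256.Sum256(fileContents)
	return signer.SignDigest(digest[:])
}

// VerifyFile recomputes the digest over the file as received and checks it
// against the embedded signature with the publisher's public key.
// Any change to the file, even a single bit, makes this return false.
func VerifyFile(pub *rsa.PublicKey, fileContents, signature []byte) bool {
	digest := sha256.Sum256(fileContents)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	signer, err := NewRemoteSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample "application"; in practice these are the .exe/.msi bytes.
	app := []byte("MZ... constructed application bytes ...")
	sig, err := SignFile(signer, app)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", VerifyFile(signer.PublicKey(), app, sig))

	tampered := append([]byte{}, app...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit, as a malware insertion would
	fmt.Println("tampered verifies:", VerifyFile(signer.PublicKey(), tampered, sig))
}
```

Run it with `go run`; the first line prints true and the second false. The design point is the narrow interface: because SignDigest accepts only a fixed-length digest, the cloud side never sees the file and cannot be turned into a general-purpose signing oracle for arbitrary data formats.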
Recommended Cloud HSMs
- DigiCert KeyLocker
- DigiCert Software Trust Manager
- Azure Key Vault
- GCP Cloud KMS (Google)
- AWS CloudHSM
In the following paragraphs, you will find the advantages and disadvantages of each solution.
DigiCert KeyLocker
The cheapest alternative to a token is KeyLocker. It is a simple single-user service that allows easy code signing. DigiCert provides its own KSP and PKCS#11 libraries that you install on your system, after which you sign code just as you are used to. With its smctl utility, signing is even easier and more straightforward than with signtool; smctl is compatible with the most common code signing tools and can call them. KeyLocker has a limit of 1000 signatures, which makes it suitable for less frequent signing; the number of signatures can be increased for a fee.
DigiCert Software Trust Manager
This is the top cloud solution of the DigiCert ONE platform, intended for enterprise use. It offers management of an unlimited number of certificates and users and is scalable without limit. Connection to your CI/CD platform is provided by ready-made scripts and libraries. Access to STM and the number of signatures are licensed. For more information on pricing and licensing, please contact us. Documentation can be found on DigiCert's website.
Cloud HSM - Azure and Google
Both major cloud players offer an HSM service with secure remote access through their own libraries, which act as a KSP (Key Storage Provider) in Windows. Using them is not complicated, and the cost of both is very favorable (you pay only for cryptographic operations). We recommend Azure and GCP for large numbers of signatures per year because the costs are low.
Instructions for code signing using Azure Key Vault can be found in the article Code Signing using Azure Key Vault. For GCP Cloud KMS, refer to the article Code Signing using Google Cloud KMS.
AWS CloudHSM
With Amazon it is also possible to sign in the cloud with Signtool from the Windows SDK, but the provisioned HSM is charged per hour of operation. Besides these fixed costs you also pay for operations (signatures). If you are not yet using AWS, we recommend an Azure or GCP HSM instead. More information about using Signtool can be found in the article Use Microsoft SignTool with Client SDK 3 to sign files.
Comparison of Azure Key Vault vs Google Cloud KMS vs AWS CloudHSM/KMS+HSM
A comparison of all three cloud HSMs is given in the following table. It focuses on the cost of signing operations (hash signing), fixed fees, scalability, cost at low usage, operational complexity, and latency/throughput.
Factor | Azure Key Vault | Google Cloud KMS | AWS CloudHSM / KMS + HSM
---|---|---|---
Fees for operations (sign/verify) | Very low (≈ $/10,000 operations). | Very low (≈ $/10,000 operations). | Not the decisive cost; the fixed HSM costs dominate.
Fixed costs | Possible monthly fee for an HSM-backed key; otherwise low. | No significant fixed costs in the basic mode. | High: hourly rental of the HSM (24/7) or a Custom Key Store.
Scalability and capacity | Linear with the number of transactions; limited by throttling. | Linear; watch the quotas (QPS/QPM). | Scales by adding HSMs; fixed costs grow with them.
Cost at low usage | Affordable; you mainly pay for operations. | Affordable; you mainly pay for operations. | Unfavorable; you pay for the HSM even without load.
Operational complexity | Low; managed service. | Low; managed service. | Higher; you manage the HSM cluster and its HA/DR.
Contact Us
If you are unsure about any step of ordering, issuing, or installing the certificate, or have any questions, do not hesitate to contact our customer support, who will advise and help you. Our experts with DigiCert Security Sales Expert Plus certification are available every weekday during normal working hours.
You can also contact us directly from your customer account by sending a request from the Authorized Request menu.
FAQ - Frequently Asked Questions
Is the Code Signing certificate tied to my domain name?
No. A Code Signing certificate is not issued for a domain but for a specific organization; the organization's name appears in the certificate's Common Name (CN).
What can I sign?
With a DigiCert Code Signing certificate you can sign various types of software and scripts, assuring users that they come from a trusted source and have not been modified since they were signed.
✅ What can be signed:
- Executable files: .exe, .dll, .ocx, .msi, .cab
- Windows drivers (WHLK/HLK)
- Java applications: .jar
- Macros and VBA scripts in Microsoft Office
- PowerShell scripts: .ps1
- macOS applications and bundles (via Apple Developer ID)
- Adobe AIR applications
- .NET applications and libraries
- Scripts and installers in various environments
⚠️ What cannot be signed:
- Code requiring a qualified electronic signature according to eIDAS
- Files not intended for distribution
- Formats and platforms that do not support digital signatures
Is a timestamped code valid even after the Code Signing certificate expires?
Yes, timestamped code remains valid even after the certificate expires. If you use a timestamp when signing, the verifying system checks that the code was signed during the certificate's validity period, so the signature remains trusted. Without a timestamp, the code must be re-signed with a new certificate once the old one expires.
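The following Go example, added here and not part of the original page, makes the timestamp rule concrete with a constructed test PKI: a throwaway self-signed root issues a code-signing certificate valid for one year, a file is signed six months in, and verification runs one month after expiry. With a timestamp the chain is checked at the attested signing time; without one it is checked at the current time and fails with an expiry error. SignedArtifact, VerifyAt, buildChain and Demo are names chosen for this example, and the signature bytes and the TSA's own countersignature that a real signed file carries are left out because only the time of the check matters here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedArtifact is a constructed model of a signed file: the publisher's
// code-signing certificate, the trusted roots and, optionally, the time a
// timestamp authority attested that the signature was made.
type SignedArtifact struct {
	Leaf          *x509.Certificate
	Roots         *x509.CertPool
	TimestampedAt *time.Time // nil when the file was signed without a timestamp
}

// VerifyAt checks the certificate chain the way a signature verifier does:
// with a timestamp, validity is judged at the attested signing time;
// without one, at the moment of verification (now).
func VerifyAt(a SignedArtifact, now time.Time) error {
	checkTime := now
	if a.TimestampedAt != nil {
		checkTime = *a.TimestampedAt
	}
	_, err := a.Leaf.Verify(x509.VerifyOptions{
		Roots:       a.Roots,
		CurrentTime: checkTime,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// mustCert parses freshly created DER or panics (fine for a test PKI).
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildChain creates a self-signed root and a code-signing leaf valid for
// [notBefore, notAfter]. Constructed test PKI, not a DigiCert chain.
func buildChain(notBefore, notAfter time.Time) (*x509.Certificate, *x509.CertPool) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             notBefore.AddDate(0, 0, -1),
		NotAfter:              notAfter.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert := mustCert(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		// A Code Signing certificate names the organization, not a domain.
		Subject:     pkix.Name{CommonName: "Example Publisher Ltd. (constructed)"},
		NotBefore:   notBefore,
		NotAfter:    notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafCert := mustCert(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leafCert, roots
}

// Demo signs mid-validity and verifies one month after expiry, with and
// without a timestamp, returning the two verification results.
func Demo() (withTimestamp, withoutTimestamp error) {
	issued := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	expires := issued.AddDate(1, 0, 0)
	leaf, roots := buildChain(issued, expires)
	signedAt := issued.AddDate(0, 6, 0) // signed while the certificate was valid
	now := expires.AddDate(0, 1, 0)     // verified after it expired
	return VerifyAt(SignedArtifact{Leaf: leaf, Roots: roots, TimestampedAt: &signedAt}, now),
		VerifyAt(SignedArtifact{Leaf: leaf, Roots: roots}, now)
}

func main() {
	withTS, withoutTS := Demo()
	fmt.Println("timestamped, verified after expiry:", withTS)
	fmt.Println("no timestamp, verified after expiry:", withoutTS)
}
```

Run with `go run`: the timestamped case reports no error, the other reports that the certificate has expired. The practical consequence matches the FAQ answer: without a timestamp, every shipped build must be re-signed when the certificate rolls over, so the timestamp should be part of the standard signing command rather than an afterthought.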
How can I timestamp VBA projects?
See the article Instructions for timestamping VBA code at DigiCert.com.
Is there a limit to the number of applications I can sign with a Code Signing certificate?
No, you can sign an unlimited number of applications with the certificate. If you have the Code Signing certificate on a token, you can sign without limit. The number of signatures only matters with cloud services:
- DigiCert KeyLocker: you have 1000 signatures for the duration of the certificate's validity; additional signatures can be purchased.
- Software Trust Manager: signatures are licensed for the duration of the contract.
How do you sign with a certificate in the cloud?
Signing with a Code Signing certificate in the cloud is simple and fast. It uses hash-based signing: the hash of the file is calculated locally and only that hash is sent to the cloud for signing. The file itself is never transferred; only the signed hash is returned and embedded in the file as its signature. This makes the whole process secure and efficient.
Hash signing using the cloud can be used with these products: