Other Parts Discussed in Thread: UNIFLASH, SHA-256
After countless hours of head scratching and forum searching hopefully this question will be useful for others. I have read all relevant docs for code signing. I understand the requirements ( CA must be in catalogue, SHA-384 or SHA-512 are unsupported etc). My question is about what to choose when we want to purchase a code signing certificate. Typically we are offered code signing for different platforms like Java, EV etc. If I read the Comodo store description of the process
- Publisher obtains a Code Signing Digital ID from Comodo.
- Using the SIGNCODE.EXE utility, the publisher is able to create a digital signature and apply it to their executable
- The end user downloads or runs the executable.
- The end user's browser or operating system (depending on the scenario) examines the publisher's certificate and signature. Comodo's Root certificate, which is recognized and trusted by major platforms allows the platform to recognize the certificate and confirm the signature comes from a trusted Certificate Authority.
- The end user's software verifies the signature by comparing the signed data to a locally-computed hash. If they are identical, the platform knows that the executable file it has is identical – down to each bit – to the executable signed by the publisher. This provides cryptographic proof that there have been no malicious or accidental alternations to the code.
None of that is relevant to us! Please give us REAL WORLD guidance as to how to purchase a code signing certificate so we can somehow RELATE what we are purchasing to our simplelink project!
