We’ll quickly explore three ways you can get a code signing certificate to secure your software and supply chain right away Since 2023, code signing certificates must be installed on secure hardware. For all code signing certificates, this means you can choose from one of…
Blogging About Everything Software Security – Threats, Updates, Best Practices, Tips, & More
Software touches the everyday lives of billions of people around the world. They rely on us (the software industry) to deliver dependable, safe applications for them to use. This blog is dedicated to working together to do our part to make the (software) world a better place…one piece of software at a time!
Learn all about the SafeNet Authentication Client — an authentication and secure key storage tool that minimizes malware infection and code tampering risks in your software by protecting your private signing key and securing your code…
Escape the file not found error. Help SignTool to find a way to your file through your folders maze File not found. How many times have you seen this warning, even when you weren’t using SignTool.exe?…
Unable to sign your code due to this intermittent SignTool.exe error? We’ve got the answer No matter how good you are at code signing, intermittent warnings can be difficult to identify and resolve. Here, we’ll explore…
This is one example of the 08008* code signing-related errors that happen quite often and ends with an error code that looks like a toll-free phone number: SignTool Error: An Unexpected internal error has occurred. Error…
This quick guide will help you resolve this size-related issue in a snap Let’s check another ambiguous but pretty common code signing-related error on Windows: But wait, isn’t this a SignTool error? Not exactly. It’s technically…
Not sure how to become a verified publisher with Microsoft? No worries — we’ll break down what a Microsoft-verified publisher is and how you can start publishing Windows-trusted desktop applications and drivers in no time. Are…
In 2021, PowerShell was the number one attack vector with 35% of organizations impacted. The solution? Code signing your scripts. Discover how to activate world-class security and protect your PowerShell scripts with a code signing certificate…
SonicWall’s 2023 report reveals that nearly one in three detected malicious files were executables. Prove to your clients that your .exe files are authentic and malware-free. Here’s our no-fluff, step-by-step guide on how to sign an…
While it’s possible to generate and use a self signed code signing certificate, this is a practice you should avoid doing for uses outside your organization’s internal testing environment Technically speaking, it’s possible to use self…
This step-by-step guide will walk you through how to install a .pfx certificate on Windows 10 Certificate Manager (i.e., how to import a .pfx certificate file). This process works for importing code signing certificates as well…
Learn how to restyle your SignTool command to successfully add a timestamp to your Windows code and eliminate this error Uh-oh. It looks like you forgot to define the algorithm. Cryptographic algorithms are a fundamental part…
Does the following Jarsigner code signing certificate chain error leave you perplexed? Let’s find out how to fix it. During the code signing process, all signing tools (e.g., Jarsigner) access the Keystore to ensure that it…
Are you frustrated by this SignTool error? Shake it off and learn how to fix it by following our quick, practical tips “SignTool Error: No File Digest Algorithm Specified. Please Specify the Digest Algorithm with the…
Learn the double meaning behind this Jarsigner alias error message and our handy tips to help you fix it Jarsigner is notorious for blurting out ambiguous warnings, as is the case with the error “only one…
To sign a Java code with Java Jarsigner, you need to know your private key’s alias that can be identified with a simple command line (CMD) script: However, you might end up receiving an error message…
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
suspension note
In order to comply with U.S. export control and economic sanctions laws and regulations, as well as our corporate policies, we do not support users accessing our applications from Cuba, Iran, North Korea, Syria, and the regions of Crimea, Donetsk People’s Republic (DNR) and Luhansk People’s Republic (LNR) of Ukraine without prior approval from the U.S. government.
Please be aware that these restrictions apply even when a user is on temporary travel to embargoed regions although the user may not normally reside there. If you believe that you have reached this page in error, please reach out to support.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Google Cloud KMS (Cloud HSM)
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Google Cloud KMS (Cloud HSM)
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.