Extended Validation (EV) Code Signing (in Windows 8)

Extended Validation (EV) Code Signing is a new code signing method that is supported by Windows 8 and Internet Explorer 9 and Internet Explorer 10. It is considered to be more safe than the traditional method for code signing. In this article we will discuss the new EV code signing method.
Code signing is important
It is very important to code sign (digitally sign) your software. That's for two main reasons:
n Increased level of security. A code signed program can normally not be altered without the system discovers it. A checksum (hash value) is stored with the code signing information, and if somebody makes any changes in the program file, the checksum will not be the expected one and Windows will warn the user and refuse to start the program.
n Fewer warning messages. Windows will very likely warn the user if a program is not code signed. A code signed program will not get so many warning messages. And the warning messages that are shown will not be so deterrent.
The traditional code signing method
Software developers have code signed (digitally signed) their software, for example applications, components, drivers etc., for many years now. The traditional way of code signing software has been considered as a very safe method for a long period of time, but lately there have been reports on that there are security gaps. Stolen code signing certificates (digital certificates) have been used to code sign malware, and the operating system has thought that the software is "friendly" because it was code signed.
One famous malware that was code signed in this way was the Stuxnet computer worm. Stuxnet was code signed by using keys of two certificates that were stolen from two well-known companies in Taiwan.
Extended Validation (EV) Code Signing
There is now a new method available to code sign software. The name of the new method is Extended Validation (EV) Code Signing and it is considered to be safer than the traditional method. That's for the following two reasons:
n More rigorous vetting. A more comprehensive identity verification and authentication process is used.
n Hardware is used. A hardware token and an associated PIN code is used to increase the security.
The hardware token and the PIN code add a physical factor to the signing process which increases the security level a lot. The digital certificate’s private key is stored on the hardware, so even if the computer is hacked it is impossible to steal the private keys. Without the private keys it will not be possible to code sign any application, driver, or other type of software. The EV code signing method is hacker safe.
The code signing process and the verification process
The images below show how the EV code signing process and verification process is made. The first image shows the EV code signing process and the second image the verification process:
EV Code Signing
The EV Code Signing process
A hash value of the code is calculated. The hash is then encrypted with the digital certificate’s private key which is retrieved from the hardware token. The information is then attached to the code (for example a Windows application).
The verification process
The verification process works in a similar way as with traditional code signing. A function calculates the code´s hash value, and compares it with the stored (and encrypted) hash value. Both hash values must be the same, otherwise the system will not allow the program to be launched.
Symantec and DigiCert
Currently EV code signing certificates are only issued by the two certificate authorities Symantec and DigiCert. An EV code signing certificate costs more than a traditional certificate. Currently Symantec charges $995 (US dollars) for a 1 year EV code signing certificate, $1,790 for 2 years and $2,585 for 3 years. DigiCert sells its 3 year EV code signing certificate for $331.67 for 3 years, but with the hardware token included the price is $995. The price is higher, but the security will be stronger.
Windows SmartScreen
The Extended Validation (EV) Code Signing co-operates with SmartScreen (the SmartScreen Application Reputation technology) in Windows 8, Internet Explorer 9 and Internet Explorer 10. An application signed with an EV Code Signing certificate can immediately establish a good initial reputation with SmartScreen even if no prior reputation exists for that application or publisher. In Windows 8 this means that a warning message like the one below will very likely never be shown for the user, not even the first time the application is run:

Windows SmartScreen: Windows protected your PC (3) - With the name of the Publisher displayed

The more stringent developer authentication and the more secure hardware-based code signing will make Windows to threat the application differently than an application with a traditional digital signature.
More about Windows SmartScreen
Windows SmartScreen is a reputation-based security system from Microsoft. Currently it is included in Windows 8 and Internet Explorer 9/10. Downloaded files are automatically assigned a reputation rating based on different algorithms that consider many objective criteria, such as antivirus results, download traffic, download history, and URL reputation. A downloaded application that has no positive reputation (no positive download history) will result in a warning message is shown for the user when he/she try to start the application. No such a warning message is shown if the user try to run an application with established reputation.
EV Code Signing is not required for SmartScreen
It is not required to use EV code signing certificates to build and maintain reputation for the files that you distribute. Also traditional code signing certificates can be used, but it will take more time for SmartScreen to accept the files. But if your files have a positive download history for a period of time, no warning messages will be shown in Windows 8 and Internet Explorer after a while.
More information
More information about Extended Validation (EV) Code Signing, Microsoft SmartScreen and Windows 8 is available in the Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates blog post on MSDN.

See also:
How to install a desktop application / desktop app in Windows 8
Related products:
SamLogic Visual Installer
Do you want to read more articles and tips?
If you want to read more articles and tips about Windows and related topics you can follow us on Facebook or Twitter, or subscribe on our newsletter. You can also read our blog.
Visit our Facebook page Follow us on Twitter Visit our video channel on YouTube
Other articles
More articles are available from the article index page.

The information in this article is also valid for Windows 8.1.

Related Articles




Article written by: Mika Larramo