Code Signing Validation

Putting your software online gives consumers a way to obtain it. However, the internet is crowded with malicious applications, and no one would dare to download a file that comes from an unknown publisher.

Even when a program created by your company is authentic, a user has no reason to believe it. If the download appears suspicious, the browser will show the user a warning suggesting that they cancel the download because it may harm the system and its data.

This can cause a huge loss to a business because of fewer downloads. A developer won’t get what he deserves even if the application is remarkable. The straightforward way to create a credible image of your company and product is code signing, which helps to build trust in users’ minds and eventually leads to more downloads and better business.

What is Code Signing?

As mentioned above, code signing lends credibility to your software. Before looking at how it works, we would like to explain what exactly it is.

Code signing allows you to attach a signature to your software which validates its source. With its help, a downloader will know who created the application and when it was last edited.

If anyone other than the developer tampers with the application, code signing will make this known to the software owner as well as to users. Because of this, you can easily keep a check on your product.

If a hacker plants malware in your product, it will notify you immediately, and you can act accordingly. In the absence of code signing, users will download the infected program, which can damage an individual's data and cause a fall in the company's reputation.

Code signing helps to strengthen your presence, as users will know who the publisher of a program is. This directly helps to uplift your business.

Code signing certificates come in two types, depending on the validation. An organizational code signing certificate verifies the organization that created the software. If an individual has created the program, he can go for an individual code signing certificate, which verifies only the individual’s identity.

How do I get verified?

The validation process differs between the two certificates (organizational and individual). However, the objective remains the same: to find out whether the application creator is legitimate or not.

The certificate authority (CA) will provide proof that your business is recognized and mark you as a trustworthy entity. Browsers will not show warning messages to your users, and they will download the application without worrying about malware. The CA therefore does not want to take any risk of providing this certificate to an inappropriate business or individual. For that reason, you will need to go through a thorough check.

The process isn’t hectic and does not take much of your time. It is worth the effort, as it protects your program and the users who download it. Furthermore, it will help to grow the number of downloaders by maintaining your reputation.

Organizational Validation

To get an organization code signing certificate, there are just four requirements, which are listed below. You can read about them in detail by following the links to their respective pages.

  • Step 1: Organization Authentication
  • Step 2: Locality Presence
  • Step 3: Telephone Verification
  • Step 4: Final Verification Call

Individual Validation

The validation process differs because the entity that the certification authority wants to verify is different in this case. In organizational validation, you need to prove that the business you own is legitimate. But when an individual wishes to purchase a code signing certificate for his application, he needs to go through individual validation. Specific documents must be submitted, and the following verification steps must be completed:

  • Step 1: Identity Verification
  • Step 2: Telephone Verification
  • Step 3: Final Verification Call

Individual validation also depends upon the certification authority whose code signing certificate you purchase. But in the end, the primary aim remains the same: establishing the credibility of an individual.

Let’s Begin!

There should not be any reason to have second thoughts about buying a code signing certificate. It will protect your software, provide assurance to your users, and inform you whenever any tampering takes place. We are here to help you with every validation step, making the purchase easier.

So, without spending more time here, let’s go ahead with the validation process!

Organization Validation Steps

Step 1: Organization Authentication

This is the primary step, and it is mandatory for every company seeking an organization code signing certificate. Here, the certificate authority (CA) will judge the legitimacy of your organization based on the documents the business provides.

What is Organization Authentication?

This step usually demands a lot of involvement from the CA’s side. The CA checks whether your organization is legally registered and active within the stated state or country. It is a non-negotiable requirement that every piece of listed information from the organization’s registration match the details that you have provided to the CA. Information about the trade name, assumed names or DBAs needs to be provided and should be current and accurate.

The usual way for CAs to verify this information is by checking a government database. This database could be maintained by your local municipality, state or country, or it could be any government-owned website that displays your business registration.

If all the details discussed above match, the organization authentication step is complete. If they do not, there are alternative methods as well.

Alternative Method: Listed below are the 3 alternative methods that are used for organization authentication.

Official Registration Documents

Documents issued by the local government can be used here. Such documents can include:

  • chartered licenses
  • articles of incorporation
  • dba statements
  • anything from the government that shows your company is a legal entity

Dun & Bradstreet

A DUNS Credit Report can be used, since it verifies the specific details associated with the business.

Legal Opinion Letter

Often known as the Professional Opinion Letter or POL, Legal Opinion Letters usually come with a lot of hassle. However, they come in handy at times like this. They help verify four out of five requirements.

Step 2: Locality Presence

The next step in Organization Validation is proving Locality Presence. During this phase, the CA is required to check for an active legal presence of the company in its registered location.

What is Locality Presence?

For this criterion to be satisfied, the CA needs to verify the organization’s presence at a legitimate physical location, and this location must match the registered address.

Usually, the certificate authority extracts this information from an online government database. This database could be maintained by your local municipality, state or country, or it could be any government-owned website that displays your business registration.

If all the criteria are satisfied, then this step is finished.

If anything doesn’t work out as described, you can resort to additional methods.

Alternative Method:

Official Registration Documents

Documents issued by the local government can be used here. Such documents can include:

  • chartered licenses
  • articles of incorporation
  • dba statements
  • anything from the government that shows your company is a legal entity

Dun & Bradstreet

A DUNS Credit Report can be used, since it verifies the specific details associated with the business.

Legal Opinion Letter

Often known as the Professional Opinion Letter or POL, Legal Opinion Letters usually come with a lot of hassle. However, they come in handy at times like this. They help verify four out of five requirements.

Any of the above-mentioned methods can be used to prove the Locality Presence.

Step 3: Telephone Verification

Telephone Verification is a rather straightforward step of this entire process. All you really need is a listed telephone number or a number that is verifiable through a third-party directory.

What is Telephone Verification?

To satisfy the telephone verification requirements, you need to have:

  • An active telephone number
  • This number should be listed by an acceptable telephone directory online
  • This listing needs to display the exact business name that you verified
  • The listing must display the exact physical address that you verified

The first place CAs look is the online government databases. So the process won’t cause you any trouble if your number is listed there and satisfies the above-mentioned criteria.

As not many government databases display a number, alternative methods have been devised to reduce the hassle for you.

Alternative Method: If the government database does not include your phone number, these are the options you can opt for.

Third-Party Directory

The CA can be asked to look up an acceptable third-party directory such as Yellow Pages, Scoot, 192.com, etc. Here too, the condition remains that the business name and physical address must match.

** PLEASE NOTE: Comodo considers third-party listings only from Dun and Bradstreet or the Better Business Bureau (US businesses only).

Legal Opinion Letter

Often known as the Professional Opinion Letter or POL, Legal Opinion Letters usually come with a lot of hassle. However, they come in handy at times like this. They help verify four out of five requirements.

Any of the methods listed above can be used to meet the Telephone Verification requirement.

Step 4: Final Verification Call

This is the final step of the Code Signing Certificate validation process. During this step, the CA calls the telephone number registered with your organization. All the details acquired during the above-mentioned steps are verified during this call.

If the registered telephone number doesn’t connect the CA directly to you, the CA will try to reach you by phone using different methods.

Alternative Method:

Extension or IVR

The CA will be able to work through your phone system if it uses extensions or IVR (Interactive Voice Response).

Transfer or Alternative Number

If an alternative number is provided to the CA during registration, e.g. that of the receptionist or the manager, then these contacts can also give the CA your actual number.

Individual Validation Steps

Step 1: Identity Verification

If you are an individual who wants to purchase an individual code signing certificate, then you need to verify your identity. Regardless of the CA, every individual needs to go through this process so that certificates go only to legitimate individuals.

What is Identity Verification/Authentication?

Certification authorities check that the details you have provided to the government match the details you have provided to them. Complete verification of an individual's identity can be done using a Notary ID form. This ID form will be provided by the certification authority via email. You need to have this form notarized by a licensed public notary.

Besides this form, the CA will also ask you to send some documents. The information in the notarized form must match the documents that you provide. Different CAs require different documents to conduct their validation process. Below is a detailed description of the essential documents you need to send.

Thawte and Symantec Identity Authentication Process

The easiest way to get your identity verified is to provide them with a copy of a valid passport containing your photograph and full name. If you don’t own a passport, there is another way, which asks for ID proofs. The first ID must be selected from the following options, which are considered primary IDs.

  • National or State ID card
  • Military ID card
  • Driver’s License

After you provide any one of these IDs, you also need to send a secondary ID in addition to the primary ID. It can be one of the IDs in the list below:

  • Utility Bill
  • Social Security Number
  • Student ID Badge
  • Medical Card

Send these ID proofs if you don’t have a valid passport. Also, don’t forget to send the notarized form along with these documents. After this, they will start their identity check, and if you are found to be a legitimate individual, you will get the certificate soon.

Comodo Identity Authentication Process

Comodo’s individual identity verification is much more demanding than what you have seen for Symantec and Thawte. Comodo, in total, asks for three documents: one government-issued ID proof, a financial document and a non-financial document.

You can choose one of the ID proofs in the list below:

  • Personal ID card
  • Military ID
  • Driver’s License
  • Passport

Work isn’t finished yet. Now you need to select one financial and one non-financial proof. Both the documents must contain your full name.

List of financial documents:

  • Debit Card Statement
  • Tax Bill
  • Lease Agreement
  • Utility Bill

All three of these documents must be provided along with the notarized ID form that was mailed by Comodo. The verification process on their end will start only once they receive these documents. Once they are satisfied with your legitimacy, the certificate will be provided.

Step 2: Telephone Verification

Telephone Verification is a rather straightforward step of this entire process. All you really need is a listed telephone number or a number that is verifiable through a third-party directory.

What is Telephone Verification?

To satisfy the telephone verification requirements, you need to have:

  • An active telephone number
  • This number should be listed by an acceptable telephone directory online
  • This listing needs to display the exact business name that you verified
  • The listing must display the exact physical address that you verified

The first place CAs look is the online government databases. So the process won’t cause you any trouble if your number is listed there and satisfies the above-mentioned criteria.

As not many government databases display a number, alternative methods have been devised to reduce the hassle for you.

Alternative Method: If the government database does not include your phone number, these are the options you can opt for.

Third-Party Directory

The CA can be asked to look up an acceptable third-party directory such as Yellow Pages, Scoot, 192.com, etc. Here too, the condition remains that the business name and physical address must match.

** PLEASE NOTE: Comodo considers third-party listings only from Dun and Bradstreet or the Better Business Bureau (US businesses only).

Legal Opinion Letter

Often known as the Professional Opinion Letter or POL, Legal Opinion Letters usually come with a lot of hassle. However, they come in handy at times like this. They help verify four out of five requirements.

Any of the methods listed above can be used to meet the Telephone Verification requirement.

Step 3: Final Verification Call

This is the final step of the Code Signing certificate validation process. During this step, the CA calls the telephone number registered with your organization. All the details acquired during the above-mentioned steps are verified during this call.

If the registered telephone number doesn’t connect the CA directly to you, the CA will try to reach you by phone using different methods.

Alternative Method:

Extension or IVR

The CA will be able to work through your phone system if it uses extensions or IVR (Interactive Voice Response).

Transfer or Alternative Number

If an alternative number is provided to the CA during registration, e.g. that of the receptionist or the manager, then these contacts can also give the CA your actual number.