How Does Extended Validation (EV) Code Signing Work?

EV Code Signing signs with a key stored on an external hardware token

You're interested in an Extended Validation Code Signing Certificate—but how does it work? Maybe you've heard about the fact that the key is saved on an external hard drive. Maybe you haven't heard anything. Don't worry, we can help. Pull up a chair – or perhaps more accurately, lean back in one – and let us walk you through how EV Code Signing works.

Private Keys on External Hardware

One of the biggest differences between a standard code signing and an EV Code Signing certificate is the way that the private key is stored. The private key is important because it's what's used to digitally sign your software. If it's ever compromised it can be used to sign malicious code—or for some other malfeasance that hasn't even occurred to us. Suffice it to say the security of your private key is of supreme importance.

Comodo EV Code Signing solves this problem by requiring that the private key be stored on an external hardware token (provided by Comodo). This prevents any unauthorized personnel from accessing the key and using it to sign unauthorized software. The only copy of the key will be physically located on the device, drastically reducing the number of people that will come into contact. Just don't lose that hard drive.

Get the highest assurance by Microsoft.

How does EV Code Signing Work?

Ok, now that you understand the key storage, let's talk about the code signing process. If you're a visual learner, we've drawn you this picture to help you understand the process better.

How does EV Code Signing Work

Now let's walk you through it step-by-step. After you create your software, the software is then hashed so that it cannot be easily tampered with or altered.

Following this, the private key – which is stored on an external hardware token (did we mention that?) – is used to digitally sign the software and add a timestamp. A digital signature is a type of electronic signature that uses encryption to help validate the authenticity and integrity of a file, document or program.

Once the software is signed and timestamped, it can be made available for download. Anyone downloading said software will have no issues, the browsers will trust you, the publisher, and the user will see that the software's integrity has not been compromised.

Or, put another way, there will be no doubt left in your customers' minds—nothing to prevent them from going through with the download.