Code Signing Issues and Solutions

Introduction:

Code signing is now mandatory for all Windows* applications submitted to the Intel AppUp(SM) Developer Program. Developers registered through the program can, for a limited time, get a free code signing certificate from Comodo. This blog lists the issues that developers have experienced during certificate application, applicant verification and the signing process, along with solutions to these known issues.

All known issues are classified under three broad categories:
A: Applying for a code signing certificate
B: Exporting the certificate and signing applications
C: Support

A: Applying for a code signing certificate:
1: I am an individual developer and do not have a registered organization. Can I still apply for a code signing certificate?
Yes. Comodo allows both individuals and organizations to apply for a code signing certificate. If applying as an organization, make sure that the name and address of the organization are accurate and match the documents that you submit to Comodo for verification. If you notice that the organization name is incorrect while creating an account in appdeveloper.intel.com, please return to your homepage and create a new organization that matches your registered organization before proceeding with the certificate application.

If you are an individual, please make sure that you enter your first name, last name and address accurately on the form. If your name is spelled incorrectly, you can correct it directly on the certificate application form. The name and address should match the documents submitted to Comodo for verification.

2: What browsers are supported for code signing?
Comodo recommends using Internet Explorer (IE) or Firefox on a Windows machine. While Chrome may be the browser of choice for some developers, we have seen issues with retrieving the certificate through Chrome. To avoid this situation, we strongly suggest that developers use IE or Firefox.

3: I used Internet Explorer and received the message “member not found” during the certificate application process. Why did that happen?
The code signing process is based on the concept of public key cryptography. Generating a certificate request requires generating a key pair, and in IE the key pair is generated by ActiveX controls. The above error could mean that the ActiveX controls are not loaded. If your browser security settings do not allow ActiveX controls to run, please enable loading of the controls before proceeding further.

4: I have submitted my certificate request to Comodo. What documents will I need to prove my identity?
The documents you provide will differ between individuals and organizations. Please refer to the appropriate section below:
For individuals:

  1. A government-issued photo ID (passport, driver's license), AND
  2. One of the following if the address on the photo ID matches the order information, otherwise two of the following (the address on the document MUST match the order details):
    1. Major utility bill
    2. Bank statement
    3. Government-issued documents such as a business license, tax documents, etc.

For organizations:

Submit any two of the following:

  1. Articles of Incorporation (with address)
  2. Government-issued business license (with address)
  3. Copy of a recent company bank statement (you may blacken out the account number)
  4. Copy of a recent company phone bill
  5. Copy of a recent major utility bill of the company (e.g. power bill, water bill, etc.) or current lease agreement for the company

Comodo requires a callback phone number whose name and number match the order information (for both individuals and organizations).

  • A land line, a VoIP phone that is e911 compliant, or a cell phone is acceptable.

B: Exporting the certificate

1: I received an email from Comodo with a link to retrieve the certificate. Is there anything I need to be careful about while exporting the certificate?
Please note that to successfully export the certificate, you will have to use the same browser and the same computer you used to place the order. For example, if you used IE on machine A to place the order, you will need to use IE on machine A to export it as well. Using any other combination will not work.

2: Can I use a Mac to get a certificate?
If you are using a Mac, please ensure that you use Firefox to place the certificate request and export the certificate. The process will not work with Safari. However, you will need to use a Windows machine to sign the application.

C: Signing applications

1: Can other developers in my organization use the certificate I received? Should I use the same computer to sign applications?
Yes, other developers can use it. Once you have exported the certificate, you can save it on multiple computers and use it to sign apps. All developers who will use the certificate will need access to the password used while exporting the certificate.

2: Is there a restriction on the number of apps I can sign with one certificate?
No. One certificate can be used to sign as many apps as you wish as long as the certificate has not expired.

3: Articles on code signing refer to certificates in .pfx format. However, Comodo gave me a certificate in a different format. What do I do?
The format of the certificate is browser dependent. If you used IE, you will have received a .pfx certificate. If you used Firefox, you will receive a certificate in .p12 format. Both .pfx and .p12 are essentially the PKCS12 file format, so you can simply rename a .p12 certificate to .pfx and use it to sign your application.

However, if you used a Mac and Firefox, the certificate you will receive is in .p7s format. Please refer to the corresponding question below for instructions on converting .p7s to .pfx.

4: Can I use a .p12 or .p7s certificate to sign my Windows app?
No. Signtool, the tool provided by the Windows SDK to sign apps, uses certificates in .pfx format only. You will therefore need to convert a .p12 or .p7s certificate to .pfx before proceeding with signing.
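
The point made in questions 3 and 4, that .pfx and .p12 are the same PKCS12 container while .p7s is a different one, can be checked from the file contents instead of the extension. The Python below is an added example, not part of the original article or of any Comodo or Intel tooling; the function names and the two sample byte strings are constructed for illustration.

```python
import base64

# DER bytes of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

# Constructed minimal samples (structure only, no real keys or certificates)
SAMPLE_PKCS12 = bytes.fromhex("3005" "020103" "3000")
SAMPLE_PKCS7 = bytes.fromhex("300d" "0609" "2a864886f70d010702" "a000")


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER/BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:            # BER indefinite length: value runs to the end
        return tag, pos, len(buf)
    if length & 0x80:             # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds data")
    return tag, pos, pos + length


def classify_container(data):
    """Return 'pkcs12', 'pkcs7' or 'unknown' for the bytes of a certificate file."""
    try:
        if data.lstrip().startswith(b"-----BEGIN"):   # PEM armor: decode the base64 body
            lines = [l.strip() for l in data.splitlines()]
            data = base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))
        tag, start, _ = read_tlv(data, 0)
        if tag != 0x30:                               # outer element must be a SEQUENCE
            return "unknown"
        tag, vstart, vend = read_tlv(data, start)
    except ValueError:
        return "unknown"
    first = data[vstart:vend]
    if tag == 0x02 and first == b"\x03":              # PFX: version INTEGER 3 comes first
        return "pkcs12"
    if tag == 0x06 and first == OID_SIGNED_DATA:      # ContentInfo: contentType OID first
        return "pkcs7"
    return "unknown"
```

A file that classifies as `pkcs12` is the case where renaming .p12 to .pfx is enough; a file that classifies as `pkcs7` is the .p7s case that needs conversion.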

5: Oops! I used Chrome to place an order and now I cannot export the certificate. What do I do?
Do not panic. You will need to reapply using IE/Firefox. Use the "Apply for a code signing certificate" link through the Intel AppUp(SM) Developer Program portal using the same credentials and note down the order number. Write to premiumsupport@comodo.com with both the first order number and the new order number, explaining the situation, and request that they use the same set of documents already submitted for validating your new order. This will reduce the validation time, and a new certificate will be issued that you can export from the browser through which the new order was placed.

6: I used a Mac and received a .p7s certificate. How can I convert it to a .pfx?
Please check back to this article for updates.

7: I am new to code signing. How do I get a code signing certificate?
Visit the following website for detailed instructions on how to get a code signing certificate:
http://appdeveloper.intel.com/en-us/article/how-do-i-get-code-signing-certificate-certifying-authority

8: How do I sign my files?
For signing .MSI files, visit the following website:
http://appdeveloper.intel.com/en-us/article/signing-msi-files
For signing .JAR files, visit the following website:
http://appdeveloper.intel.com/en-us/article/signing-jar-files

D: Support

1: I have questions regarding my certificate request. Is there any technical support available?
You can write to premiumsupport@comodo.com for questions during the application, verification and export process.
