Standard and new EV Code-Signing Certificates

NewsArchive
04-01-2019, 08:30 AM
All,

as you probably know, SetupBuilder 2019 supports both Standard Code-Signing
and Extended Validation (EV) Code Signing.

"Comodo EV Code Signing gives you the tools to have your software trusted
across all browsers. The place you'll see the most gains is with Microsoft
users behind the SmartScreen filter. EV Code Signing establishes instant
application reputation with SmartScreen, effectively killing those
download-killing browser warnings and paving the way for more
conversions, more money. EV Code Signing also comes with an added layer of
security. To prevent unauthorized access to your private key, it is stored
on an external hardware token. The Extended Validation process is easy to
navigate and can be completed quickly. And the benefits are undeniable."

If you're looking for a "Standard" or "EV" Code-Signing certificate, why not
save some money and make use of the "SetupBuilder Deal".

http://www.lindersoft.com/order_codesigning.htm

- Comodo Standard Code Signing
1-Year : $79
2-Years : $143
3-Years : $200

- Comodo Extended Validation (EV) Code Signing
1-Year EV : $279
2-Years EV : $489
3-Years EV : $628

Note: since the private key is stored on the hardware token, for security it
cannot be copied or exported to create a PFX file.

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
Voice: +1.954.537.3701 | Fax: +1.954.537.3702

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
04-02-2019, 01:48 PM
Two interesting "reputation building" threads (for "Standard" Code-Signing
Certificates)

http://www.lindersoft.com/forums/showthread.php?47928-Reputation-building-may-I-ask-you-for-a-favor&p=90067#post90067

http://www.lindersoft.com/forums/showthread.php?47837-Need-Help-SetupBuilder-certificate-2018-reputation-(screenshots-attached)

Friedrich

NewsArchive
04-02-2019, 01:49 PM
Hi Friedrich,

> ......To prevent unauthorized access to your private key, it is stored
> on an external hardware token......
What does that mean?
Sounds almost like we're back to dongles again.

Graham

NewsArchive
04-02-2019, 01:50 PM
Smart Card Tokens, according to this 3rd party vendor.

Although it sounds inconvenient, I can see how this would be a good
thing.

https://comodosslstore.com/code-signing/how-to-sign-comodo-ev-code-signing-certificate

Jeff Slarve
www.jssoftware.com

Ones and Zeros are my Heroes

NewsArchive
04-02-2019, 01:50 PM
Hi Jeff,

Seems the Safe-NET token comes on USB

https://support.globalsign.com/customer/en/portal/articles/1727343-download-and-install-ev-code-signing-certificate

Graham

NewsArchive
04-02-2019, 01:50 PM
And unlike other certificates, in this case Comodo has a copy of your
private key (since they're writing it onto the device that they mail
to you.)

With a regular certificate, the private key stays on your computer and
never gets sent to them.

jf

NewsArchive
04-02-2019, 01:51 PM
Hi Graham,

>> ......To prevent unauthorized access to your private key, it is stored
>> on an external hardware token......
>
> What does that mean?
> Sounds almost like we're back to dongles again.

Ohhh yes :-( USB dongle...

Friedrich

NewsArchive
04-02-2019, 01:51 PM
Hi Jeff,

> Smart Card Tokens, according to this 3rd party vendor.
>
> Although it sounds inconvenient, I can see how this would be a good
> thing.

But the moment you hook it up to the computer it's fair game for
hackers. Just putting the stuff on a card doesn't make it any more
secure.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
04-02-2019, 01:52 PM
On 2.4.2019 4.08, Arnor Baldvinsson wrote:

> But the moment you hook it up to the computer it's fair game for
> hackers. Just putting the stuff on a card doesn't make it any more secure.

Once the EV certificate private key is installed on the USB security
token, it cannot be extracted or copied from the device, since it is
stored securely in a tamper-proof memory area on the device (write-only
/ write-once in that sense). Signature operations are completed on the
device itself with a certificate password used to unlock the private
key, so the token must be plugged in for the certificate to be available
for operations.

So hackers can't copy your certificate and they would need to physically
steal the token to use it.

Cheers,
--
Timo

NewsArchive
04-02-2019, 01:54 PM
Hi Timo,

> Once the EV certificate private key is installed on the USB security
> token, it cannot be extracted or copied from the device, since it is

Somehow it must be read from the stick.

> So hackers can't copy your certificate and they would need to physically
> steal the token to use it.

Those things can be duplicated. Seen it done. Disappearing a USB stick
isn't much of a challenge - I manage that all by myself it seems!<bg>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
04-02-2019, 01:54 PM
>> Once the EV certificate private key is installed on the USB security
>> token, it cannot be extracted or copied from the device, since it is
>
> Somehow it must be read from the stick.

The point is that the private key isn't and cannot be read from the
security token. Signature operation is completed on the token hardware
itself (it has an onboard processor for that) - it is not a normal USB
storage device. Data to be signed (usually a hash) is sent to the USB
security key and signature is generated onboard without the private key
ever leaving the token.

> Those things can be duplicated. Seen it done. Disappearing a USB stick
> isnt's much of a challenge - I manage that all by myself it seems!<bg>

Normal USB storage devices and (some) license dongles can be duplicated.
FIPS 140-2 certified smart card tokens, no, unless you are a state-level
actor having a team of scientists armed with an electron microscope and
a billion dollar budget. To extract the private key, one would need the
physical hardware token at hand and then could try to read the protected
memory area by peeling the memory chips atomic layer at a time. This is
further hindered by cryptographic modules having physical security
mechanisms which erase private keys if tampering is detected.

Cheers,
--
Timo
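What actually crosses the USB cable in the exchange Timo describes (the host sends a digest, the token answers with a signature, the private key never leaves the device), as an added Go example that is not part of this thread and is not SetupBuilder, Comodo or SafeNet code. The `Token` type is a constructed stand-in for a smart-card token and `tokenPIN` is a constructed sample value; Go's `crypto.Signer` interface is the same opaque sign-this-digest abstraction that hardware-backed keys present to signing tools.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

const tokenPIN = "1234" // constructed sample PIN; stands in for the certificate password

// Token is a constructed model of a USB smart-card token (not a real PKCS#11 driver):
// the private key exists only inside this struct, and the host sees Public() and Sign().
type Token struct {
	key      *rsa.PrivateKey
	unlocked bool
}

// NewToken generates the key pair on the token; nothing exportable is returned.
func NewToken() (*Token, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Token{key: k}, nil
}

// Unlock models the password/PIN step that must happen before any signing.
func (t *Token) Unlock(pin string) { t.unlocked = pin == tokenPIN }
// Public returns the only key material that ever crosses the USB link.
func (t *Token) Public() crypto.PublicKey { return &t.key.PublicKey }
// Sign implements crypto.Signer: a digest comes in, a signature goes out.
func (t *Token) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if !t.unlocked {
		return nil, errors.New("token locked: password required")
	}
	return rsa.SignPKCS1v15(r, t.key, opts.HashFunc(), digest)
}

// SignFile is the host side: hash the file locally, send only the 32-byte digest.
func SignFile(signer crypto.Signer, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}
// VerifyFile is what an end user's machine does with the public key in the certificate.
func VerifyFile(pub crypto.PublicKey, file, sig []byte) bool {
	digest := sha256.Sum256(file)
	return rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, digest[:], sig) == nil
}
```

Note the flip side that Arnor raises: while the token is plugged in and unlocked, anything running on that host can call `Sign`, so the design prevents copying the key, not misuse of a connected token.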

NewsArchive
04-02-2019, 01:55 PM
>unless you are a state-level
>actor having a team of scientists armed with an electron microscope and
>a billion dollar budget.

Jeff Slarve
www.jssoftware.com

Ones and Zeros are my Heroes

NewsArchive
04-02-2019, 01:56 PM
>>> Once the EV certificate private key is installed on the USB security
>>> token, it cannot be extracted or copied from the device, since it is
>>
>> Somehow it must be read from the stick.
>
> The point is that the private key isn't and cannot be read from the
> security token. Signature operation is completed on the token hardware
> itself (it has an onboard processor for that) - it is not a normal USB
> storage device. Data to be signed (usually a hash) is sent to the USB
> security key and signature is generated onboard without the private key
> ever leaving the token.
>
>> Those things can be duplicated. Seen it done. Disappearing a USB
>> stick isn't much of a challenge - I manage that all by myself it
>> seems!<bg>
>
> Normal USB storage devices and (some) license dongles can be duplicated.
> FIPS 140-2 certified smart card tokens, no, unless you are a state-level
> actor having a team of scientists armed with an electron microscope and
> a billion dollar budget. To extract the private key, one would need the
> physical hardware token at hand and then could try to read the protected
> memory area by peeling the memory chips atomic layer at a time. This is
> further hindered by cryptographic modules having physical security
> mechanisms which erase private keys if tampering is detected.
>
> Cheers,

Very interesting and informative discussion Timo. Thanks for chipping
in and sharing.

Andre Labuschagne

NewsArchive
04-02-2019, 01:57 PM
> Very interesting and informative discussion Timo. Thanks for chipping
> in and sharing.

+1

Peter Hermansen