Owner other than producer of software - who acts in which role?

We are a German software company which has been developing successful software for years for a very big German company xxx, which sells the package to its customers - so we are the producer and xxx is the owner.

The question is now, who has to order a code signing certificate?

If we get a certificate for our company, anyone will see our company as the source of the software, and that is clearly not within the terms of xxx.
On the other hand, if xxx applies for a certificate (which is certainly a long-term procedure because of the complex, bureaucratic structure) and forwards the certificate to us, we can sign any code in the name of xxx and no one can see this.

Is there a suitable standard solution for this problem - e.g. we fill in xxx as the registered company (which appears in the Windows dialogs) and fill in our company as a technical contact or administrative contact? Which kind of documents does Comodo need for this - and from which company?

Best regards for any hint!

Stefan

Something like "our company signs on behalf of xxx" seems to be what I'm looking for - is there something similar available in the code signing process, especially with Comodo?

I think the certificate would need to be in the name of the company perceived to be the developer of the software. Otherwise it would create confusion, and a sharp, security-conscious user might even suspect that the software had been modified and re-signed.

Thanks for your answer, but the problem is that our company is (more or less) unknown to the customers of the software and should not be announced to all the customers, i.e. we only develop "in the background" behind the big company.

For example: AT&T has a specific problem which should be solved by an external software company xyz, because AT&T itself doesn't have the time (and know-how) to do it, but after the software is finished, it should be deployed in the name of AT&T.
I think it would be very confusing if you buy software from the big AT&T and, when trying to install the package, a dialog appears with "xyz" as the certified company. In my example, AT&T is responsible for the product, so I think it would be consistent to see AT&T as the company - maybe with a hint about the company xyz - but AT&T should be the prominent one.

BTW: Sorry for my poor English ... :-\

That’s what I meant. It should be in the name of the company whose name is on the software, or who the user buys it from, not your name as the developer. The user will think the big company was the developer, even though you were.

OK - the first fact seems to be that the certificate should be issued to the big company xxx.

Because every binary should be signed, it is not practicable to send these binaries after compiling/linking to xxx for signing - especially in the beta stage, when multiple versions are created a day.

On the other hand, if xxx provides the certificate to us so that we can sign the binaries, there are two problems:
a) is it allowed to provide the certificate "outside" the company to which the certificate is issued?
b) we can sign ANY binary in the name of xxx - so perhaps some people in xxx won't like that

But it seems to me as if there is no REAL solution for the problem :frowning:

If there is a remark field or something in the certificate, we could solve problem b) by adding something like "produced by steff-company", so the whole certificate would be:

company: xxx ltd.
city: xxx-city
remark: produced by steff-company

!?
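To make the two points in the last posts concrete (what a certificate can carry, and what handing the signing key to the developer actually allows), here is an added example that is not from the thread and not Comodo's process. It builds a local, self-signed test certificate with openssl (a CA-issued certificate would be obtained from the CA, not generated like this), puts the proposed values into the subject, and then signs two different stand-in "binaries" with the same key. X.509 has no "remark" field: the only free-form subject attribute is OU (organizationalUnitName), so that is where the "produced by steff-company" text ends up in this example. The subject values, the file names and the two build files are assumptions for illustration; openssl 1.1.1 or newer is assumed for the `-addext` option.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a LOCAL test certificate whose
# subject carries the values proposed above, then signs two arbitrary files with it.
# Assumes: openssl >= 1.1.1; subject values and file names are placeholders.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Key plus self-signed certificate. The subject DN is the only identity a
# verifier (and a signature dialog) will show; OU is the one free-form slot.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout key.pem -out cert.pem \
    -subj "/C=DE/L=xxx-city/O=xxx ltd./OU=produced by steff-company/CN=xxx ltd." \
    -addext "extendedKeyUsage=codeSigning" 2>/dev/null
}

# Print the subject exactly as a verifier reads it out of the certificate.
cert_subject() {
  openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
}

# Sign any file with the private key and verify against the certificate's public key.
# Prints "Verified OK" for every input: the key has no notion of an "approved" build,
# which is exactly problem b) from the thread.
sign_and_verify() {
  openssl dgst -sha256 -sign key.pem -out "$1.sig" "$1"
  openssl x509 -in cert.pem -pubkey -noout > pub.pem
  openssl dgst -sha256 -verify pub.pem -signature "$1.sig" "$1"
}

make_test_cert
cert_subject

# Constructed stand-ins for an approved release and an unapproved build.
printf 'release build\n' > release.bin
printf 'unapproved build\n' > rogue.bin
sign_and_verify release.bin
sign_and_verify rogue.bin
```

Running it prints the subject as `CN=xxx ltd.,OU=produced by steff-company,O=xxx ltd.,L=xxx-city,C=DE` and then `Verified OK` twice: the OU text travels with the certificate and is visible to anyone who inspects it, but it does nothing to stop the holder of `key.pem` from signing `rogue.bin`. Whatever the CA allows in the OU, the only control over problem b) is who holds the private key, not what the certificate says.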