How do I get a code signing certificate from a Certificate Authority?

Introduction

The Intel® Developer Zone requires that all Windows*-based Intel AppUp® applications (.MSI, .EXE, .JAR and .AIR) be signed by a certificate from a Certificate Authority (CA). This is to ensure that applications do not contain any malware, and it also provides additional trust to end users downloading applications from the Intel AppUp® center. Subsidized code signing certificates are available to developers through the Intel Developer Zone portal. This article guides developers through the process of obtaining a subsidized certificate.

Note for Macintosh* developers: If you are using a Macintosh* system to develop your Intel AppUp® app for Windows*, note we will have more instructions for you. Stay tuned on this site for further instructions. Meanwhile if you have a Windows* system available you can follow these instructions for code signing your application.

Note for Windows* developers already owning a certificate: Developers who already own a code signing certificate can skip to the end of this article for instructions on signing applications. Please note that Intel requires the certificate to come from one of a designated list of CAs. They are: Chosen Security, Verisign, Globalsign, Thawte, Trust Center, Go Daddy Secure Certification Authority and Comodo. All of these CAs provide code signing certificates for Adobe AIR*, Microsoft Authenticode* and Java* applications. An Authenticode certificate can be used across Adobe AIR*, MSI and JAR applications.

Browser Support: Comodo recommends using Microsoft Internet Explorer* or Firefox for submitting a certificate application and retrieval. Chrome* browser may not work as desired. Developers are encouraged to read through the Comodo support page for more information on browser support: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=419&nav=0,96

Overview

  1. Obtain a certificate from the Intel Developer Zone portal
  2. Install the certificate to the Certificate Store on your PC

Obtain a certificate from Intel® Developer Zone portal:

The Process:

  1. Log in to your Intel Developer Zone account. Under "My Dashboard", you will find a link - "Apply for code signing certificate". This will take you to an application form to request a code signing certificate.
  2. The CA will ask for the organization / individual details and contact details. This is required for the validation process. Follow the steps in the application process. Select Organization if you are applying as a registered business. Select Individual if you are an individual developer without a registered organization. The list of documents you will need to submit for validation is listed in the application form. Once you place an order, a certificate request will be generated on the developer's behalf to the CA.
  3. Once the validation process is successful, you will receive an email with a link to download and install the certificate. The vetting process takes between 5-7 business days.

Download and install the certificate:

You will need to use the same computer and browser that you used to send a request to download the certificate using the link you receive. Most CAs allow the use of popular browsers like Microsoft Internet Explorer*, Firefox* and Chrome*, but it is always best to check on the CA's website for browser-specific instructions. The article illustrates the steps for Microsoft Internet Explorer*.

  1. Click on the link you received in the email. The certificate will be installed in the certificate store on your computer. You will be able to see the certificate under the "Personal -> Certificates" section of the Console Root when you run the mmc.exe application from the command line.
  2. The certificate with the private key can now be exported and saved on your hard disk:
      1. Open a browser session.
      2. Click on Tools -> Internet Options -> Content -> Certificates -> Personal.
      3. Highlight the certificate you would like to export. Click "Export".
      4. The Certificate Export Wizard now opens. Click "Next".
      5. In the Export Private Key section, select "Yes, export the private key". Click "Next".
      6. In the "Export file format" section, select "Personal Information Exchange - PKCS #12 (.PFX)" format and select the "Include all certificates in the certification path if possible" check box. Click "Next".
      7. In the "Password" section, type and confirm your password. Remember this password, since you will need to type it in when signing applications with this private key. Click "Next".
      8. In the "File to Export" section, choose the file path and name where you wish to save the certificate file. Click "Next".
      9. The Completion Wizard screen now shows all the selections you have made. When you click on "Finish", the certificate is saved in the path you specified.

If your code signing certificate is about to expire or has already expired, you can optionally renew your certificate and resubmit your application for validation. For more information on code signing certificate renewal, see: Maintaining Valid Certificates

Additionally, it is strongly recommended to timestamp your application once you sign it. This will ensure that your signature remains valid even after the certificate expires. An update to your application would require fresh signing.
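
The store check, PFX export and timestamp recommendation above can also be done and verified from PowerShell. This is an added example, not part of the original article or of Intel's or the CA's tooling; it assumes Windows 8.1 or later (for the PKI module cmdlets), and $PfxPath and $SignedFile are placeholder paths.

```powershell
# Added example. $PfxPath and $SignedFile are placeholders chosen for illustration.
$PfxPath    = Join-Path $env:USERPROFILE 'codesign-backup.pfx'
$SignedFile = 'C:\path\to\YourApp.exe'   # an EXE or MSI you have already signed

# Same view as "Personal -> Certificates" in mmc.exe, limited to code signing certs.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
$certs | Format-List Subject, Issuer, Thumbprint, HasPrivateKey, NotAfter

# Choose the unexpired certificate that has its private key and expires last.
$cert = $certs |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No unexpired code signing certificate with a private key was found.'
}
$daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
Write-Host "Using $($cert.Thumbprint); expires in $daysLeft days."

# Equivalent of the Certificate Export Wizard with "PKCS #12 (.PFX)" and
# "Include all certificates in the certification path" selected.
# This fails if the private key was installed as non-exportable.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath `
    -Password $password -ChainOption BuildChain | Out-Null

# Read the PFX back without installing it and confirm what it contains.
$pfx = Get-PfxData -FilePath $PfxPath -Password $password
if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw 'Exported PFX does not contain the selected certificate.'
}
Write-Host "PFX holds $($pfx.OtherCertificates.Count) chain certificate(s)."

# After signing: confirm the signature is valid and carries a timestamp,
# so it is still accepted once the signing certificate has expired.
if (Test-Path $SignedFile) {
    $sig = Get-AuthenticodeSignature -FilePath $SignedFile
    [pscustomobject]@{
        Status        = $sig.Status
        Signer        = $sig.SignerCertificate.Subject
        SignerExpires = $sig.SignerCertificate.NotAfter
        Timestamped   = [bool]$sig.TimeStamperCertificate
    }
}
```

The exported .PFX contains the private key, so store it with restricted file permissions and keep the password separate from the file.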

Now you have a code signing certificate that you can use to sign your applications. The following two articles provide specific instructions on signing MSI/EXE and JAR files:
