Is this the same as Sectigo EV Code Signing? Yes. Comodo CA rebranded to Sectigo in November 2018. This certificate is issued by Sectigo under the legacy Comodo product name. The root chain, validation process, and technical specifications are identical to the Sectigo-branded version. If you’ve searched for “Comodo code signing” or “Comodo EV certificate,” you’re in the right place.
Comodo EV Code Signing Certificate Benefits
- Microsoft SmartScreen reputation. Signing with the Comodo EV certificate attaches your verified publisher name to every download, replacing the “Unknown Publisher” warning Windows users see when installing new software. Note: since March 2024, EV certificates no longer instantly bypass SmartScreen warnings, but they remain the highest-trust certificate type for building file reputation over time.
- Tamper-proof digital signatures. Each signature applies a SHA-2 hash to your code, encrypted with your private key. If anyone modifies your software after signing, injects malware, or alters functionality, the signature breaks, and the user’s OS displays a warning. Your brand reputation stays protected.
- Hardware-based private key protection. Unlike standard OV code signing, the Comodo EV certificate requires your private key to live on a FIPS 140-2 Level 2 compliant device. Choose between a preconfigured USB token (shipped to US, Canada, and international addresses) or installation on your existing HSM (Luna, YubiKey 5 FIPS, Google Cloud KMS, and other compliant modules). The key is non-exportable — it never leaves the hardware. You sign code using tools like Microsoft SignTool alongside the SafeNet Authentication Client that interfaces with your token.
- Timestamping included. Every signature can include a trusted timestamp that preserves its validity indefinitely, even after your certificate expires. Without timestamping, your users would see warnings the moment the certificate’s validity period ends.
- Cross-platform signing. One certificate covers Microsoft Authenticode (.exe, .dll, .cab, .msi, .ocx: 32-bit and 64-bit), Windows kernel-mode drivers, Java, Adobe AIR, Apple applications and plug-ins, Mozilla objects, Microsoft Office VBA macros, and Silverlight, with 99.3% browser compatibility.
- CA/B Forum compliant encryption. RSA 3072-bit signature key (minimum), SHA-2 hashing, and optional Elliptic Curve Cryptography (ECC), meeting the latest NIST and CA/Browser Forum security standards.
- Required for Windows kernel-mode drivers. An EV code signing certificate is the only certificate type accepted to register with the Windows Hardware Developer Center Dashboard. All kernel-mode drivers targeting Windows 10 (Build 1607+) must be submitted through the Dashboard for Microsoft co-signing, and that access requires a valid EV certificate on your account.
- Annual reissuance on multi-year plans. Since February 2026, the CA/Browser Forum caps all code signing certificates at 459 days per issuance. If you purchase a multi-year plan, you’ll reissue once per year, the certificate and private key remain on your existing hardware token or HSM. We send reminders 30 days before each reissuance is due.
Comodo EV vs. OV Code Signing
| OV Code Signing | Comodo EV Code Signing | |
|---|---|---|
| Validation | Basic organization check | Full legal, physical, and operational verification |
| Private key storage | FIPS 140-2 hardware required (since June 2023) | FIPS 140-2 Level 2 hardware required |
| SmartScreen reputation | Builds organically | Builds organically (post-March 2024) |
| Kernel-mode drivers | Not accepted by Microsoft | Required for Windows Hardware Developer Center |
| Publisher details shown | Organization name | Organization name, address, and jurisdiction |
| Issuance | Typically faster | 1–2 business days |
Frequently Asked Questions
Is Comodo EV Code Signing the same as Sectigo EV Code Signing?
Comodo CA rebranded to Sectigo in November 2018. This certificate is issued by Sectigo under the legacy Comodo product name. The validation process, root trust chain, and technical specifications are identical to the Sectigo-branded version.
Can I sign Windows kernel-mode drivers with this certificate?
Yes. An EV code signing certificate is required to access the Windows Hardware Developer Center Dashboard, where all kernel-mode drivers for Windows 10 (Build 1607+) must be submitted for Microsoft co-signing.
Does EV code signing still bypass Microsoft SmartScreen instantly?
No. As of March 2024, Microsoft changed SmartScreen’s behavior. EV certificates no longer grant instant reputation. However, they remain the highest-trust certificate type and are still the recommended choice for building SmartScreen reputation.
What happens to my signed software when the certificate expires?
If you timestamped your code at signing (standard practice), the signature remains valid indefinitely. Code signed without a timestamp will trigger warnings after the certificate expires.
Can I export the private key from the USB token?
No. The private key is non-exportable by design. This is a CA/Browser Forum requirement for all code signing certificates since June 2023. If your signing workflow requires remote or CI/CD access, choose the HSM installation option instead.
I bought a multi-year plan. Do I need to do anything annually?
Yes. Since February 2026, code signing certificates are capped at 459 days per issuance. You’ll need to reissue annually. We send email reminders 30 days in advance, and the revalidation process is typically faster than the initial issuance.
Can I use this certificate in a CI/CD pipeline or automated build environment?
Yes, with one important constraint. If your certificate lives on a USB token, signing requires the token to be physically connected to the machine running the build — it cannot be accessed over Remote Desktop (RDP). For automated pipelines (GitHub Actions, Azure DevOps, Jenkins), choose the HSM installation option, which supports remote and cloud-based signing workflows. Contact support before ordering if you need to confirm HSM compatibility with your environment.
What file formats can I sign with this certificate?
The certificate supports all major executable and script formats: .exe, .dll, .cab, .msi, .ocx, .xpi, and .xap (32-bit and 64-bit), Windows kernel-mode and user-mode drivers, Java applets, Adobe AIR applications, Apple applications and plug-ins, Mozilla objects, Microsoft Office VBA macros, and Microsoft Silverlight applications.
