Why EV Code Signing? EV Code Signing vs. Regular Code Signing

Written by Radu Popescu · January 13th, 2023


By now, we all know the importance of a digital signature to secure our applications and how standard code signing certificates work.

In this article, we’ll talk about the EV Code Signing Certificate, a more advanced method to code sign your certificates.

Let's see what it is, its pricing, and how it varies from regular code signing. We’ll discuss how it differs from regular code signing, its pricing and the requirements for acquiring an EV Code Signing Certificate.

What is an EV Code Signing certificate?

An EV Code Signing stands for Extended Validation Code Signing certificate. This type of certificate requires an extensive audit of the publisher by the Certification Authority that issues the certificate. Additionally, the private keys in EV code signing certificates are stored externally to prevent any unauthorized use.

You can use EV Code Signing certificates to digitally sign your applications. When an application is not digitally signed and the user tries to install it, the User Account Control (UAC) will trigger the below message, informing the Publisher that the application is considered Unknown.

User Account Control

How is an EV code signing certificate different from a regular code signing certificate?

A regular code signing certificate usually stores its private key on the same hard drive of the computer where the application is developed or is going to be signed. This is different from EV code signing certificates, as the private key for these certificates is kept secret using a hardware token on a separate hard drive.

Both EV and regular code signing certificates offer SHA-2 Encryption and 3072-bit or 4096-bit RSA Key.

Here's how the process looks for each of the certificate types:

Process of Code Signing using regular certificate

Process of Code Signing using regular certificate

Process of Code Signing using EV certificate process

Process of Code Signing using EV certificate process

When you purchase an EV Code Signing certificate, the delivery time is longer than when purchasing a regular certificate.

In the case of regular certificates, it can take between one to three days to be delivered, while an EV certificate can take up to a week. Be aware that your EV certificate will only be provided in hardware format, saved on the USB token.

Another important point about EV Code Signing when compared to regular signing, is the instant SmartScreen Reputation. What is that? Let’s find out below.

What is SmartScreen Reputation?

Microsoft SmartScreen is a cloud-based protection solution for malware and phishing attacks that can be found in various Microsoft products. When you execute your application, SmartScreen scans its digital signature and detects if it comes from a reputable source.

When you digitally sign your application with a regular certificate for the first time, you are considered a new entity with no reputation. Thus, SmartScreen will still detect your application as a potential danger.

However, when you digitally sign your application with an EV certificate, you are granted an instant reputation.

EV Code Signing Certificates are SHA256 only, which is one of the strongest hash functions available and the one recommended by Microsoft (Secure Hash Algorithm 256-bit is used for cryptographic security).

Signing kernel drivers for Windows 10 and Windows 11

In the past, you were able to sign kernel drivers using a regular certificate.

Now, to focus more on IT security, starting with Windows 10 and Windows 11, you can only digitally sign kernel drivers using an EV code signing certificate.

Is USB eToken necessary for EV Code Signing?

Yes. As mentioned earlier, one of the characteristics of an EV Code Signing certificate is the storage of the private key on a separate USB.

When you are using an EV Code Signing certificate, the USB eToken you must insert into the computer where the signing action is happening.

Advanced Installer offers full support for EV Code Signing.

Follow our full guide on How to use the USB eToken for Extended Validation Code Signing, and digitally sign your application using an EV Code Signing Certificate.

EV Code Signing Pricing

Compared to the regular Code Signing Certificate, the price of an EV Code Signing Certificate is generally higher. And here is why:

  • The verification process of an entity that wants to obtain an EV Certificate is more complex and rigorous.
  • The extra benefits and instant reputation you get always mean extra cost.
  • The need for external hardware (USB token) to store the certificate.

TipYou can expect the final price of an EV Code Signing Certificate to be around four times the price of a regular certificate.

What are the requirements for acquiring an EV Code Signing Certificate?

When you want to buy a regular Code Sign certificate, you can do so directly from a website, which is a pretty straightforward transaction.

When it comes to EV Code Signing Certificate, the process is not that straightforward, and there are some requirements that need to be met in order to receive the EV Certificate.

Here is what you should know before purchasing an EV Code Signing Certificate:

  • EV Code Signing can only be issued to Registered organizations. It cannot be issued to Individual publishers/Developers.
  • PO Box, Care of, mail stop/forwarding, virtual office or a registered agent address as Company address is not accepted.
  • Company and phone number validation is required. You need to complete a form containing legal information that will be submitted for validation.

Is EV Code Signing mandatory?

It all depends on your software and your end goal. If you develop kernel drivers for Windows 10 and 11, definitely yes! If you are in a rush and need instant reputation for the SmartScreen, again, YES! But keep the price in mind.

On the other hand, in the majority of cases, if no driver is involved, a regular certificate is all you need to digitally sign your Windows application.

For instance, let’s take a look at Advanced Installer, which has been on the market for some time now and is digitally signed with a regular certificate. On top of that, the tool is not a kernel driver, so there is no justification for us to use the Extended Validation Code Sign certificate.

Did you find this helpful? What other topics would you like us to cover?

Subscribe to Our Newsletter

Sign up for free and be the first to receive the latest news, videos, exclusive How-Tos, and guides from Advanced Installer.