Hello,
I'm not an expert whatsoever when it comes to Digital Signing, but I have done some research and you are partially right.
The source of research:
GlobalSign Code Signing FAQ
In the above article, it states that:
Are there different types of Code Signing Certificates?
Yes. GlobalSign offers both Standard and Extended Validation Code Signing Certificates.
What is the difference between Standard and EV Code Signing?
Standard Code Signing Certificates undergo standard organization validation. EV Code Signing Certificates undergo strict Extended Validation vetting requirements set by the CA/B Forum.
EV Code Signing Certificates have an added benefit of providing instant reputation with Microsoft Smart Screen. Standard Code Signing Certificates must build up reputation with the Smart Screen program before Smart Screen warnings disappear.
EV Code Signing Certificates are also required to access the Windows Hardware Developer Center Dashboard Portal through which all kernel-mode drivers targeting Windows 10 (Build 1607 and later) must be signed.
Can I sign a file remotely?
Both the Standard Code Signing Certificates and EV Code Signing Certificates cannot be accessed through Remote Desktop (RDP). The USB token must be plugged in to the local computer.
A local USB token can be used to sign a file on a remote machine but a remote USB Token cannot be used for signing at all.
Here, they state that a local USB token can be used to sign a file on a remote machine.
Now, the other problem you have encountered here is the fact that someone had to enter the password.
We might be able to help in this matter. Recently, we have added support for using a custom signing tool at your disposal. This basically means that you can use your own command line for signing ==> you can pass the password through the command line.
For instance, if you go to "Digital Signature" page --> "Enable Signing" --> "Custom" --> select your SignTool.exe tool, you will be able to provide your own command line that the tool should use:
As you may know, the SignTool.exe tool accepts the following parameter:
The above specifies the password to use when opening a PFX file.
sign Command Options
Another interesting thing that they mention in the article is:
Are there different ordering options for Standard and EV Code Signing Certificates?
Yes. Both, the Standard Code Signing Certificates and the EV Code Signing Certificates have 3 ordering options and can be delivered to SafeNet tokens, HSMs as well deployed with Azure Key Vault. Please refer to the 'Key Storage Options' on the table comparison here
Once again, recently (in the last release), we have implemented support for signing your package using Azure Key Vault, as it was requested by our users.
In the "What is a Code Signing Certificate" article, they mention that:
GlobalSign allows standard and EV Code Signing Certificates to be installed on customer HSMs or in Azure Key Vault. Contact us for more information about these deployment options.
Note: USB token not included in HSM or Key Vault deployments.
To be fully honest with you, I believe you should contact their support team and ask for more information about that.
Hope this information helps somehow.
Best regards,
Catalin