Certificates, Digital Signatures, and IEAK
Web browsers have security features that help protect users from downloading harmful programs. Depending on the security level and the platform that you are using, the user may be prevented from, or warned against, downloading programs that are not digitally signed. Digital signatures show users where programs come from, verify that the programs have not been altered, and ensure that users do not receive unnecessary warnings when installing the custom browser.
Because of this, the custom .cab files created by the Windows® Internet Explorer® Customization Wizard 9 should be signed, unless you pre-configure the Local intranet zone with a Low security setting. Any custom components you distribute with your browser package for these platforms should also be signed.
To sign your package and custom programs digitally, you must first obtain a digital certificate. You can obtain a certificate from a certification authority or a privately-controlled certificate server. For more information about obtaining certificates or setting up a certificate server, see the following:
Microsoft-trusted certification authorities (http://go.microsoft.com/fwlink/?linkid=59547).
Certificates overview documentation (http://go.microsoft.com/fwlink/?linkid=68942).
Public key infrastructure (PKI) documentation (http://go.microsoft.com/fwlink/?linkid=68943).
When you get a certificate, you should note the public and private keys, which are a matched set of keys that are created by the software publisher for encryption and decryption. They are generated on your computer at the time the certificate is requested, and your private key is never sent to the certification authority or any other party.
Understanding code signing
- If you plan to distribute custom packages over the Internet, you must sign all custom components and the CMAK profile package (if used). Before you start the Internet Explorer Customization Wizard 9, make sure that both are signed. Typically, their respective manufacturers will have signed them. Otherwise, you can sign these using the Sign Tool (SignTool.exe) (http://go.microsoft.com/fwlink/?LinkId=71299). You can also use the File Signing Tool (Signcode.exe)(http://go.microsoft.com/fwlink/?LinkId=71299). You should read the documentation included with these tools for more information about all of the signing options.
In addition, after you run the Internet Explorer Customization Wizard 9, we highly recommend that you sign the IEAK package and the Branding.cab file (if you are using it separately from the package). You can do this also using the tools mentioned above.
For more information, download Code-Signing Best Practices (http://go.microsoft.com/fwlink/?LinkId=71300).
- If you plan to distribute your custom packages over an intranet, sign the custom files or preconfigure the Local intranet zone with a Low security setting, because the default security setting does not allow users to download unsigned programs or code. For more information about security zones, see Internet Explorer Security and IEAK.