GST Suvidha Center WB093 offers Digital Signature services designed to streamline your business operations. Visit us to experience professional, reliable, and personalized solutions.

“Being a business owner or even a salaried employee, you cannot deny the fact that the present Digital Era is a period in human history. Business activities that are based on digitization are now considered more reliable, authenticated and easier as compared to former.”

Digital Signature

Digital signatures are electronic signatures that provide authenticity, integrity, and non-repudiation for digital documents. They are widely used in various sectors, including e-commerce, banking, and government services. A digital signature is a cryptographic method that verifies the identity of the signer and confirms that a message, software or digital document has not been tampered with. Compared to a handwritten signature or stamped seal, a digital signature offers far more inherent security, and it is designed to solve the problem of tampering and impersonation in digital communications.

Digital signatures can provide the added assurances of evidence of origin, identity, and status of an electronic document, transaction or message, and can acknowledge informed consent by the signer.


GST Suvidha Center: A Gateway to Digital Signature Services

GST Suvidha Center is one such center that offers digital signature services. By providing a convenient and accessible platform, the center helps individuals and businesses obtain digital signatures for various purposes.


Benefits of Obtaining Digital Signatures Through GST Suvidha Center

  • Convenience: The center is located in a convenient location, eliminating the need for individuals and businesses to travel long distances to obtain digital signatures.
  • Efficiency: The center streamlines the process of obtaining digital signatures, reducing the time and effort required.
  • Security: Digital signatures are highly secure and provide a strong level of authentication.
  • Legal Validity: Digital signatures are legally recognized in India, making them valid for various purposes.
  • Cost-Effective: Obtaining digital signatures through GST Suvidha Center is often more cost-effective than other options.
  • Digital Signature Certificates help authenticate the personal information details of the individual holder when conducting business online.

  • Reduced cost and time: Instead of signing hard-copy documents physically and scanning them to send by e-mail, you can digitally sign the PDF files and send them much more quickly. The Digital Signature Certificate holder does not have to be physically present to conduct or authorize business.
  • Data integrity: Documents that are signed digitally cannot be altered or edited after signing without the change being detected, which makes the data safe and secure. Government agencies often ask for these certificates to cross-check and verify the business transaction.
  • Authenticity of documents: Digitally signed documents assure the receiver of the signer’s authenticity. The receiver can take action based on such documents without worrying about the documents being forged.


Fulfilling statutory compliances

Individuals and entities who are required to get their accounts audited have to file their income tax return compulsorily using a digital signature. Furthermore, the Ministry of Corporate Affairs has made it mandatory for companies to file all reports, applications, and forms using a digital signature only.

 Under GST also, a company can get registered only by verifying the GST application through a digital signature. The use of a digital signature is necessary even for filing all applications, amendments and other related forms.


Certifying Authorities for Digital Signature Certificate

The Controller of Certifying Authorities, which authorizes the issuance of digital signatures in India, has authorized eMudhra as one of the certifying authorities for the issuance of Digital Signature Certificates.

Other certifying authorities may include (n)Code Solutions, National Informatics Centre, Safescrypt and the Institute for Development and Research in Banking Technology.


Classes of Digital Signatures Offered at GST Suvidha Center

The type of applicant and the purpose for which the Digital Signature Certificate (DSC) is obtained determine which kind of DSC one must apply for. There are three types of Digital Signature Certificates issued by the certifying authorities.

Class 1 Certificates: These are issued to individual/private subscribers and are used to confirm that the user’s name and email contact details from the clearly defined subject lie within the database of the certifying authority.

Class 2 Certificates: These are issued to the directors/signatory authorities of companies for e-filing with the Registrar of Companies (ROC). A Class 2 certificate is mandatory for individuals who have to sign manual documents while filing returns with the ROC.

Class 3 Certificates: These certificates are used for online participation/bidding in e-auctions and online tenders anywhere in India. Vendors who wish to participate in online tenders must have a Class 3 digital signature certificate.

  • Digital Signature Certificates: The center can also issue digital signature certificates, which are used to create and verify digital signatures.

How to Obtain a Digital Signature at GST Suvidha Center

  1. Visit the Center: Locate the center’s address and timings on the official GST portal or local government websites.
  2. Submit Required Documents: Provide the necessary documents, such as proof of identity, address, and business registration (if applicable).
  3. Verification Process: The center will verify your identity and eligibility for a digital signature.
  4. Digital Signature Certificate Issuance: If approved, you will be issued a digital signature certificate.
  5. Activation: Follow the instructions provided to activate your digital signature certificate.

Applications of Digital Signatures

Digital signatures have a wide range of applications, including:

  • E-commerce: For secure online transactions and payments.
  • E-filing: For filing income tax returns, GST returns, and other government forms electronically.
  • Electronic Contracts: For signing contracts and agreements digitally.
  • Digital Documents: For verifying the authenticity and integrity of digital documents.
  • Online Banking: For secure online banking transactions.

Conclusion

GST Suvidha Center has emerged as a valuable resource for individuals and businesses seeking digital signature services. By providing a convenient, efficient, and secure platform, the center has simplified the process of obtaining digital signatures. Whether you need a digital signature for e-commerce, e-filing, or other purposes, visiting GST Suvidha Center can save you time and effort.


FAQs

E-Sign
What is an electronic signature?

An electronic signature is data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign, where the signatory is a natural person.

Like its handwritten counterpart in the offline world, an electronic signature can be used, for instance, to electronically indicate that the signatory has written the document, agreed with the content of the document, or that the signatory was present as a witness.

In case you want to seal a document as a legal person (e.g. as a business or organization), you might instead be interested in an electronic seal (What is an electronic seal?).

What is an electronic seal?

An electronic seal is data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity, where the creator of a seal is a legal person (unlike the electronic signature, which is issued by a natural person).

For this purpose, electronic seals might serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document’s origin and integrity. Nevertheless, across the European Union, when a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorized representative of the legal person is equally acceptable.

What are the levels (simple, advanced and qualified) of electronic signatures?

The eIDAS Regulation defines three levels of electronic signature: ‘simple’ electronic signature, advanced electronic signature and qualified electronic signature. The requirements of each level are built on the requirements of the level below it, such that a qualified electronic signature meets the most requirements and a ‘simple’ electronic signature the least.

‘Simple’ electronic signatures

An electronic signature is defined as ‘data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign’. Thus, something as simple as writing your name under an e-mail might constitute an electronic signature.

Advanced electronic signatures (AdES)

An advanced electronic signature is an electronic signature which is additionally:

  • uniquely linked to and capable of identifying the signatory;
  • created in a way that allows the signatory to retain control;
  • linked to the document in a way that any subsequent change of the data is detectable.

The most commonly used technology able to provide these requirements relies on the use of a public-key infrastructure (PKI), which involves the use of certificates and cryptographic keys.

Qualified electronic signatures (QES)

A qualified electronic signature is an advanced electronic signature which is additionally:

  • created by a qualified signature creation device (QSCD);
  • and is based on a qualified certificate for electronic signatures.

What are the levels (simple, advanced and qualified) of electronic seals?

Like the electronic signature, the eIDAS Regulation defines three levels of electronic seal: ‘simple’ electronic seal, advanced electronic seal and qualified electronic seal. The requirements of each level are built on the requirements of the level below it, such that a qualified electronic seal meets the most requirements and a ‘simple’ electronic seal the least.

Nevertheless, the levels of electronic seals don’t have the same definitions, requirements, or legal effects as the levels of electronic signatures:

‘Simple’ electronic seals

An electronic seal is defined as ‘data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity’.

Advanced electronic seals (AdES)

An advanced electronic seal is an electronic seal which is additionally:

  • uniquely linked to the creator of the seal;
  • capable of identifying the creator of the seal;
  • created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation;
  • linked to the data to which it relates in such a way that any subsequent change in the data is detectable.

The most commonly used technology able to provide these requirements relies on the use of a public-key infrastructure (PKI), which involves the use of certificates and cryptographic keys.

Qualified electronic seals (QES)

Similar to a qualified electronic signature, a qualified electronic seal is an advanced electronic seal which is additionally:

  • created by a qualified seal creation device (QSCD);
  • and is based on a qualified certificate for electronic seals.

What is a certificate for electronic signatures?

When signing a document, a pair of keys might be needed (i.e. when the signature relies on the use of public-key infrastructure), namely a ‘public key’ and a ‘private key’. The public key can be publicly shared while the private key shall be securely stored. In particular, the private key is used by the signatory to sign a document, while the public key is used by anyone verifying that it is actually the private key of the signatory that has been used to sign the document.

A certificate for electronic signatures, issued by a Certificate Authority (CA), is an electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person. This way, the certificate, usually linked to the signed document, can be used to verify the identity of the signatory and whether the document has been signed using the corresponding private key.

Qualified certificates for electronic signatures, by following stricter requirements laid down in eIDAS, provide, for instance, higher guarantees regarding the identity of the signatory and therefore higher legal certainty regarding the created electronic signatures. In particular, qualified certificates are provided by qualified trust service providers (QTSP) which have been audited as such and granted a qualified status by a national competent authority, as reflected in the national Trusted List. Those lists, and therefore the QTSPs listed in them, can be browsed in a user-friendly way using the Trusted List Browser (the actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists).

Usually, providers of qualified certificates for electronic signatures deliver the corresponding private key on a qualified signature creation device (QSCD).

What is a certificate for electronic seals?

When sealing a document, a pair of keys might be needed (i.e. when the seal relies on the use of public-key infrastructure), namely a ‘public key’ and a ‘private key’. The public key can be publicly shared while the private key shall be securely stored. In particular, the private key is used by the creator of the seal to seal a document, while the public key is used by anyone verifying that it is actually the private key of the creator of the seal that has been used to seal the document.

A certificate for electronic seals, issued by a Certificate Authority (CA), is an electronic attestation that links electronic seal validation data to a legal person and confirms the name of that person. This way, the certificate, usually linked to the sealed document, can be used to verify the identity of the creator of the seal and whether the document has been sealed using the corresponding private key.

Like qualified certificates for electronic signatures, qualified certificates for electronic seals, by following stricter requirements laid down in eIDAS, provide, for instance, higher guarantees regarding the identity of the creator of the seal and therefore higher legal certainty regarding the created electronic seals. In particular, qualified certificates are provided by qualified trust service providers (QTSP) which have been audited as such and granted a qualified status by a national competent authority, as reflected in the national Trusted List. Those lists, and therefore the QTSPs listed in them, can be browsed in a user-friendly way using the Trusted List Browser (the actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists).

Usually, providers of qualified certificates for electronic seals deliver the corresponding private key on a qualified seal creation device (QSCD).

What is a qualified signature/seal creation device (QSCD)?

Signature/seal creation devices come in many forms to protect the electronic signature/seal creation data (e.g. private key) of the signatory/creator of the seal, such as smartcards, SIM cards, USB sticks. A qualified signature/seal creation device (QSCD), by following stricter requirements laid down in eIDAS, offers higher guarantees regarding the protection (e.g. mitigating any kind of replication or forgery) of the electronic signature/seal creation data (such as the private key) and therefore higher legal certainty regarding the created qualified electronic signatures/seals.

For example, a smartcard (e.g. ID card), when following specific requirements, can be seen as a QSCD as, in order to “unlock” the electronic signature creation data, the signatory shall physically possess the smartcard and know the associated PIN code.

A QSCD is not necessarily in the physical possession of the signatory/creator of the seal but can also be remotely managed by a qualified trust service provider (QTSP). This kind of QSCD is known as a “remote QSCD”. Remote QSCDs offer an improved user experience while maintaining the legal certainty offered by qualified electronic signatures/seals.

What are the legal effects of an electronic signature?

Across all EU Member States, the legal effects of electronic signatures are laid down in Article 25 of eIDAS.

An electronic signature (either simple, advanced or qualified) shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

Regarding qualified electronic signatures, they explicitly have the equivalent legal effect of handwritten signatures across all EU Member States.

What are the legal effects of an electronic seal?

Across all EU Member States, the legal effects of electronic seals are laid down in Article 35 of eIDAS.

Like an electronic signature, an electronic seal shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic seals.

Regarding qualified electronic seals, they explicitly enjoy the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked across all EU Member States.

Do I need a qualified electronic signature?

While different levels of electronic signatures may be appropriate in different contexts, only qualified electronic signatures are explicitly recognized to have the equivalent legal effect of hand-written signatures all over EU Member States.

Moreover, as a general rule, if a certain level of electronic signature (e.g. advanced signature) is required, a higher level will probably be accepted (e.g. advanced signature with a qualified certificate, qualified electronic signature).

Do I need a qualified electronic seal?

While different levels of electronic seals may be appropriate in different contexts, only qualified electronic seals explicitly enjoy the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked, all over EU Member States.

Moreover, as a general rule, if a certain level of electronic seal (e.g. advanced seal) is required, a higher level will probably be accepted (e.g. advanced seal with a qualified certificate, qualified electronic seal).

Nevertheless, when a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person is equally acceptable.

How can I create an advanced or qualified electronic signature?

In the first place, in order to sign documents as a natural person (in order to seal documents as a legal person, you might be instead interested in electronic seals), a certificate for electronic signatures is needed. And, using this certificate, electronic signatures can be created. As part of the eIDAS Regulation, these certificates can be purchased from specific providers, named Trust Service Providers (TSP).

Obtain a digital certificate from a TSP

In the case of an ‘advanced electronic signature’, the certificate may or may not be qualified. In the case of a ‘qualified electronic signature’, the certificate shall be qualified and the private key related to the certificate shall be stored on a ‘qualified electronic signature creation device’ (QSCD).

As laid down in eIDAS, a qualified electronic signature explicitly has the equivalent legal effect of a handwritten signature.

Providers of qualified certificates for electronic signatures, as an eIDAS legal obligation, are mandatorily listed in the corresponding national Trusted List. Providers of non-qualified certificates for electronic signatures may be, but are not mandatorily, listed in these Trusted Lists.

Trusted Lists, and therefore the providers listed in them, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State and Trusted List Browser is “merely” browsing these Trusted Lists.

Choose your TSP using Trusted List Browser

Using Trusted List Browser, go to “Search by Type of service” (top left of the screen).

Select “Certificate for electronic signature” and/or “Qualified certificate for electronic signature” and click “Next”.

Then, select any country you may find appropriate and click “Search”.

Finally, click on any TSP you may find appropriate and, via the “Electronic address” multi-part field of the “Detailed information”, you will find a link to a website providing more information about this provider and the products it provides.

Sign your document

Once you have a certificate for electronic signature, you will be able to sign documents. TSPs might offer their own step-by-step process for signing digitally.

How can I create an advanced or qualified electronic seal?

In the first place, in order to seal documents as a legal person, a certificate for electronic seals is actually needed. And, using this certificate, electronic seals can be created. As part of the eIDAS Regulation, these certificates can be purchased from specific providers, named Trust Service Providers (TSP).

  • Obtain a digital certificate from a TSP

In the case of an ‘advanced electronic seal’, the certificate may or may not be qualified. In the case of a ‘qualified electronic seal’, the certificate shall be qualified and the private key related to the certificate shall be stored on a ‘qualified electronic seal creation device’ (QSCD).

As a general rule, if a certain level of electronic seal (e.g. advanced seal) is required, a higher level will probably be accepted (e.g. advanced seal with a qualified certificate, qualified electronic seal).

As laid down in eIDAS, a qualified electronic seal explicitly enjoys the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked.

Providers of qualified certificates for electronic seals, as an eIDAS legal obligation, are mandatorily listed in the corresponding national Trusted List. Providers of non-qualified certificates for electronic seals may be, but are not mandatorily, listed in these Trusted Lists.

Trusted Lists, and therefore the providers listed in them, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists.

  • Choose your TSP using Trusted List Browser

Using Trusted List Browser, go to “Search by Type of service” (top left of the screen).

Select “Certificate for electronic seal” and/or “Qualified certificate for electronic seal” and click “Next”.

Then, select any country you may find appropriate and click “Search”.

Finally, click on any TSP you may find appropriate and, via the “Electronic address” multi-part field of the “Detailed information”, you will find a link to a website providing more information about this provider and the products it provides.

  • Seal your document

Once you have a certificate for electronic seal, you will be able to seal documents. TSPs might offer their own step-by-step process for sealing digitally.

When signing/sealing a document, which format of signature should I use?

Three formats of advanced signature and one format of signature container are specified in the European Telecommunications Standards Institute (ETSI) standards, namely:

  • XML advanced electronic signature (XAdES), based on XML signatures;
  • PDF advanced electronic signature (PAdES), based on PDF signatures;
  • CMS advanced electronic signature (CAdES), based on Cryptographic Message Syntax (CMS);
  • Associated Signature Container (ASiC) based on ZIP format and supporting XAdES and CAdES signature formats.

In particular, following CID 2015/1506, these formats shall be recognised by European public sector bodies.

Advanced electronic signatures and advanced electronic seals being similar from the technical point of view, the standards for formats of advanced electronic signatures apply mutatis mutandis to formats for advanced electronic seals.

When signing/sealing a single document, the format of signature to choose typically depends on the format of the document to sign:

  • XML documents are suggested to be signed/sealed using XAdES signature format (either with enveloped or enveloping packaging);
  • PDF documents are suggested to be signed/sealed using PAdES signature format;
  • Binary files are suggested to be signed/sealed with XAdES or CAdES signature formats (with enveloping packaging).

When signing/sealing multiple documents, it is suggested to use ASiC containers.

The above suggestions are intended for basic usage of the signature/seal of documents. Other formats of signatures might be more appropriate in other specific contexts.

What is an electronic time stamp, and do I need one?

An electronic time stamp is data in electronic form which binds other data in electronic form to a particular time, establishing evidence that the latter data existed at that time.

For example, a signatory can use an electronic time stamp to bind a signed document to a particular date and time and prove in the future that the signed document existed at this particular date and time.

As part of eIDAS, a time stamp can be qualified. Following stricter requirements laid down in eIDAS, a qualified electronic time stamp enjoys the presumption of the accuracy of the date and the time it indicates and the integrity of the data (e.g. signed document) to which the date and time are bound.

What are the legal effects of an electronic time stamp?

Across all EU Member States, the legal effects of electronic time stamps are laid down in Article 41 of eIDAS.

An electronic time stamp (qualified or not) shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic time stamp.

Regarding qualified electronic time stamps, they enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound, across all EU Member States.

How can I get a qualified electronic time stamp?

Qualified time stamps are provided as part of a service offered by qualified trust service providers (QTSP). QTSPs, as an eIDAS legal obligation, are mandatorily listed in the corresponding national Trusted List.

Trusted Lists, and therefore the providers listed in them, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists.

Using Trusted List Browser, go to “Search by Type of service” (top left of the screen):

  1. Select “Qualified time stamp” and click “Next”.
  2. Then, select any country you may find appropriate and click “Search”.
  3. Finally, click on any QTSP you may find appropriate and, via the “Electronic address” multi-part field of the “Detailed information”, you will find a link to a website providing more information about this provider and the products it provides.

How do I validate that an electronic signature/seal is qualified?

Using DSS Demonstration WebApp

In order to easily validate, for any format of document, whether a signature/seal is qualified, you might be interested in the “Validate a signature” feature of DSS Demonstration WebApp. This demo is based on the open-source library Digital Signature Software (DSS). DSS supports the creation and verification of interoperable and secure electronic signatures/seals in line with the eIDAS Regulation. More information is available in the documentation.

Using Adobe Acrobat Reader (for signatures only)

When the signed document is a PDF, you can also use the “Adobe Acrobat Reader” software. If, via the Signature Panel, the software indicates “This is a Qualified Electronic Signature according to EU Regulation 910/2014”, you can assume the signature is qualified.

Via a qualified trust service

Some qualified trust service providers (QTSP) also offer “qualified validation service for qualified electronic signature/seal” services. When using this kind of service, users ensure the validation service follows requirements laid down in eIDAS and therefore benefit from higher legal certainty.

QTSPs, as an eIDAS legal obligation, are mandatorily listed in the corresponding national Trusted List. Trusted Lists, and therefore the providers listed in them, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists.

Using Trusted List Browser, go to “Search by Type of service” (top left of the screen):

  1. Select “Qualified validation service for qualified electronic signature” or “Qualified validation service for qualified electronic seal” and click “Next”.
  2. Then, select any country you may find appropriate and click “Search”.

Finally, click on any QTSP you may find appropriate and, via the “Electronic address” multi-part field of the “Detailed information”, you will find a link to a website

When validating a qualified certificate, what is the related Trust Anchor?

As defined by RFC 5280, a Trust Anchor is the end point of a certificate validation process.

As part of the EU Trusted List, when validating a qualified certificate (i.e. QC for electronic signatures, QC for electronic seals, QC for website authentication), the Trust Anchor is the Service digital identity (Sdi) of a trust service entry (cf. ETSI TS 119 612 v2.1.1). It means that, when validating a certificate, there is no need to chain up to the Root CA of a qualified certificate but only to the related CA/QC issuer entry within the Trusted List.

In order to extract the certificate chain from a qualified certificate to its issuer, you may find the “certificate validation” feature of DSS Demonstration WebApp useful. This demo is based on the open-source library Digital Signature Software (DSS). DSS supports the creation and verification of interoperable and secure electronic signatures in line with the eIDAS Regulation. More information is available in the documentation.

You will also find more information about this certificate validation in the “Introduction to the Qualified electronic signature (QES) validation algorithm” webpage.
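
The two answers above (“What is a certificate for electronic signatures?” and this one on the Trust Anchor) can be seen working together in the following added example, which is not part of the original FAQ and is not DSS code. It uses Go's standard `crypto/x509` to build a constructed root CA, issuing CA and signatory certificate, then accepts a signature only when the signer's certificate chains to a certificate placed in a stand-in "trusted list" and the signature matches the document. All names, the ECDSA P-256/SHA-256 choice and the helper functions are assumptions for illustration; a real validator also checks revocation and the qualified status recorded in the Trusted List.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certs is shorthand for a list of parsed certificates.
type certs = []*x509.Certificate

// must aborts on fixture-building errors; everything built here is constructed sample data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// pki is a constructed hierarchy: root -> issuing CA -> signer, plus an unrelated CA.
type pki struct {
	root, issuing, signer, unlisted *x509.Certificate
	signerKey                       *ecdsa.PrivateKey
}

func newPKI() *pki {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	issuing, issuingKey := issue("Example Issuing CA", 2, true, root, rootKey)
	signer, signerKey := issue("Example Signatory", 3, false, issuing, issuingKey)
	unlisted, _ := issue("Example Unrelated CA", 4, true, nil, nil)
	return &pki{root, issuing, signer, unlisted, signerKey}
}

// sign returns an ECDSA signature over the SHA-256 digest of doc.
func sign(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// validate accepts a signature only if the signer's certificate chains to a trust anchor in
// trustedList and the signature matches doc. It returns the length of the accepted path.
func validate(doc, sig []byte, signer *x509.Certificate, trustedList, extra certs) (int, error) {
	anchors, others := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustedList {
		anchors.AddCert(c)
	}
	for _, c := range extra {
		others.AddCert(c)
	}
	chains, err := signer.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: others,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, fmt.Errorf("certificate path: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(doc)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return 0, errors.New("signature does not match document")
	}
	return len(chains[0]), nil
}

func main() {
	p, doc := newPKI(), []byte("constructed sample document")
	sig := must(sign(p.signerKey, doc))
	n, err := validate(doc, sig, p.signer, certs{p.issuing}, nil)
	fmt.Println("issuer in trusted list:", n, err)
	_, err = validate(doc, sig, p.signer, certs{p.unlisted}, certs{p.issuing, p.root})
	fmt.Println("issuer not in trusted list:", err)
}
```

With only the issuing CA listed, the accepted path is two certificates long and the root is never consulted; supplying the full chain to the root does not help when no certificate on it is in the trusted list.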

What does AdES mean?

AdES is the acronym for either an advanced electronic signature or an advanced electronic seal. It is the second level of electronic signatures/seals defined in eIDAS.

More information → What are the levels (simple, advanced and qualified) of electronic signatures? + What are the levels (simple, advanced and qualified) of electronic seals?

What does QES mean?

QES is the acronym for either qualified electronic signature or qualified electronic seal. It is the third and most secure level of electronic signature/seal defined in eIDAS.

More information → What are the levels of electronic signatures? Do I need a qualified electronic signature? What are the levels (simple, advanced and qualified) of electronic seals? Do I need a qualified electronic seal?

What does (Q)TSP/(Q)TS mean?

A trust service provider (TSP) is a natural or a legal person who provides one or more trust services (TS) either as a qualified or as a non-qualified trust service provider.

A qualified trust service provider (QTSP) is a TSP who provides one or more qualified trust services (QTS) and is granted the qualified status by the national supervisory body. The decision of the supervisory body to grant the qualified status is reflected in the corresponding national Trusted List. In this respect, QTSPs are mandatorily listed in the corresponding national Trusted List, while TSPs could be, but are not mandatorily, listed in these Trusted Lists.

Trusted Lists, and therefore the providers listed in them, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State, and the ‘Trusted List Browser’ is “merely” browsing these Trusted Lists.

What does QC mean?

QC stands for a qualified certificate. As part of eIDAS, a qualified certificate can either be a:

  • Qualified certificate for electronic signature
  • Qualified certificate for electronic seal
  • Qualified certificate for website authentication

More information → What is a certificate for electronic signatures? + What is a certificate for electronic seals?

What does QSCD mean?

QSCD stands for a qualified electronic signature/seal creation device.

What is a digital signature?

A digital signature is used to help authenticate the identity of the creator of digital information. Digital signatures are based on digital certificates. Digital certificates are verifiers of identity issued by a trusted third party, which is known as a certification authority (CA). Digital signatures help establish the following authentication measures:

  • Authenticity
  • Integrity
  • Non-repudiation

How can I digitally sign my application?

In the Digital Signature page you can sign your application. By digitally signing your installers and products in Advanced Installer, you will increase your users’ confidence in you and your company, giving them peace of mind about your software.

Why is the SHA-2 digital signature not recognized?

This may happen on a machine running an OS older than Windows 7 (XP/Vista) when the application is signed using a SHA-2 digital signature. It happens because SHA-2 digital signatures are recognized only from Windows 7 onward.

Why is the digital signature not recognized by SmartScreen or by Internet Explorer?

Starting with January 1st, 2016 Microsoft is implementing a mandatory update of the Digital Signature system from SHA-1 to SHA-2 in order to deal with the decreasing security of the SHA-1 digital signatures.

All applications signed with SHA-1 certificates will still be accepted until January 1st, 2017. The UAC prompt will still show the correct vendor information but the browser, i.e. Internet Explorer, will warn the users about an invalid signature. Also, the Windows SmartScreen will not recognize the SHA-1 signature and try to prevent the users from running it.

What timestamp service URL should I choose when signing the application with a SHA-2 certificate?

Since not all CA vendors support SHA-2 timestamp for the SHA-2 digital signature you can still use a SHA-1 timestamp. However, all applications signed with a SHA-2 signature and a SHA-1 timestamp will be accepted until January 1st, 2017. After this date, you must use a SHA-2 timestamp for the SHA-2 signature.

Why do I get a random name for a digitally signed package?

The information displayed on the security dialog (UAC prompt) is collected from the digital signature of the package. In this particular case if you set the Description field from the Digital Signature Page it will display the correct package name.

Why does the SmartScreen prevent a signed setup from running and report it as an unrecognized application?

It seems that SmartScreen Protection shows the above message when you try to run a newly released program or an application that has not yet established a reputation. Reputation is established by SmartScreen® service intelligence algorithms based on how an application is used by Windows and Internet Explorer users.

For details, check the “passing the smart screen on Win8 when install a signed application?” thread, which debates this subject.

This can also happen if the setup package is signed with a SHA1-based certificate and timestamped after January 1st, 2016.

Why does the “Unknown Publisher” message appear during the install of a digitally signed package?

This problem occurs only if the SignTool.exe from Windows SDK v.7.0 or later is used to sign the package and the “File From Disk” option is enabled in Advanced Installer’s “Sign EXE, MSI or MSP files with a digital signature”. The package will appear as signed, but upon closer inspection the certificate used in the signing process will be reported as invalid. Because of this, the “Unknown Publisher” message will be displayed on Windows Vista or above, during installation.

As a solution, Microsoft recommends importing the certificate into the system store and automatically using it from there every time a package is digitally signed, instead of manually selecting the certificate file. In this case, the option “Automatically get certificate from system store” should be used in Advanced Installer’s Digital Signature Page. Another solution, not recommended by Microsoft, is to use the SignTool.exe from an older version of Windows SDK along with the “File From Disk” option enabled in Advanced Installer’s Digital Signature Page.

Why does the “Unknown Publisher” message appear during the uninstall of a digitally signed package?

When a package is installed, Windows caches the MSI by placing it in the Windows\installer folder. During this process, all the unnecessary information (including the digital signature) is removed in order to decrease the size of the file. When an uninstall is launched from “Add or Remove programs” or through the Uninstall shortcut, Windows Installer uses the cached MSI. Since this file doesn’t have a digital signature, the “Unknown Publisher” message will be shown. A solution for this is to make sure the user can uninstall the package only by launching the original file.

Why do I get the “Unmatching digital signature between EXE bootstraper and MSI database” message?

This error occurs when the signature of the .CAB or .MSI does not match the one of the .EXE. This is an authentication security check done automatically by the .EXE bootstrapper when the Enhanced User Interface is enabled.

Important: If you need to sign the installation package outside Advanced Installer, you can select the “EXE setup with resources next to it” package type and sign both the .MSI and the .EXE.

Why do I get the “Disk1.cab has an invalid digital signature” error during installation?

There are several reasons why you may get this error:

  • When the target machine has no internet connection and Windows Installer fails to verify online the digital signature. Since Windows installation is unable to contact the certificate provider that can verify the installer’s security certificate, it will prompt with that error during installation. This error sometimes disappears if you switch to using a different time stamp URL.
  • When it is not possible to compute the digital signature. This usually happens when you are using a SHA256 certificate or a SHA256 signature algorithm as a digest algorithm at signing time. Setup packages signed with a SHA256 certificate or digest algorithm will not have their digital signature recognized on XP and Vista operating systems. There is an official Windows issue regarding the computation failure of SHA256 certificates on Vista operating systems. So, if your setup package still targets Windows XP and Windows Vista operating systems, it is recommended to disable the option “Sign only for modern operating system (Windows 7 or newer)” from “Sign EXE, MSI or MSP files with a digital signature”.
  • When the CAB file has a large size. On Windows XP and Windows Server 2003 there is an operating system bug which consists in the operating system inability to compute the digital signature of the large installation files. So, if your setup package still targets Windows XP and Windows Server 2003 operating systems, as a workaround you can package your installation files into multiple CAB files of a smaller size (e.g. 64 MB) by using our Multiple volumes option.

Why is the “Are you sure you want to cancel installation” message shown after clicking the [ Install ] button?

When you build an EXE setup package with resources inside, our EXE bootstrapper checks at install time its own signature and the signature of its embedded MSI. If there is a signature mismatch between the EXE and its embedded MSI file, or the digital signature cannot be computed, the above error will be displayed during installation after the [Install] button is pressed.

The signature mismatch may appear when the EXE setup package is signed outside of Advanced Installer. Since the MSI is embedded in the EXE, only the EXE will be signed and, therefore the MSI will remain unsigned. This will generate the conflict at install time.

Also, there are situations when it may not be possible to compute the digital signature. This usually happens when you are using a SHA256 certificate or a SHA256 signature algorithm as a digest algorithm at signing time. Setup packages signed with a SHA256 certificate or digest algorithm will not have their digital signature recognized on XP and Vista operating systems and, thus, the installation will fail. There is an official Windows issue regarding the computation failure of SHA256 certificates on Vista operating systems. So, if your setup package still targets Windows XP and Windows Vista operating systems, it is recommended to disable the option “Sign only for modern operating system (Windows 7 or newer)” from “Sign EXE, MSI or MSP files with a digital signature”.

Why does the installation exit without any notification after clicking the [ Install ] button?

Starting with Advanced Installer 13.0, if you have Enhanced UI enabled and you built an EXE setup type without signing it from “Sign EXE, MSI or MSP files with a digital signature”, the installation can end right after you click on the [ Install ] button without any prompt or error dialog. This is the case for many developers who build the EXE installer without having access to the digital certificate. Then, when someone signs the EXE manually outside the Advanced Installer project, the MSI inside doesn’t get signed. Basically, this behavior occurs when launching a signed EXE with an unsigned MSI inside it.

The workaround is to use any (dummy/test) certificate to sign the EXE from the Advanced Installer project at build time. This will also sign the MSI inside it and once signing the EXE with the correct signature afterwards, the MSI dummy signature will be kept. With both EXE and MSI inside it signed, you won’t get this behavior anymore.

Why do I get the “An attempt was made to load a program with an incorrect format.” error message when building a signed package?

This may happen when creating a test installation package and adding an empty file (its size is 0 KB) in the test project. The build error should be fixed if the empty file is removed from the project and a valid one is added.

Why do I get the -2147467259/0x80004005 SignTool error at build time?

This error appears when you’re trying to add an invalid PE file (i.e. EXE, DLL, etc.) to your package, and the binary has a broken certificate. This means the executable indicates that a certificate exists, but in reality it is either missing or corrupted. SignTool won’t allow you to add an executable with a broken signature.
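A pre-build check for the condition described above, added here as an example and not taken from Advanced Installer or SignTool: it reads the PE header's certificate table entry and reports whether the file is unsigned, carries a structurally sound signature blob, or claims one that is missing or corrupted. The function name and the header-only sample images are constructed for illustration.

```python
import struct

CERT_TABLE_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002    # Authenticode PKCS#7 blob


def signature_slot(pe):
    """Classify a PE image's Authenticode slot: 'unsigned', 'present' or 'broken'.
    Structural check only; it does not verify the signature itself."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    opt = e_lfanew + 4 + 20                # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)
    if count <= CERT_TABLE_INDEX:
        return "unsigned"
    # For this one directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * CERT_TABLE_INDEX)
    if offset == 0 and size == 0:
        return "unsigned"
    if offset == 0 or size < 8 or offset + size > len(pe):
        return "broken"                    # header claims a table the file lacks
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if not 8 <= length <= size or revision not in (0x0100, 0x0200):
        return "broken"                    # WIN_CERTIFICATE header is corrupted
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "broken"
    return "present"


def _sample_pe(cert_offset, cert_size, tail=b""):
    """Constructed header-only PE32 image for the checks below (not runnable)."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * CERT_TABLE_INDEX,
                     cert_offset, cert_size)
    return bytes(img) + tail


WIN_CERT = struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + bytes(8)
UNSIGNED = _sample_pe(0, 0)
SIGNED = _sample_pe(0x200, 16, WIN_CERT)
STRIPPED = _sample_pe(0x200, 16)               # directory left behind, table gone
CORRUPT = _sample_pe(0x200, 16, b"\xff" * 16)  # table present, header garbage

if __name__ == "__main__":
    for name in ("UNSIGNED", "SIGNED", "STRIPPED", "CORRUPT"):
        print(name, signature_slot(globals()[name]))
```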

Why do I get the 0x800700C1 SignTool error at build time?

This error happens because one or more of your binary files has already been signed and has an invalid digital signature. SignTool cannot re-sign a file, so you must first remove its previous signature before using the tool. An excellent way to do this is presented by Martin Kunc in his blog post “SignTool.exe returned error 0x800700C1”.

Why does signing fail with no error: “The digital signing of the file failed. Error message: “?

This can happen when using “SignTool.exe” to sign the package if you only selected the “Windows SDK Signing Tools for Desktop Apps” feature when installing the Windows 10 SDK. The resolution is to also install the “Windows SDK for UWP Managed Apps” feature.

How can I use my own signing tool to sign the files before being packed (DLLs, EXEs), and then the installer?

In order to achieve this you can use the build events support. To sign the files before being packed, a pre-build event is required.

To sign the resulting .MSI package, a post-build event is required. If the resulting setup package is an .EXE setup package, two post-build events are required:

  • Use a post-build event to sign the MSI package and the CAB files. Also, make sure that you enable the “Execute this before EXE packing” option from the edit events dialog;
  • Use another post-build event to sign the .EXE setup package.

Why is the publisher name displayed during the installation process but when I try to install on another PC it is displayed as unknown?

Make sure that your certificate exists in the Member List of the Windows Root Certificate Program. To fix the issue follow the Import a Certificate tutorial and add your certificate in the Certificate Store of your target machines.

Why do I get the “SignTool Error: Invalid options: /fd” message?

You are using an older version of the SignTool SDK that does not support SHA256 digests. To fix this issue, you can install the latest version of the Windows Standalone SDK, or you could use Advanced Installer SignTool by going to File > Settings > External Tools > Digital Signatures and unchecking “Use an external tool”.

Why do extended validation certificates (with USB token) require the password multiple times during the signing process?

When using a USB token certificate our build process will trigger the USB password prompt multiple times. A prompt will be triggered each time the installation files are signed (setup files, CAB archive, MSI/EXE package, etc).

The only way to avoid the multiple certificate password prompt during build is to contact your certificate vendor and check if they have a Single password prompt per session option you can enable for your USB token.

For example you could use the “Enable single logon” option from SafeNet Authentication Client, a software for authentication management.

Why do I get “The specified timestamp server either could not be reached or returned an invalid response.” error when building a signed package?

This error may occur if you are using a timestamp server URL that is no longer valid.

To fix this, we recommend using the DigiCert timestamp service URL: http://timestamp.digicert.com

What is Batch Digital Signing and how can I use it?

Files contained by the project can be signed before putting them into the final package.

The default implementation is to sign these files one-by-one.

There is also an optional Batch Signing which involves signing multiple files at once (in the same SignTool call) for speed improvement. This method has the drawback that during signing Advanced Installer may become unresponsive.

Batch signing can be activated through the following DWORD registry entry:

HKEY_CURRENT_USER\Software\Caphyon\Advanced Installer\Settings\UseBatchSigning

If this entry exists and its value is “1” then batch signing will be used. Otherwise, one-by-one signing will be used.

Note: Even if batch signing is used there are multiple signing operations involved. For example, three signing operations are executed for a dummy test file to validate the selected digital certificate (e.g. it is not expired, it is of Microsoft Authenticode type – can be used to sign MSI and CAB files). Then there is one signing operation for all files (bulk signing) included in “Files and Folders” page, one signing operation for the CAB file, one for the MSI file and one for the EXE setup file (in case of EXE setup packages).

Why do I get “Win32 Error [2148073497]: The keyset is not defined.” error during build operation?

This happens when the Cryptographic service provider (CSP) is invalid.

Why do I get “Win32 Error [2148073494]: Keyset does not exist” error during build operation?

This happens when the Private key container (PKC) is invalid.

How is the Cryptographic service provider (CSP) list populated?

The list of all available cryptographic service providers (CSP) can be checked by executing the certutil -csplist command:

Provider Name: Microsoft Base Cryptographic Provider v1.0
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Enhanced Cryptographic Provider v1.0
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Strong Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Smart Card Key Storage Provider
CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)

CertUtil: The device that is required by this cryptographic provider is not ready for use.

Only providers of PROV_RSA_FULL type can be used for digital signature. Those are installed by default.
If an eToken is connected (and has been installed) you’ll see its CSP (e.g. eToken Base Cryptographic Provider) in the list too.

How is the Private key container (PKC) list populated?

You can check whether the eToken fields are correct by executing the certutil -csp "CRYPTO_PROVIDER" -key command, which produces output like the example below:

cbData: 17 ==> 40
eToken Base Cryptographic Provider:
  C25F5EC3CA53AEB0
  RSA
    AT_KEYEXCHANGE

  64DB908B84BD89FE [Default Container]
  RSA
    AT_SIGNATURE

CertUtil: -key command completed successfully.
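The two checks from the CSP and private key container answers above, combined into an added example (not Advanced Installer's own code): it parses both certutil outputs and predicts which of the two keyset build errors a given CSP and container pair would produce. The function names are hypothetical, and the eToken entry in the -csplist sample is a constructed addition to the output shown on the page.

```python
def parse_csplist(text):
    """{provider name: type name, or None when certutil could not query it}."""
    providers, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Provider Name:"):
            current = line.split(":", 1)[1].strip()
            providers[current] = None
        elif line.startswith("Provider Type:") and current:
            providers[current] = line.split(" - ", 1)[-1]
    return providers


def parse_key_containers(text):
    """{container name: key spec} from `certutil -csp <provider> -key` output."""
    containers, fields = {}, []
    for line in text.splitlines():
        if not line.strip():
            fields = []                        # blank line ends a record
        elif line.startswith(" "):
            fields.append(line.split()[0])     # name, algorithm, key spec in turn
            if len(fields) == 3:
                containers[fields[0]] = fields[2]
                fields = []
    return containers


def diagnose(csp, container, csplist_text, key_text):
    """Predict which build error, if any, the configured CSP/container causes."""
    if parse_csplist(csplist_text).get(csp) != "PROV_RSA_FULL":
        return "Win32 Error [2148073497]: invalid CSP"
    if container not in parse_key_containers(key_text):
        return "Win32 Error [2148073494]: invalid private key container"
    return "ok"


# Output as shown on the page; the eToken provider entry is a constructed addition.
CSPLIST = """\
Provider Name: Microsoft Strong Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: eToken Base Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Smart Card Key Storage Provider
CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
"""
KEYS = """\
cbData: 17 ==> 40
eToken Base Cryptographic Provider:
  C25F5EC3CA53AEB0
  RSA
    AT_KEYEXCHANGE

  64DB908B84BD89FE [Default Container]
  RSA
    AT_SIGNATURE

CertUtil: -key command completed successfully.
"""

if __name__ == "__main__":
    print(diagnose("eToken Base Cryptographic Provider", "64DB908B84BD89FE",
                   CSPLIST, KEYS))
```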

Why do I get the “SignTool Error: No certificates were found that met all the given criteria” message?

Signtool.exe can only search for the most suited certificate under Current User\Personal or Local Machine\Personal stores. Certificates stored under Current User\Trusted Root or Local Computer\Trusted Root are not scanned by Microsoft’s Signtool.exe. Please make sure you place your certificate under the correct Personal store if you want to allow Signtool.exe to use the most suited certificate to sign your package.
