The Code Signing Certificate Stamp of Approval

Stamping the Identity and Trustworthiness of Software Programs

Effectively using a Code Signing Certificate will increase consumer trust by establishing a foundation of knowledge for the consumer to rely on. Before anyone decides to install a software program there is the final exit decision that is prompted on the dialog box asking for the user’s permission to install the software. Because of the public’s general nature to make their decisions based upon facts, they have come to require that developers should provide them in the form of identity and integrity.

Code Signing Certificates provide the facts that the users desire so they can confidently make their decision to install the software, it is in a sense, a stamp of approval. Since many users are not technological wizards they demand accountability and Code Signing Certificates provide this by verifying author identity or publisher identity.  When software is distributed by a company that the user doesn’t know very well (or at all) this certificate promotes consumer confidence because it discloses the certificate authority and a timestamp showing that the software has not been maliciously tampered with.

Using the Codes Signing Certificate prevents hackers from getting away with distributing software under a false name and spreading viruses disguised as something else. The publishers of content and software are able to employ a certificate-based digital signature to verify their identities to the users of the code, which then will allow the user to decide if they want to install the softwares based off of the trust of the publisher.

Earning the Stamp of Approval

A Code Signing Certificate is not given, but rather earned by:

1. A developer must apply to a Certificate Authority for the Code Signing Certificate.

2. A Certificate Authority (as a trusted third party) must verify the developer’s identity.

3. After a successful verification, a public/private key is made.

4. The private key remains with the applicant and the public key is sent to the Certificate Authority.

5. When the certificate is issued, the developer signs the code with their private key.

After a user downloads the signed code they get a certificate copy which verifies the author’s identity.  The user’s web browser verifies the signature so they know the code came from the appropriate developer. If the code has been tampered with, then the code will change and the digital signature will become invalid. It is that signature which ensures the codes integrity and the author/distributor/publisher authentication.

In addition to creating confidence in the consumer about the identity of the publisher, code signing certificates allow the user to trust updates, since it uses the same key as the original application.

Trusting the Stamp of Approval

Microsoft Windows, Linux, Apple Operating Systems, and all other major operating systems and web browsers support code signing certificates.

Code Signing doesn’t necessarily mean that the code can be trusted, but only that it was signed by a specific legal entity. However, as mentioned before, in order to be granted the code signing certificate they must have completed the application process.

A signed application will show a dialog box that allows the viewing of the Certificate Authority and the timestamp. An unsigned application will not.  When the author isn’t obvious and/or updates are needed, code signing certificates become extremely valuable.

Acquiring the Stamp of Approval

Developers should strongly consider acquiring a code signing certificate to encourage user trust. Users continue to become more cautious about infecting their computers when their computers have become such an integral part of their lives and contain so much of their sensitive information. Furthermore, the code signing certificate can protect developers from users relying on any hacker false claim that might attempt to illegally offer software under the developer’s own name.