Rate this article: (3 votes, average: 2.33)
While you technically can self-sign a Code Signing certificate, a self-signed code signing certificate won’t work for its intended purpose.
Code Signing is extremely important, and it’s misuse could potentially be catastrophic, so there are some good reasons why you can’t create a self-signed code signing certificate.
The process for purchasing a Code Signing certificate requires an organization or an individual to undergo validation. This is a way for the issuing Certificate Authority to vet you and make sure you’re legitimate. The browsers don’t trust your software, but they trust the CAs. When a CA issues you a Code Signing certificate that lets you sign your software, the browsers will trust it because they can see the certificate the private key is paired with and they trust the entity that issued it. The CA is essentially vouching for you.
If a CA doesn’t issue the Code Signing certificate, why should a browser trust your signature?
Good question. It shouldn’t. You can’t vouch for yourself, that doesn’t work anywhere– especially not on the internet. Browsers are skeptical by default, designed to only trust a select few entities. You are not one of those entities. You can’t just sign your own Code Signing certificate in the same way that you can’t just issue yourself a driver’s license. It’s only good if it comes from someone trusted.
If you distribute your software with a self-signed certificate, your users will get various warnings when they attempt to install the software. Here’s one example warning screen users will see on Windows if your executable is self-signed:
Pretty much the same thing that would have happened if you created a self-signed code signing certificate. As soon as anyone tries to download your software the browser will see that it wasn’t issued by a trusted entity and issue you a browser error. Nobody clicks through a browser error about potentially malicious software. So just assume that your conversion will fail and the person will leave the site. That’s not good.
Code Signing certificates aren’t as cost prohibitive as you might think. And Comodo also sells Individual certificates for developers that work independently. Take a look at some of our Code Signing options, and remember– if you find a better price we’ll beat it.