What is Code Signing?

Code signing ensures a software publisher’s identity and assures the software’s integrity

How do you know whether or not you can trust a piece of software you’re trying to download off the internet? How do you know the software was really created by the company you think, and that no malware has been inserted into the executable since? Code Signing!

What is code signing? A Code Signing certificate is a piece of software that gives developers the ability to digitally sign their code, which provides two important benefits:

  • It verifies the publisher’s identity
  • It assures the integrity of the software

There is no substitute for Code Signing; it’s the only way to get web browsers to trust your downloads.

Code Signing gets your software past browser filters and antivirus programs

Downloading something from the internet has the potential to be very dangerous. All it takes is one malicious file and you could be out a computer. Because of the risk involved, browsers and antivirus programs look for certain assurances before allowing a user to download something. Code signing is one of the major factors anti-malware features check to determine whether software should be trusted or not.

When you purchase a Code Signing certificate from a trusted Certificate Authority, it can be used to apply a digital signature to your software. When a browser filter or antivirus program comes across the download, it can tell that the software was signed with a valid Private Key that was issued by a trusted CA. Because the CA had to vet you before issuing the certificate, the browser or antivirus program knows it can trust you, too.

What happens if I don’t Code Sign my software?

Anyone who tries to download the executable you’ve created, provided it’s not signed, will be greeted with an intrusive browser warning advising against installing the software. People tend to trust these messages, which will have a negative impact on your software installation rate. The only way to get by the warnings is to Code Sign your software.

Windows displays Unknown Publisher warnings like this for unsigned executables.

How does Code Signing work?

When you finish working on a piece of software and it’s time to sign it, you will use the Private Key that was created alongside your Code Signing certificate and apply a digital signature. This digital signature is then hashed along with the rest of your code. When a user attempts to download the code, their operating system, browser or antivirus software will perform a series of checks:

  • Check the digital signature and make sure it links back to a trusted Code Signing certificate.
  • Perform the same hashing technique that was applied during the signing.
  • Compare the current hash to the signed hash. If it produces the same hash value, it knows that the software has not been tampered with; even the smallest change would result in a different value.
  • Now the user’s computer knows the identity of the publisher and that the integrity of the software is intact.
  • It will now proceed with the download and show the user the verified publisher of the software.

Do Code Signing certificates expire?

Yes, a Code Signing certificate expires after 1-3 years. This is for security reasons. If Code Signing certificates stayed good forever, there would be substantial risk of old certificates from now-defunct software companies being used for nefarious purposes. It’s much safer to give them an expiration date. Provided you add a timestamp at the time of the signing, though, the digital signature will stay good forever. That’s because a timestamp provides the client proof that the software was signed while the certificate was still valid. Without a timestamp, the digital signature dies with the certificate.
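
The client-side checks listed under "How does Code Signing work?" and the timestamp rule above, combined in one added example (not code from the original article or from any signing tool). It assumes a toy unpadded RSA key as a stand-in for a real signing key, a set of trusted moduli as a stand-in for CA chain validation, and a timestamp that has already been validated; the publisher name, dates and installer bytes are constructed.

```python
import hashlib
from datetime import datetime, timezone

# Toy RSA key from two known Mersenne primes, so only the standard library is
# needed. Unpadded RSA is NOT secure; real tools use a vetted library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                               # public modulus (goes in the certificate)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (publisher keeps secret)

def digest_int(code: bytes) -> int:
    return int.from_bytes(hashlib.sha256(code).digest(), "big")

def sign(code: bytes) -> int:
    """Publisher side: hash the code, then sign the hash with the private key."""
    return pow(digest_int(code), D, N)

def verify(code, signature, cert, trust_store, now, timestamp=None):
    """Client side. `timestamp` is assumed to be an already-validated
    timestamp-authority time; None means the signature carried no timestamp."""
    if cert["modulus"] not in trust_store:
        return "untrusted: certificate is not in the trust store"
    # Recover the signed hash with the public key, recompute the current hash.
    if pow(signature, E, cert["modulus"]) != digest_int(code):
        return "tampered: current hash differs from signed hash"
    # With a timestamp, judge the certificate at signing time; without, at `now`.
    checked_at = timestamp if timestamp is not None else now
    if not cert["not_before"] <= checked_at <= cert["not_after"]:
        return "cert-invalid: not valid at " + checked_at.date().isoformat()
    return "verified publisher: " + cert["subject"]

# Constructed sample data (hypothetical publisher, dates and installer bytes).
def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

CERT = {"subject": "Example Software Ltd", "modulus": N,
        "not_before": utc(2021, 1, 1), "not_after": utc(2023, 1, 1)}
TRUST_STORE = {N}
INSTALLER = b"constructed installer bytes v1.0"
SIGNATURE = sign(INSTALLER)
SIGNED_AT = utc(2022, 3, 1)             # inside the certificate's validity
AFTER_EXPIRY = utc(2024, 6, 1)          # the user downloads after expiry

if __name__ == "__main__":
    print(verify(INSTALLER, SIGNATURE, CERT, TRUST_STORE, AFTER_EXPIRY, SIGNED_AT))
    print(verify(INSTALLER, SIGNATURE, CERT, TRUST_STORE, AFTER_EXPIRY))
    print(verify(INSTALLER + b"!", SIGNATURE, CERT, TRUST_STORE, AFTER_EXPIRY, SIGNED_AT))
```

The three calls show a timestamped signature outliving its certificate, the same signature failing without a timestamp, and a one-byte change to the file being caught by the hash comparison.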

Do Code Signing certificates work on all platforms?

Many different platforms require code signing, but not all code signing certificates work across all platforms. Generally, most will work on most platforms; the one major exception is Apple and its iOS and macOS platforms. Apple requires you to purchase a .p15 certificate directly from them.

Most other platforms are agnostic. Common platforms that code signing is used for include Microsoft Windows, Microsoft Office, Adobe AIR, Java, and Mozilla.

What Is Code Signing: A Summary

If you’re asking what is code signing, you’re asking the right question! Code signing is the best way to:

  • ensure your software integrity (protect your users from fake software and malware)
  • smooth out the install process for your users (remove security warnings when installing your software)
