Rate this article: (3 votes, average: 5.00)
How do you know whether or not you can trust a piece of software you’re trying to download off the internet? How do you know the software was really created by the company you think, and that no malware has been inserted into the executable since? Code Signing!
What is code signing? A Code Signing certificate is a piece of software that gives developers the ability to digitally sign their code, which provides two important benefits:
There is no substitute for Code Signing, it’s the only way to get web browsers to trust your downloads.
Downloading something from the internet has the potential to be very dangerous. All it takes is one malicious file and you could be out a computer. Because of the risk involved, browsers and antivirus programs look for certain assurances before allowing a user to download something. Code signing is one of the major factors anti-malware features check to determine whether software should be trusted or not.
When you purchase a Code Signing certificate from a trusted Certificate Authority, it can be used to apply a digital signature to your software. When a browser filter or antivirus program comes across the download, it can tell that the software was signed with a valid Private Key that was issued by a trusted CA. Because the CA had to vet you before issuing the certificate, the browser or antivirus program knows it can trust you, too.
Anyone who tries to download the executable you’ve created, provided it’s not signed, will be greeted with an intrusive browser warning advising against installing the software. People tend to trust these messages, which will have a negative impact on your software installation rate. The only way to get by the warnings is to Code Sign your software.
When you finish working on a piece of software and it’s time to sign it, you will use the Private Key that was created alongside your Code Signing certificate and apply a digital signature. This digital signature is then hashed along with the rest of your code. When a user attempts to download the code, their Operating system/browser/antivirus software will perform a series of checks:
Yes, a Code Signing certificate expires after a 1-3 years. This is for security reasons. If Code Signing certificates stayed good forever, there would be substantial risk of old certificates from now-defunct software companies being used for nefarious purposes. It’s much safer to give them an expiration date. Provided you add a timestamp at the time of the signing, though, the digital signature will stay good forever. That’s because a timestamp provides the client proof that the software was signed while the certificate was still valid. Without a timestamp the digital signature dies with the certificate.
Code signing works across many different platforms require code signing, but not all code signing certificates work across all platforms. Generally, most will work on most platforms, the one major exception is with Apple and its iOS and macOS platforms. Apple requires you to purchase a .p15 certificate directly from them.
Most other platforms are agnostic. Common platforms code signing is used for include Microsoft Windows, Microsoft Office, Adobe AIR, Java, and Mozilla.
If you’re asking what is code signing, you’re asking the right question! Code signing is the best way to:
Save up to 58% on Comodo Code Signing Certificates. Works on any platform except Apple.
Compare Comodo Code Signing Certificates