What is a Microsoft Authenticode Code Signing Certificate?

Rate this article: 1 Star2 Stars3 Stars4 Stars5 Stars (10 votes, average: 3.90)
Loading...

A rundown on code signing with an Authenticode certificate

Using Microsoft Authenticode to sign your software isn’t just something that the biggest software companies need to do — nowadays, it’s basically a requirement for any software. Authenticode is a Microsoft-specific signing technology that allows developers to sign their code and users to authenticate the signature.

It’s kind of similar to the way that different companies and networks use different software libraries for SSL/TLS. The underlying premise, the use of PKI and X.509 digital certificates is still the same — it’s just how it’s all executed that differs a little bit.

Today we’re going to discuss code signing, Authenticode code signing certificates, and how and why you should acquire one.

A Quick Rundown on Code Signing

When you create a piece of software, ideally, you would like to have people purchase or obtain it, and then use it. And in a perfect world it would all be that simple. But criminals and hackers have ruined that and, nowadays, any device or system has been designed closer to a zero-trust model. After all, executing the wrong program can prove disastrous.

This is where code signing enters the picture. Before running a new piece of software — or updating an old one — the device or system is going to need some kind of assurance about the legitimacy of said software. Specifically, it needs to know who the publisher is and whether it’s been altered since it was signed.

Code signing accomplishes both with a digital signature and a hash function. The digital signature authenticates the developer; the hash serves as a checksum to ensure the integrity of the software hasn’t been compromised. Quickly, from a technical standpoint, the code signing certificate and the code itself are both hashed together and then the resulting hash value is digitally signed with the certificate’s private key.

When a user receives the software, their system will first repeat the hash value that was created when the certificate and code were both hashed together during the signing. No two disparate inputs can create the same output in hashing, so if the values match, you can safely assume the software’s integrity is intact.

Then the system takes the public key that was presented alongside the code signing certificate and uses it to verify the signature.

When done properly, the result is this:

Windows Authenticode code signing certificate, used properly, shows a verified publisher message.

If not done properly, the user gets warned instead:

A Windows Authenticode code signing certificate, used improperly, shows an unknown publisher warning message.

Nowadays, you can’t get away with not signing code. Now let’s talk about how to obtain an Authenticode Code Signing certificate.

How to Obtain a Microsoft Authenticode Code Signing Certificate

Unfortunately, unlike SSL/TLS, there is no free variant of a code signing certificate. Owing to the amount of trust given to a digital signature made by a trusted signing certificate, the certificate authorities (CAs) need to spend time vetting your organization (or the individual developer) before they’re willing (or allowed) to issue a code signing certificate.

There are two variants of a code signing certificate:

  • Standard Code Signing
  • Extended Validation (EV) Code Signing

SSL Certificates for www and without

Save Up 42% On Comodo Code Signing Certificates

Need to sign your software to assure users and make installation easier? We sell all Comodo code signing certificates at up to 42% off.
View Code Signing Certificates

 

EV code signing requires more extensive vetting, but it pays off in the form of a reputation boost with Microsoft SmartScreen filter, and your private key comes stored on an external hardware token for better security. This is a great option for newer developers.

As for getting an Authenticode code signing certificate, some are specifically marketed that way but any trusted code signing certificate CAN be used to sign Authenticode. Such certificates would include Comodo authenticode certificates for code signing. You may have to change the file format/encoding, but they can all be configured for use with Authenticode.

While you can buy direct from a certificate authority, you’re going to get better pricing if you work through a reseller. Resellers such as ComodoSSLstore.com purchase in bulk — well below MSRP — and can sell at lower price points than the CAs because of it. CAs also prefer to work with larger companies, so for SMBs, a reseller is definitely the way to go.

Purchase Comodo Code Signing Certificates & Save Up to 42%

We offer the best discount on all types of Comodo Code Signing Certificates, which work with Microsoft Authenticode. Shop Comodo Code Signing Certificates and Save Up to 42%

Making Authenticode Signatures

The best option for making Authenticode signatures, provided you’ve already purchased and installed the certificate, is to use the SignTool.exe program that came with your software development kit (SDK). Depending on the version you have, it might require some manual tweaking, or it might just be a matter of clicks

The best option for making Authenticode signatures, provided you’ve already purchased and installed the certificate, is to use the SignTool.exe program that came with your software development kit (SDK). Depending on the version you have, it might require some manual tweaking, or it might just be a matter of clicks

Best Practices for Signing Authenticode

First and foremost, it’s important to timestamp every signature. Like any other PKI digital certificate, code signing certificates have a finite lifespan. This is for both security and technical reasons. Without timestamping, any signature left by a now-invalid code signing certificate will no longer be trusted.

When you timestamp a signature, it does require a couple of other functions — calls to time servers — but it keeps your signatures valid in perpetuity. This saves you money and saves your reputation in the long run, too.

Second, sign both the installer and the application. As Microsoft’s Eric Law says:

“When downloading installation packages from the Internet, the browser and/or Windows Shell will only check the digital signature on the installer itself. However, as a best practice, you should also sign the main executable of your application as well. This helps prevent tampering, but more importantly, it helps ensure that any security tools on the user’s machine can more readily identify your code. For instance, many anti-malware or firewall tools will treat unsigned executables with suspicion, and may even block them if they happen to share the same filename as a malicious program.”

Remember, it’s up to you to sign your code. You still have the option not to if you really want to shirk security and responsibility. Just don’t expect many people to use your software.

Save Up to 75% On

Comodo SSL Certificates