
Sectigo Code Signing Certificate


 

350,71 lei


What is Code Signing?

A code signing certificate allows you to affix a digital signature to a script or executable, proving to end-users that your software is safe to download and install. When a user’s computer receives the signed file, it can check the authenticity of the signature to ensure it knows who signed it and whether the final product has been tampered with.

One of the key benefits of code signing is that it reduces security warnings for your users, making it easier and faster for users to install your software.

A lot of people compare code signing to the shrink wrap that used to cover physical software when purchased from a retail store. That shrink wrap lets you know whether the software has been tampered with. Code signing is similar. It helps assure your customers the software hasn’t been tampered with, asserting the software’s integrity and the developer’s identity.

Do you see this browser warning? This is the mark of death for any piece of software. People trust their browsers to keep them safe, so when they get a warning about the lack of identity of a publisher or a lack of integrity for the program—they listen. Code Signing is the only surefire way to avoid these kinds of warnings.

Digitally sign your scripts and executables to assert publisher identity and ensure file integrity.

The Sectigo Code Signing certificate is one of the most trusted digital signing certificates in use today by software developers and engineers.

How does Code Signing work?

A digital signature is really just a string of letters and numbers that can be affixed to a file or program. When the signature is added, the program and the signature are both hashed and that hash value, along with the signed program, is then made available for download.

When a customer decides to download the software, their browser will take a look at the digital signature and authenticate it; once this is done, the browser will perform the same hash function and compare the value to the one that came with the program. If the two values match, the file hasn’t been tampered with.

This can be determined with confidence because of the way hashing works. Hashing is the practice of mapping data of any length to a fixed-length output. For instance, SHA-256 is the standard hashing algorithm used in SSL/TLS. SHA-256 outputs hashes that are 256 bits long, usually represented as a 64-character hexadecimal string. No two pieces of data can ever produce the same hash value. If they do, this is called a collision and it renders the entire hashing algorithm worthless.

Customers need two things before downloading your software

Before anyone downloads your software, they need two assurances:

  • They need to know the software was developed by a reputable party
  • They need to know the software hasn’t been altered or tampered with

Only a Code Signing certificate can accomplish this. By adding your digital signature to your script or executable, you’re both proving your identity and monitoring the file for compromise. These assurances are the difference between converting and missing out on a download.

What Platforms can I Sign On?

Sectigo Code Signing certificates are compatible with a wide range of major file types:

  • Adobe AIR
  • Apple applications and plug-ins
  • Mozilla Objects
  • Microsoft Authenticode
  • Microsoft VBA
  • Java
  • MS Office Macros

 

Customers can tell who published the software, and they can see whether the package has been opened. These factors enable customers to make decisions about what software to purchase and how much to "trust" those products. Customers who download digitally signed ActiveX controls, dynamic link libraries, .cab files or HTML content from your site can be confident that code really comes from you and hasn’t been altered or corrupted since it was created and signed. Digital IDs serve as virtual "shrink wrap" for your software: after you sign your code, if it is tampered with in any way, the digital signature will break and alert customers that the code has been altered and is not trustworthy.

A code signing certificate allows software developers to add digital signatures to code and to include information about themselves and the integrity of their code within their software. The end users that download digitally signed 32-bit or 64-bit executable files (.exe, .ocx, .dll, .cab, and more) can be confident that the code really comes from a verified developer and there was no tampering by a third party since it was signed.

  • Meet CA/Browser Forum authentication standards and Microsoft specifications
  • Establishes reputation in Windows, Microsoft Edge, and Microsoft SmartScreen® Application Reputation filter
  • Increase user confidence by showing the identity of the signing party before applications are run
  • Supports all major 32-bit/64-bit formats, including Microsoft Authenticode (kernel and user mode files, like .exe, .cab, .dll, .ocx, .msi, .xpi, and .xap), Adobe Air, Apple applications and plug-ins, Java, MS Office Macro and VBA, Mozilla object files, and Microsoft Silverlight applications
  • Includes timestamp functionality for continued operation even after the code signing certificate has expired
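
The hash-and-compare check described under "How does Code Signing work?" and the timestamp behaviour in the list above can be sketched in a few lines. This is an added example, not Sectigo's code: the toy RSA key, the function names and the sample dates are assumptions chosen so that it runs on the Python standard library alone.

```python
import hashlib
from datetime import datetime

# Toy RSA key from two Mersenne primes so the demo runs on the standard library
# alone. Illustration only: real code signing uses a CA-issued key protected in
# a token or HSM and a padded signature scheme, never textbook RSA.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the publisher

def digest(data: bytes) -> int:
    """SHA-256 of the file contents as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, signed_at: datetime = None) -> dict:
    """Publisher side: sign the digest; optionally record a timestamp.
    Simplification: a real timestamp is a countersignature from a
    timestamping authority, not a bare field."""
    return {"sig": pow(digest(data), D, N), "signed_at": signed_at}

def verify(data: bytes, signature: dict, not_before: datetime,
           not_after: datetime, now: datetime) -> str:
    """User side: recompute the digest, compare it with the signed one,
    then check the certificate validity window."""
    if pow(signature["sig"], E, N) != digest(data):
        return "tampered"
    # With a timestamp, the signing time is what must fall inside the window;
    # without one, the current time is.
    checked = signature["signed_at"] or now
    return "valid" if not_before <= checked <= not_after else "outside validity period"

# Constructed sample values, not taken from the page.
FILE = b"constructed sample installer bytes"
NOT_BEFORE, NOT_AFTER = datetime(2023, 6, 1), datetime(2024, 6, 1)
AFTER_EXPIRY = datetime(2025, 1, 1)

if __name__ == "__main__":
    stamped = sign(FILE, signed_at=datetime(2023, 9, 1))
    unstamped = sign(FILE)
    for label, data, sig in [("timestamped", FILE, stamped),
                             ("no timestamp", FILE, unstamped),
                             ("modified file", FILE + b"!", stamped)]:
        print(label, "->", verify(data, sig, NOT_BEFORE, NOT_AFTER, AFTER_EXPIRY))
```

Checked after the certificate's expiry date, the timestamped signature still verifies, the untimestamped one does not, and a single changed byte fails the digest comparison regardless of dates.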

 

There are certain requirements that need to be fulfilled to validate one’s code signing certificate. The three main things that must be verified before issuance of a code signing certificate are:

1. The legal existence of the organization or individual named in the Organization field of the certificate must be verified.

2. The email to which the code signing certificate is to be sent must be someone@domain.com, where domain.com is owned by the organization named in the certificate.

3. A callback must be made to a verified telephone number for the organization or individual named in the certificate in order to verify that the person placing the order is an authorized representative of the organization.

As of June 1, 2023, Code Signing certificates will be:

  • Installed on a Sectigo token and shipped securely to the customer
  • Available as a download to be installed on the customer’s own HSM. The hardware devices (e.g. tokens, HSMs, etc.) must be FIPS-compliant and support externally verifiable key attestation.