Code Signing Certificates & How It Works | Venafi Skip to main content


<---Back to Education Center

Code Signing



Code Signing Certificates [Your In-Depth Guide]




Passing information over the internet by uploading and downloading files probably isn’t something you think about on a day-to-day basis. While you might not worry about someone overhearing a simple exchange of information, like an email to your mom, other information, such as your bank account password, is much more sensitive. This is where code signing comes into play to help keep your internet information safe.

Browse a specific section by clicking on any of the quick links below:
  1. What is Code Signing?
  2. How Does Code Signing Work?
  3. What Does Code Signing Do?
  4. Where is Code Signing Used?
  5. How To Add Certificates To Trusted Sites
  6. What Are the Strengths of Code Signing?
  7. What Are the Weaknesses of Code Signing?
  8. Keep Your Information Secure with Venafi

1. What is Code Signing?

Code signing is simply a guarantee that the code of a program or download has not been corrupted and changed after it was signed by the distributor. While this is a short explanation, let’s delve a little bit deeper to learn more about how code signing works and why it’s important.

Just as you want to be certain when you log into your bank account that you’ve given your password to the bank and not a man-in-the-middle attack, it’s best to be sure that the programs and updates you download are safe to install. To do that, we use the same public key infrastructure (PKI) used in HTTPS. When it’s used to verify a program, though, it’s called code signing.

Benefits of Code Signing

Code signing is a method of putting a digital signature on a program, file, software update, or executable, to verify its authenticity and integrity. Like the wax seal of old, it guarantees to the recipient who the author is, and that it hasn’t been opened and tampered with. Developers, programmers, and software engineers use code signing to prove, for instance, that your Windows 10 update actually came from Microsoft, and not a hacker who’s trying to invade your computer.

Code Signing Example

If you’ve ever seen that little popup that comes up when you try to run a program you’ve downloaded, the one that lists who the publisher is and asks “Are you sure you want to run this?” then you’ve seen code signing in action. That dialogue box is telling you that it really is a software patch for your Mac OS from Apple Inc., and that it’s still in the same condition it was when they signed it.

Code signing is what allows us to be sure we’re downloading a file from the right sender instead of a hacker who wants to take our information. Essentially, code signing lets you know that the code hasn’t been changed by a hacker so you know it’s safe to download.

2. How Does Code Signing Work?




Code signing is a process that involves several different steps to verify and secure code from a developer. Let’s delve into how code signing works and take a look at the steps developers must take in order to get a code signing certificate.

Enrollment Process

Today, many third-party publishers require software to be signed before they will distribute it. If you want your content to be more widely available, it’s in your best interest to enroll your data through a valid CA (certificate authority) to get a security certificate. This provides your users with proof that your downloads are safe for their computer.

Users know your content is safe because your certificate authority provides two keys for code signing: one private key and one public key. The public key is already installed on most browsers. It allows everyone to unlock the private key and identify who the distributor is when they go to download a program or file. The private key is only used by the distributor to encrypt the data so people know if the data has been corrupted before reaching them. If it has been tampered with, the person attempting to download the program or file will receive a warning that the code signing certificate cannot be authenticated.

Public Key Encryption

Encryption is any time encode a message to protect it from unwanted viewers. Usually this is done by passing it through a mathematical function (called a “key”) to change values, and decoding the message depends on having the key that returns the values back to their original state, allowing the message to be read.

In public key encryption (or asymmetric encryption), the key that encodes the message and the one that decodes it are different (hence asymmetrical). It’s called public key, because one key is made widely available (the “public key”) while the other is kept private (the “private key”) to ensure the security of the message. This kind of encryption relies on private keys being kept safe and away from those who would intercept or adulterate messages.

Whether the public key is used to encode or decode the message depends on the nature of the transmission. If you want everyone reading it, but you don’t want anyone tampering with the message, you encode with the private and decode with the public key. If you want everyone to be able to send a message, but don’t want them intercepted by the wrong person, you encode with the public, but decode with the private key.

Hash Function

Hash functions are a method of cryptography that isn’t designed to be reversible. Rather than encoding with a key and using a key to decode, hash functions are meant to be one-way, using a mathematical function which changes the values in a way that can’t be undone. The most common analogy is that of mixing paint. For example, you can mix blue (the original values) with yellow (the hash function) to get green (the new values), and you’ll get green every time you mix them, but there’s no way to separate the two colors and recover the blue.

Hash functions are used whenever you need a set value, and don’t need to read the information a second time. Login passwords are the most common example: websites often hash them for storage, so that if there’s ever a breach, all the hacker has stolen is a bunch of gibberish values. Meanwhile, when you log into the website, it hashes your password again and compares it to the stored hash value. If what you entered matches what they have on file, they let you in. They don’t need to read the password, they just need the value.

Code Signing Certificates

Now back to code signing. When a developer is ready to “sign” their work to prove its authorship and such, they take all the code they wrote, and they hash it. The value that spits out is then encoded using a private key (usually obtained from a trustworthy Certificate Authority), along with a message proving who encoded it (proving the authorship). It’s then added to the software to be shipped out. This constitutes a code signing certificate.

When a user downloads the software, they use the public key to first verify the identity of the developer by reading the message in the certificate. Once the authorship is verified, the public key is used to decode the hash. Then, the software is hashed again, and the new value is compared to the decoded one. If the user’s hash value and the developer’s hash value match, then the software hasn’t been corrupted or tampered with during transmission. The user is then alerted that the software is as the developer last left it, and (if the developer is to be trusted) it’s safe to install.

Root Certificates

Although there are certificates to ensure your safety when downloading software, you should also be aware that anyone can create a signing key and make it appear as though they have a valid certificate authority. If anyone can create a certificate authority, how do you know which CA’s are actually trustworthy? Great question. This is where root certificates come in.

You can think of code signing certificates sort of like a family tree. In order to verify where they have come from, you can trace them back to see what signing certificate is at the root of the tree—your root certificate. The root certificate determines if the other code signing certificates are trustworthy because you can trace the “chain of trust” back to the original signing authority. This root authority could be a company like Microsoft or Apple.

If your software cannot find a trustworthy root certificate, then the system will advise you not to trust the code signing certificate you are attempting to download. Sometimes even a trusted authority may not be recognized because it has not been installed on a browser. In these instances, you will need to manually install the root certificate on your server so the server recognizes the root certificate as trustworthy and valid.

3. What Does Code Signing Do?



Code signing has a couple different functions that can help users know if they can trust software downloads and other interactions on the internet. The main purpose of code signing is to authenticate the author of the software, download, or file. For example, a download file sent from Microsoft appears much more trustworthy than a file from Joe Schmoe and you’re more likely to download it on your computer.

Code signing also allows you to see if there is a valid security certificate. Think of the certificate as sort of like having a wax seal on your download. If the seal is broken, you know the material has been tampered with or compromised. If it is intact, you know the message inside is from the original sender, and the integrity of the original content has not be altered.

When you download software onto your computer, you are sure to have at least some updates in the future. When these updates are code signed with the same key used to encrypt your initial downloads, you can trust that future updates are coming from the same source and are therefore safe to download as well.

What Are the Types of Digital Certificates?

Different systems require different types of authentication. What works on a desktop is likely unsuitable for mobile systems and vice versa. Here are a few examples of the different certificates for both desktop and mobile software.

Desktop Certificates:

  • Microsoft
  • Java
  • Microsoft Office and VBA
  • Adobe AI

Mobile Certificates:

  • Windows Phone
  • Windows Phone Private Enterprise
  • Java Verified
  • Android
  • Brew

If you’re looking to encrypt and secure your data, you should first know what kind of software or system you are starting with and work from there.

What is the Use of a Digital Certificate?

The obvious answer when it comes to wondering what the use of a digital certificate is, is that it is meant to secure and encrypt data so third parties can’t get ahold of sensitive information. With a digital certificate, users can authenticate the software publisher. These digital certificates also inspire user trust in publishers because they are issued by certificate authorities. Digital certificates are also extremely useful for software publishers because they allow the publisher to track their software and track how many copies are downloaded.

How Long is a Digital Certificate Valid?

Another common question for those looking to get their own digital code signing certificate is how long a certificate is valid. Although the exact time frame varies depending on the issuer, digital certificates are typically only valid for a year or two. This is for a couple of reasons:

  • Revenue: A short time frame for renewal means guaranteed revenue for the certificate authority.
  • Increased Security: Security certificates and private keys can and do get compromised. Renewing and changing certificates every year or two renders any previous certificates invalid—even stolen ones.
  • Changing Technology: The world changes fast, and technology changes even faster. What was secure 5 years ago isn’t nearly as secure today. Changing code signing certificates and updating them helps ensure the certificate security is up to date.

One important thing to remember when updating any security certificates is that if you delete any expired certificates you will no longer be able to read encrypted messages that corresponded to that key. Make sure you save any information you need as unencrypted copies so you still have access after an update. Alternatively, if you believe your certificate security has been compromised, you can request to have your certificate revoked early and get a new one.

4. Where is Code Signing Used?



Code signing is used any place a developer wants a user to be sure of the source of a piece of software. This includes:

  • Windows applications and software patches
  • Apple software
  • Microsoft Office VBA objects and macros
  • .jar files
  • .air or .airi files
  • Essentially any executable

Be aware that, because of the distributed nature of Linux development, code signing is often not used for Linux-based software, meaning that software will come unsigned, and your computer will (if it gives any notice) will tell you it’s from an “unknown developer,” or something along those lines. Here are a few other applications and software that utilize code signing to increase their security.

  • Code Signing in iOS: Code signing in iOS for the App Store is done using Xcode. The purpose of singing your app is simply to let iOS know who signed the app originally and to make sure it hasn’t been altered since it was originally signed by the developer. If you need to revoke your iOS certificate, you will need to use your developer account or Xcode to complete the process.
  • Software Signature: Software signatures use asymmetric cryptography when code signing to secure data that is transferred online.
  • Code Signing in Xcode: Xcode is used by iOS to code sign apps and ensure their security. Before any device can be uploaded and approved for the iTunes store it must have a valid Apple Developer ID, with a valid certificate or profile. To successfully integrate your app, you will need to use a development certificate. In order to run the app on any device, you must use a distribution certificate to send out the app and test it.
  • Code Signing C#: Visual C# uses strong name signing to get a unique sign code that is not available to anyone else in the world and cannot be spoofed. When using Visual C#, you can simply sign your deployment using the sn.exe tool. This functions as your signature by using sigcheck tool printing “Strong Name: Signed.”
  • Windows Code Signing Certificate: Nearly any executable can be signed with a digital signature to verify the security and integrity of the file. For the file to be considered secure in Windows, it must be signed by a recognized certificate authority. Anyone who distributes malware under a valid certificate is held legally accountable for the software they distribute.
  • Visual Studio Code Signing: Visual Studio is particularly helpful when it comes to strong name signing for assemblies—a notoriously difficult task. Strong name signing through Visual Studio allows other computers to trust the software developer.
  • DigiCert Code Signing: DigiCert is a trusted certificate authority that provides code signing for Microsoft and supports dozens of server platforms and browsers including mobile browsers, applications, and operating systems. It is simple to integrate and provides a high level of trust for developers looking to add additional security to their software.

Essentially, any executable file or software can use code signing to verify authenticity and provide additional security for users.

5. How To Add Certificates To Trusted Sites

Before you jump in and add code signing certificates to trusted sites, you’ll want to make sure you can trust the resource it’s coming from. As we’ve mentioned before, looking at the root certificate will let you know if you are attempting to download software from a trusted source, or whether it has been corrupted or altered.

If the certificate has expired and you need to install the updated one, Microsoft recommends simply clicking through the “continue to this website (not recommended)” button, clicking, “Certificate Error,” then “View Certificates,” then “Install Certificate.” When the warning message pops up again you simply need to click “Yes” and you’re good to go.

This does carry risks of course, and you would never want to follow this process for any site you were unfamiliar with. To avoid this issue with your own websites, you should always go through a certificate authority to verify the security of your website.

6. What Are the Strengths of Code Signing?

Code signing does a couple of very important things. It ensures the identity of the developer (the authorship), meaning a random hacker can’t pass off some malware as being a software patch from Microsoft or Apple. It also double-checks the software to ensure that it hasn’t degraded, become corrupted, or been tampered with. Comparing the user-generated hash against the developer-generated value ensures that the code looks the same now as it did when the certificate was signed.

If a developer is using a private key it acquired from a certificate authority (CA), then code signing also extends the trust of the CA to the developer, meaning a relatively unknown software company can still be reasonably trusted by the public.

7. What Are the Weaknesses of Code Signing?

The biggest downsides to code signing come when the system isn’t used properly. First, certificates are only good if the private key (the one used to encode the certificate) are kept safe. If unscrupulous individuals gain access to the private key, they can potentially encode their own messages and software as if they were the developer, and the public key will verify the identity, with leaves the user with no way of guaranteeing it was really from the developer. To this end, these keys are usually stored in Hardware Security Modules (HSM).

Second, any hacker or developer with malicious intent can obtain a private key from a CA, if they really want to. What deters most of them is that they have to register with the CA to obtain one, which makes the crime easier to pin on them if they distribute malicious code. Potentially, though, a developer with a valid certificate could distribute harmful code to the public.

Lastly, code signing is really only as good as a user’s judgment. If a user is willing to accept and install software of unverified integrity or identity, code signing is useless. Like the warning label on a bottle of bleach, it’s only effective if the user heeds the cautions listed there.

Keep Your Information Secure with Venafi



Hopefully, you now understand how code signing works as well as the answer to the questions, “what is code signing?” and “what is a code signing certificate?” With this information tucked securely under your belt, you can see why code signing certificates are not only useful for software developers, but also for anyone who sends secure information online.

All-in-all, though, when used properly, code signing is an effective security measure that protects users from malicious software and code.

For more information on code signing and how to keep your systems safe from hackers, check out our risk assessment tool or contact Venafi today.

Up to Top




Continue learning with the next suggested topic:

What is DevOps




Main Navigation

}
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat