Most of us have encountered an “Unknown Publisher” warning more than once in our lives while attempting to download and run software on our systems. However, you’ll note that these security warnings are not displayed for reputed developers or widely recognized organizations. A code signing certificate is particularly useful for new developers or organizations that haven’t yet built a strong brand reputation. After you purchase any digital certificate, a certificate signing request (CSR) must be filled in by the applicant and submitted to the issuing certificate authority (CA). For a code signing certificate as well, the developer or the organization must generate a CSR that’ll contain information about the applicant or the applicant’s organization.
Code signing is the process of adding a digital signature to a program, verify its author, and ensure that the code has not been altered or corrupted since it was last signed. Software developers use code signing certificates to digitally sign applications, drivers, configuration files, and so on. This enables end-users to ascertain that the code they are executing has not been tampered with by an attacker or third-party. The application includes the signature, the name of the organization, the algorithm applied, and if used then a timestamp.
The way code signing works is that the programmer on receiving the certificate from a trusted CA will –
The private key is known only to the applicant and must be stored securely. The hash along with the certificate and the executable file is then shipped to the customers.
The users on receiving this bundle decrypt the hash using the public key. They also create a new hash of the downloaded file and then compare the two. If the two hashes match, it indicates that the file has not been modified since it was last signed by the developer.
Signing your applications is a fairly simple process and is highly beneficial for your organization’s reputation because it creates a greater sense of trust in your brand and associated products. Since end-users can now trust that the application was published by a verified publisher and does not contain malware, it is likely to drive up downloads considerably.
On creating a certificate signing request, an encoded message detailing specific information about the requestor is submitted to the certificate authority containing key data such as:
Once you’ve purchased a code signing certificate from the certificate authority of your choice, follow the steps below to generate a certificate signing request (CSR).
Begin by opening your selected web browser. We recommend using Firefox for this process since it facilitates CSR generation in a simple, secure, and prompt manner.
Enter the credentials you created while purchasing your certificate and login to your account on your code signing certificate provider's website.
Find your recently purchased “Incomplete” code signing certificate.
Click on the “Generate CertNow” option.
Enter all the information required to generate and complete the CSR.
Click on “Submit” to send your certificate request to your CA.
Next, the browser will generate a key pair that’ll be stored in the browser’s certificate manager folder. Save your order number and wait for your CA to complete the validation process. Once that’s done, they’ll issue your code signing certificate that you’ll need to install before you can begin signing applications.
Though there are several benefits to code signing, it is not without its failings. One of the greatest troubles to manage is when third-parties gain unauthorized access to private keys if they’re left lying around on server devices, or discoverable by other insecure storage means. Another cause for concern is that users with malicious intent may obtain a code signing certificate and distribute potentially dangerous software. However, since the validation process requires the mandatory submission of identity information, it is a less likely scenario. At the end of the day, code signing benefits both developers and end-users alike, and the advantages far outweigh the weaknesses that are easily manageable by using the technology responsibly.