5 Things You Should Know About Code Signing Certificates
Many years ago, we had to go to brick-and-mortar stores to purchase the software. It was not as convenient as today, where you download it from the internet, but it assured you that it was a genuine product.
How can you be sure the software or code you download today is from a legitimate developer? Is it possible to tell if it has been tampered with?
The answer lies in a revolutionary idea- a Code Signing Certificate. This is a digital signature that enables software publishers to sign their content, thus authenticating the product.
This article focuses on five things you should know about code signing certificates from a developer’s perspective.
Table of Contents
1. Are Code Signing Certificates Necessary?
Yes. Very much so. Code signing certificates serve two primary purposes:
Authenticity: The certificate openly tells the user (and their computer) exactly who the software came from. It shows the company or individual’s identity and links it to the key used to sign it.
Integrity: Just like you wouldn’t want to buy contaminated fuel from a gas station, you don’t want to purchase software that has been tampered with.
The certificate confirms to the user that the code has not been modified in any way. It is precisely as it was when it was signed and released.
2. Public Key Infrastructure Technology
Code signing certificates operate based on PKI (critical public infrastructure) technology. It consists of a pair of keys referred to as private and public keys.
The publisher uses the private key to sign the data, and public access is used to confirm it.
Once the publisher creates a digital signature, any alterations made to the data will cause the signature to change. When it is executed, the computer picks up the alteration and immediately flags it as questionable.
The computer then displays a warning message to alert the user that the software could be unsafe.
Even with code signing certificates in hand, it is sad that many holders don’t take appropriate steps to protect them. According to Venafi.com, only 29% of holders have and enforce code signing security policies. This leaves them exposed to theft and forgery of security keys.
3. Types of Code Signing Certificates
You could get one of two types of code signing certificates. If you are an organization, then you will need to buy an organization’s certification. If you are an individual, you will get one specific for individual programmers.
In both instances, the issuing company must undertake an authentication process to prove identity and legitimacy.
So what’s the difference between an organization and an individual code signing certificate?
The two work in the very same way. The difference is in the vetting process undertaken by the issuing company.
4. Top Code Signing Certificate Providers
There are three primary providers, also known as certificate authorities. These are:
All provide OV (organization validation) code signing certificates, business validation, and multiple-year options. It takes about three days for a certificate to be issued, and there is a 30-day return policy.
Sectigo is the cheapest of the three. It is the only company that secures software created by both organizations and individuals.
DigiCert is on the other end of the spectrum. It is the most expensive provider and is ideal for IT companies looking to establish a position in a highly competitive market. It is believed to deliver the highest level of trust from potential and existing clientele.
5. Code Signing Certificates vs. SSL Certificates
What is the difference between code signing certificates and SSL certificates?
Both are digital certificates that use public-key encryption but used to serve very different purposes.
An SSL certificate is software that uses public-key encryption to enable HTTPS on a website. It gives you the ‘Secure’ label and padlock in your browser.
It creates a secure connection by authenticating the server to web browsers. This gets accomplished by encrypting communication between the user and the website.
All SSL certificates offer equal levels of encryption but could provide different levels of authentication. Some only authenticate the website, while others authenticate both the website and the corresponding organization.
What else should you consider?
Timestamping is optional for software developers but is an essential part of the code signing process.
Code signing certificate validity
You see, code signing certificates have a validity period. It would usually be three years with yearly increments. Once it expires, it becomes invalid. You can’t use one unless it has been timestamped.
How it’s done
You can timestamp by adding a piece of information to the signature to tell devices exactly when signed. Devices then compare the date of signing with validity. If signing was within the validity period, the signature remains valid in perpetuity.
Timestamping is critical as it ensures continued usability for years. It also makes selling code cheaper because you don’t need to renew it if you are not signing anything new.
Code signing certificates are something you want to have, whether you look at it from a developer’s perspective or as an end-user.
As a developer, it endorses you as a trusted source and helps you sell better. As an end-user, it assures you of quality and security when downloading software, so your computer is safe from malware.