Code signing is used to authenticate the originator and authenticity of a file. The identity is inserted directly into a program via code or with an executable file (.exe) by creating a digital signature through hashing a private key. The corresponding public key can be used to verify that the file is intact, original, and unmodified.
What Is Code Signing?
By code signing a program, a developer is simply attaching a particular type of digital certificate, known as a code-signing certificate, which uses public-key cryptography just like any other type of digital certificate. Code signing is used across operating systems in many different types of platforms, from mobile to desktop. You can find it used in Windows, Mac OS X, Linux, and even iOS and Android environments. Each platform has its own process to read and understand the code-signing certificates. Microsoft, for instance, uses a program called SmartScreen to filter out phishing and malware attempts.
What is a Code Signing Certificate?
Code signing certificates are executable files generated from public/private key pairs using various software tools. Developers give the public key and the organization’s identity information provided to a trustworthy CA like Sectigo. The CA verifies the authenticity of the identity information and then issues a code signing certificate to the developer. The certificate simply indicates it was signed by the CA’s hashed private key, contains the developer organization’s identity, and can be unlocked using the developer’s public key.
Code Signing certificates are used to digitally sign applications and software programs to verify the source code of the file along with code integrity. Digitally signing the executable software with a publicly trusted X.509 certificate increases confidence in the software.
Different types of code signing certificates
There are two major categories of code signing certificates. Some certificate authorities, like Sectigo, offer both types of code signing certificates. The two certificate types include:
- A standard certificate requires limited validation of the requester of the certificate and their company information by the Certificate Authority that issues it. Keys are usually stored in software or the filesystem, with a lower level of protection than EV certificates.
- An Extended Validation (EV) Code Signing Certificate requires a much higher degree of vetting by the trusted Certificate Authority in order to be issued. The keys must be stored in well-protected places in order to properly secure them. The vetting process is mandated by the CA/Browser Forum and must meet stricter requirements designed to discourage fraudsters from attempting to obtain an EV certificate. EV code signing certificates are not unlike SSL/TLS certificates. In fact, research from Georgia Tech’s Cyber Forensics Innovation Lab shows that the issuance and use of EV SSL certificates make it 99.99% likely to be free of phishing attacks and abuse. The research study, which was sponsored by Sectigo, can be downloaded here.
Different systems require different types of authentication. What works on a desktop is not necessarily suitable for mobile systems and vice versa. Here are a few examples of the different certificates for both desktop and mobile software.
- Microsoft Office and VBA
- Adobe AI
- Windows Phone
- Windows Phone Private Enterprise
- Java Verified
- Xcode (used for code signing in the iOS App Store)
Why code signing is important
When a program begins installation, the operating system will not allow it to continue before checking if the program contains a code signing certificate within its installation files. If there is not a certificate present and the installation comes from a recognized source, the user will receive warnings about the dangers associated if they proceeded. It will not stop the installation outright, but it will concern any user that is not fully trusting of the source of the installation files. These warnings will occur on any modern operating system.
Code signing certificates allow users to authenticate that the file being downloaded truly does come from the originator rather than a malicious actor that has inserted something unknown. This reinforces the concept of trust within the system, allowing developers to assure the end-users downloading and using the code that the source can be trusted and is safe.
Many organizations protect themselves using secure vaults and Hardware Security Modules (HSMs) to increase the degree of security their private keys are getting. This goes a long way towards promoting the integrity of private keys and other encryption assets.
Code signing use cases
Code signing allows the end-user to understand if the executable file belongs to Apple or Microsoft and includes the update they wanted from their app store.
This can be vital in circumstances where the end-user is less likely to be computer savvy, with IoT devices, or with other smart devices. Updates for these devices are often pushed without authentication from the end-user, thus software developers and software publishers need to understand that it is possible for tampering to occur without any way to guard against it.
Windows and other operating systems include lists of Trusted Root Certificates issued by certificate authorities that meet their requirements, and so any file signed by a certificate issued under one of these trusted roots is trusted by the operating system. All authentications based on PKI assume that the certificate authority has not issued certificates improperly and manages the certificate lifecycle responsibly
Code signing in DevOps environments
Code signing enables application developers to add a layer of assurance, indicating to users that the software they’re receiving can be trusted. Using certificates that allow developers to digitally sign software before distribution, Code Signing lets end users downloading digitally signed 32-bit or 64-bit programs know the code actually comes from the developer's business and has not been modified by a third party since it was signed.
The Automation Certificate Management Environment (ACME) eases the certificate management burden and is supported by over 150 million websites and more than 130 open source tools. Sectigo Certificate Manager can be used with a wide variety of DevOps environments such as Kubernetes, Chef, Ansible, Salt Stack, Terraform, Puppet, Istio, and Docker, all of which support ACME natively to easily and scalably secure your public-facing servers.
How do code signing certificates work?
A unique private key is needed so that it can be properly hashed, and the encryption/decryption cannot easily be defeated. Within public-key cryptography, the public and private key combination is the heart of the process, allowing communication without access.
Most modern operating systems are programmed to automatically scan and identify the presence of a code signing certificate before an application or program is allowed to be installed. The OS will automatically start a series of steps designed to prevent any malicious code from unknowingly slipping through.
First, it will confirm the existence of the certificate. After generating the new key pair, the public key is sent to a certificate authority, who verifies the identity of the developer and affixes their own public key to the code signing certificate. The certificate and code are sent back to the original developer that requested the certificate.
Next, it will use the public key provided by the CA to decrypt the certificate digest. Now that the developer is in possession of a signed code certificate and an encryption key pair, they must hash the software’s code before they can encrypt and sign it. Hashing is a procedure in which a hash function is used to convert code into an arbitrary fixed value. The output of hashing, called a digest, is then encrypted using the private key. Next, the developer combines this digest with the code-signing certificate and the hash function to create something called a signature block, which is essentially all of the above items combined into a piece of code that can be conveniently inserted into software.
Next, the OS uses the same hash function used by the developer to create another digest from the code. The new digest is compared to the original. If they are identical, the OS takes it as proof that the public key corresponds to the private one used to encrypt the code – this can be extrapolated to the logical assumption and fact that the code has not been tampered with since it was distributed by the developer and is not malware.
Do developers need to use code signing certificates?
To answer concisely, YES!
Code signing certificates are an integral part of ensuring the integrity of software across all popular programming environments. Development organizations that fail to use code signing certificates or follow these steps can find their users beset by the errors and warnings delivered by their operating systems, resulting in a poor user experience at best and complete distrust of the application at worst.