Code Signing Certificates

Sectigo code signing certificates allow software publishers to digitally sign their code, including applications, executables, scripts, and programs, to confirm that the software has not been altered after release.

Without a digital signature verified by a trusted Certificate Authority (CA), major operating systems like Microsoft Windows will show end users a warning message before installation. This reduces downloads and adoption and leaves unsigned or weakly signed code vulnerable to tampering and supply-chain attacks.

Sectigo Code Signing Certificates build user trust, protect against unauthorized modification, and support faster releases with streamlined issuance and reduced operational friction.

4.2
Star rating on

Trustpilot
25%
Savings off list price with
Free Token with 5-year purchase deal
5
Years of worry-free

code signing
Free
FIPS-Compliant token will be shipped to you each year, for the duration of your package.

Item 1 of 4

OV Code Signing Certificate

FIPS-Compliant Device Delivery

Organization Validation (OV) offers baseline trust and fast issuance
Free token will be shipped to you each year
Meet CA/Browser Forum authentication standards and Microsoft specifications
Establishes reputation in Windows, Microsoft Edge, and Microsoft SmartScreen® Application Reputation filter
Increase user confidence by showing the identity of the signing party before applications are run
Supports all major 32-bit/64-bit formats, including Microsoft Authenticode (kernel and user mode files, like .exe, .cab, .dll, .ocx, .msi, .xpi, and .xap), Adobe Air, Apple applications and plug-ins, Java, MS Office Macro and VBA, Mozilla object files, and Microsoft Silverlight applications
Includes timestamp functionality for continued operation even after the code signing certificate has expired

EV Code Signing Certificate

Highest level of Security

Extended validation (EV) offers highest level of security
Free token will be shipped to you each year
Meet CA/Browser Forum authentication standards and Microsoft specifications
Establishes reputation in Windows 8.0 and later, Internet Explorer 9 and later, Microsoft Edge, and Microsoft SmartScreen® Application Reputation filter
Increase user confidence by showing the identity of the signing party before applications are run
Protects private key from theft via hardware token and PIN
Supports all major 32-bit/64-bit formats, including Microsoft Authenticode (kernel and user mode files, like .exe, .cab, .dll, .ocx, .msi, .xpi, and .xap), Adobe Air, Apple applications and plug-ins, Java, MS Office Macro and VBA, Mozilla object files, and Microsoft Silverlight applications
Includes timestamp functionality for continued operation even after the code signing certificate has expired

Secure Code Signing Without Slowing Down Your Releases

Code signing shouldn't block releases or scare away users. Sectigo's verified certificates boost install rates, eliminate signing delays, and protect every build from unauthorized tampering.

OS Security Warnings + Lost Installs

The Problem: Users abandon downloads when Windows or browsers warn them that your software is unknown or untrusted.
How We Help: Sectigo verifies your publisher identity and signs your software so operating systems recognize you as trusted.
What You Get: Fewer security warnings lead to higher install rates, stronger user confidence, and smoother adoption of your application.

Slow Releases and DevOps Friction

The Problem: Developers waste time navigating validation steps, hardware requirements, and manual signing workflows that slow releases and disrupt pipelines.
How We Help: Sectigo streamlines validation and supports modern DevOps workflows so code signing integrates directly into your release process.
What You Get: You ship faster, reduce manual overhead, and keep development moving without security becoming a bottleneck.

Risk of Tampered Code and Supply Chain Attacks

The Problem: Security teams worry about malware injection and compromised builds that can damage customer trust and brand reputation.
How We Help: Sectigo protects private keys with FIPS-compliant hardware and verified identity checks to prevent unauthorized signing.
What You Get: Your software stays protected from tampering, giving customers confidence in every release while safeguarding your brand.

Updated code signing regulations

Starting February 23, 2026, the CA/B Forum has changed the maximum certificate lifecycle for Code Signing certificates. Industry regulations require all Certificate Authorities to issue certificates no longer than 459 days (approximately 15 months). Certificate Authorities must ensure that the subscribers private key is generated stored and used in suitable FIPS-compliant hardware.

Why the Change?

Requirements for private keys used with EV code signing certificates have been stronger than OV code signing certificates which are more relaxed.

The new rules are intended to reduce the potential misuse of code signing certificates and to further protect those certificates from getting into the wrong hands by making key protection requirements for OV code signing certificates the same as EV code signing certificates.

Important Dates for Code Signing Timeline

As of February 23, 2026, you will no longer be able to issue a single multi-year Code Signing certificate on a single FIPS-compliant device. Instead, if you purchase a multi-year Code Signing product from Sectigo you will receive a new compliant hardware device with a new certificate each year.

How do code signing certificates work?

The code signing process works by using public key cryptography and cryptographic hashing to create a digital signature that binds a software package to a verified publisher identity. When code is signed, a unique fingerprint of the software is created, encrypted with the publisher’s private key, and attached to the code along with the code signing certificate so it can be verified before distribution.

When an end user downloads or installs the software, the operating system verifies the signature using the corresponding public key. If the signature is missing, invalid, or untrusted, the end user will receive an error or warning message.

Intuitive dashboard

In our customer dashboard, you'll be able to view all products you have with Sectigo, view their lifecycle status, issue or reissue, and renew expiring certificates, saving you time and fear that an expired certificate may down your site at an unexpected time.

Trusted by Leading Brands Globally

Securing some of the world’s largest and best-known brands.

FAQs

Have another question?

Reach us by chat in the lower-right corner.

What is a Code Signing Certificate?

A code signing certificate is a type of digital certificate that allows software developers to add digital signatures to code and to include information about themselves and the integrity of their code within their software. The end users that download digitally signed 32-bit or 64-bit executable files (.exe, .ocx, .dll, .cab, and more) can be confident that the code came from the verified developer and was not tampered with by a third party.

What is the difference between OV and EV code signing?

Sectigo offers two types of code signing certificates, Organization Validation and Extended Validation, to match different security and distribution requirements.

OV code signing is best suited for internal applications and B2B software where faster issuance and baseline trust are sufficient. This option also offers a lower cost entry point.

EV code signing certificates provide the strongest identity verification and high end user confidence. This option is recommended when software is distributed to large audiences, for public-facing software, and in environments where security is critical.

What is a Code Signing Service?

A code signing service is an online cloud-based solution which provides signatures for code binaries. The developer’s certificate is maintained securely in the cloud. The developer or signee does not have to send the entire file to be signed, a hash code will suffice. The service provides security, convenience, and scalability.

How Do I Get a Certificate for Code Signing?

There are certain requirements that need to be fulfilled during the code signing certificate validation process. The three main things that must be verified before issuance include:

1. The legal existence of the organization or individual named in the Organization field of the certificate must be verified.

2. The email to which the code signing certificate is to be sent must be [email protected], where domain.com is owned by the organization named in the certificate.

3. A callback must be made to a verified telephone number for the organization or individual named in the certificate in order to verify that the person placing the order is an authorized representative of the organization.

As of June 1, 2023 Code Signing certificates will be:

Installed on a Sectigo token and shipped securely to the customer.
Available as a download to be installed on the customer’s own HSM. The hardware devices (e.g. tokens, HSMs, etc.) must be FIPS-compliant and support externally verifiable key attestation.

Product Refunds

Code Signing certificates are installed on a physical token and shipped to your location. We can only provide full refunds for products that have not been shipped. Once a product has shipped and within 30-days from order, we will refund the product cost, less shipping and token cost.

How Much Does a Code Signing Certificate Cost?

A Sectigo® code signing certificate starts at $536.25 per year when customers choose the five-year option. The cost goes up for shorter time periods and for EV code signing certificates.