What is a Code Signing Certificate?
Code signing certificates are digital certificates that contain information that fully identifies an entity and are issued by a Certificate Authority such as GlobalSign. The digital certificate binds the identity of an organization to a public key that is mathematically related to a private key pair. The use of private and public key systems is called Public Key Infrastructure (PKI). The developer signs code with its private key and the end user uses the developer’s public key to verify the developer's identity.
Signing Code with a Code Signing Certificate
The digital certificate is marked for the specific use of digitally signed code, in PKI this is referred to as Key Usage. Below is an example of a GlobalSign digital certificate marked for code signing.
When a digital signature is applied, a timestamp is also recorded. This timestamping feature acts to ensure the signed code remains valid even after the digital certificate expires. Unless you’re adding additional code or making changes to the code, a new signature does not need to be applied (even if the digital certificate used to initially sign the code expires).
Code Signing helps prove...
Code signing identifies that the software or application is coming from a specific source (a developer or signer). When software is downloaded from the internet, browsers will exhibit a warning message stating the possible dangers of downloading data, or display an “unknown publisher” warning. Code signing removes the “Unknown Publisher” security warnings and identifies the Publisher’s name (ie. organization name).
Code signing ensures that a piece of code has not been altered and determines whether code is trustworthy for a specific purpose. If the application/ software code is tampered with or altered after digitally signing, the signature will appear invalid and untrusted. Signing code is beneficial for users downloading applications and beneficial for developers. Users are assured who they are downloading software from and can decide whether or not to trust the source. Developers can mark their “brand” and protect their software from unwanted changes.