What is Code Signing?
Code signing certificates are used by content publishers to append digital signatures to their products. These digital signatures prove to consumers of the content the identity of the creator and validate that content has not been tampered with since it was originally distributed. Code signing digital signatures can be used to sign content including software components, macros, firmware images, virus updates, configuration files or other types of content for secure delivery over the Internet or other mechanisms. Code signing has becoming increasingly important, with the rapid growth of Internet distribution of content and tightened security settings in many newer browsers and/or operating systems.
The Process
- The software publisher requests a code signing certificate from us.
- A public key will be created on requestor's machine, either in a file or in the Windows/Internet Explorer certificate store. We never receive the private key.
- Once the information provided has been validated and the certificate has been issued, we will send an email containing a link to download the certificate file.
- The publisher creates the software component or other content to be signed.
- The publisher uses a code signing tool, supplied by platform vendor, to add a digital signature to the content. An optional time stamp can also be added to the digital signature, to extend the life of the software component beyond the validity period of the code signing certificate. The digital signature contains an encrypted hash of the software component, which is used to verify that the code has not been tampered with after it is signed.
- SignTool.exe from Microsoft is used for signing most standard Windows code (.exe., .ocx, .dll, .cab,). The publisher will need to specify the code to be signed, the private key file, the code signing certificate and optionally the time stamping server URL.
- jarsigner is used for signing Java applications. Starting with Java 5, jarsigner added support for time stamping.
- If a time stamp is to be added to the code, an Internet connection is required.
- The software publisher verifies the digital signature, before distributing the product.
- SignTool.exe from Microsoft is used for verifying digital signatures for most standard Windows code formats.
- Newer versions of jarsigner can be used to verify the digital signature in a Java software component.
- An end user attempts to execute the software component. The browser or Operating System will inspect the software to make sure it has not been tampered with, since it was signed. If a time stamp is present, the time stamp will be used to verify that the code signing certificate was still valid (had not expired or been revoked) at the time the time stamp was added to the digital signature on the software component.
For more information, see Microsoft's Introduction to Code Signing.