Before we get to what a code signing certificate is and what it does, let’s first go through a couple of familiar photos.
You would definitely relate to those images unless you’re an alien. Chances are, without giving a thought, you would have pressed Yes / Ok. But what is the explanation for those warnings? Who are they really worried about?
Let’s get it across.
Code Signing Certificate and Why We Need It
A Code Signing Certificate is a digital certificate that vouches for code, software, app and executables being legitimate. A Code Signing certificate, based on Public Key Infrastructure, signatures the code and guarantees it is not changed or compromised on the way from the developer’s system to the end user’s system. Code Signing thus helps end-users to determine whether or not software / app is trustable.
We can therefore say that Code Signing fulfills two fundamental goals-validation and integrity. Validation, because it shows that a legitimate and verified publisher has written software. Code signing certificate does not let any third party alter the code behind any software and corrupt it. Thus, it serves code integrity purposes.
For example, you’ll see Google Inc. as the publisher if you download Chrome from its official web site.
How does Code Signing work?
A Code Signing Certificate works on the Public Key Infrastructure ( PKI) encryption technique which is similar to the method used in SSL / TLS certificates. There are two cryptographic keys used to encrypt the file, namely a public key and a private key. This public-private key pair is created when a certificate authority ( CA) is software approved to request a certificate. The private key signs the data / code from the two keys, and use the public key to authorize the signature.
The publisher holds the Private Key so that the program stays safe, so no hacker can exploit it. Once the applicant receives the request from the certificate provider it verifies the applicant ‘s identity. Once the CA has completed the vetting process, the certificate is deemed legitimate and the certificate is issued.
The Code Signing Process
If you want to use a code signing certificate to sign the program you will follow these steps:
- First, you must apply by a trusted certificate authority ( CA) for a code signing certificate.
- Instead, you can get the CA to check your identity.
- The next step in line is to generate a one-way hash and encrypt it using your private key.
- Current, the hash and the certificate must be bundled together.
How Code Signing prevents the spread of malware
From a hacker’s point of view, open source software has proven to be a lethal weapon. A tried and tested approach has been to infuse malware into such applications. We strongly suggest therefore that you avoid software that displays unknown publishers and stay away from the threat.
It doesn’t mean digitally signed software is one hundred per cent bulletproof, however. We have also seen instances of malware embedded in signed apps. CCleaner, a commonly used app only recently fell victim to it.
Such a malware infusion is mostly done through the stealing of certificates / private key. You must also keep your code signing certificate in safe places and ensure that all files are password protected.
Types of code signing certificates and their requirements for validation
There are two major forms of code signing certificates-organizational validation (OV) and individual validation (IV) certificates. OV certs are used to validate organizations, as their names clearly advocate, and IV certs are used for the individual developers.
Signing requirements for organisation’s validation code
There are four general requirements you must prove to the CA if you want to issue an OV certificate.
- Organization Authentication
- Locality Presence
- Telephone Verification
- Final Verification Call
Signing criteria for individual Validation Code
If you’re a lone wolf, these are the conditions you’ll need to look after.
- Identity Verification
- Telephone Verification
- Final Verification Call
Final Reasons
Code Signing is an important method which protects users and developers alike. From the point of view of a developer, code signing not only protects the code but also strengthens the credibility. In the end this leads to stronger download numbers. If you are a user, you will need to insist that you download signed software.