A code or software can easily be tampered with by an attacker, and the unsuspecting end-users would be none the wiser. Hashing is used to check the integrity of files. It works as long as the hacker doesn’t compromise your website and the hashes along with it. Consider a scenario where a malicious file mimicking your program is uploaded along with the hash of the compromised software. A site visitor can easily get tricked into believing that the file was uploaded by a genuine developer. Once the visitor downloads and executes the application, the modified file then carries out some malicious activity. This is damaging to the user as well as the developer’s reputation. Most new developers and organizations struggle to get enough users to download and run their applications. Building trust and reputation takes time, and using a code signing certificate not only assures file integrity but can also circumvent Microsoft SmartScreen ‘Unknown Publisher’ warnings.
Let’s take a look at how code signing works and delve deeper into the purpose it solves.
How Does a Code Signing Certificate Work?
Using a code signing certificate enables a developer to place a digital signature on an application or an executable so that end users are able to verify the authenticity of the publisher and the file integrity before installing and running the program on their systems. If a program is signed, an attacker can no longer manipulate the content since it will not clear the integrity check and the signature becomes invalid. If we attempt to understand how code signing works, there are two sides to consider – the steps taken by the publisher to sign the code and what happens at the customer’s end. At the developer’s end, the first step is to obtain the code signing certificate from a reputed certificate authority (CA) and the validation process typically takes a few days. Next, the developer generates a one-way hash of the program executable and encrypts it using the private key associated with the certificate. The hash and the certificate are bundled along with the application before releasing it to end-users.
At the customer’s end, the user decrypts the hash using the public key and compares this value to a newly generated hash of the downloaded executable. If a match occurs, it indicates that the application has not been tampered with since it was last signed and it is safe to be installed and executed.
Types of Code Signing Certificates
There are two types of code signing certificates offered by most CAs – standard code signing and EV code signing certificates. The primary difference between the two lies in how they deal with the Microsoft SmartScreen filter. With the standard code signing certificate, they continue to appear up until the developer builds their reputation. Whereas with EV code signing that thoroughly verifies the developer’s identity, these warning messages are removed.
Hopefully, you now have a better understanding of code signing certificates and where they’re often used. When it comes to opting for a self-signed code signing certificate, note that a self-signed certificate will not work outside of your network. It is because browsers and machines outside your network don’t have your public key in their trust root store. Choosing between a standard code signing certificate and an EV code signing certificate also depends on your specific requirements and financial feasibility.