Code Signing

Ever wondered how users will identify YOUR unique software among a cheap imitations? Code signing is tantamount to virtual shrink wrapping. It essentially ‘seals' your software and validates it as ORIGINAL or TAMPER-PROOF. You—as the originator of that software—are identified as the sole author, generating trust and authenticity in the minds of your buyers. A failure to implement code signing to your software will leave you vulnerable to tampering, duplications and an eventual loss in sales.

How code signing works

Developers and software publishers use code signing certificates to attach a unique digital signature to applets, plug-ins, macros and other executable files before publishing them. Operating systems, software applications, devices, and mobile networks look for a trusted digital signature to authenticate the source of the code and confirm its integrity.

The Enrollment Process
When you apply for a Thawte® Code Signing Certificate, you generate a private/public key pair and submit the public portion to Thawte with documentation to prove your identity. Once Thawte authenticates and verifies the information, we issue a code signing certificate containing your full organizational name and your public key. It can be used to digitally sign code and content during the certificate’s validity period.

Deploying and Trusting Signed Code

  1. A publisher or developer signs a file using the code signing certificate.
  2. A digital signature is attached to the file and a hash mark is created.
  3. The content is published to a web site or mobile network, or otherwise made available.
  4. A user downloads or encounters the code. The user’s system software or application uses a public key to decrypt the signature.
  5. The hash used to sign the code is compared to the hash on the downloaded code. A mismatch generates an error, prevents download, or allows it, depending on the platform, application, and client security settings.

Code Signing FAQ

  • What are code signing certificates and digital signatures?

    Developers and software publishers use code signing certificates to attach a unique digital signature to applets, plug-ins, macros and other executable files before publishing them. The digital signature contains identification information about the publisher and is used to confirm that the code has not been altered or tampered with since release.

  • Why do developers need to sign their code?

    Easy online distribution has made it possible for developers to create fun and functional code, anywhere and everywhere. However, the potential for fraud and the spread of malicious code has increased as well. Software applications and platforms have developed security features to check for a digital signature and recommend whether or not code should be trusted. Some platforms, such as Adobe® AIR®, require digital signatures for all applications.

  • Are code signing certificates available for individual developers?

    Yes. Code signing certificates are available for individual developers who are not affiliated with an incorporated business. Choose the appropriate code signing certificate for your development platform, and select the Individual option.

  • What do users see when they encounter signed code?

    When a user encounters unsigned code, a security warning pops up or content fails to load, depending on the browser and security settings. Warnings create doubt and confusion for users and often result in support calls to the publisher or developer. When signed code is encountered, a pop-up notification shows the verified identity of the publisher and the user decides whether or not to trust the code. With a Thawte® Code Signing Certificate, your code will be as safe and trustworthy to customers as shrink-wrapped software from a store shelf.

  • How does the application know to trust my digital signature?

    A code signing certificate is a type of digital certificate. When you apply for the certificate, you generate a private/public key pair and submit the public portion to a certificate authority, such as Thawte, along with documentation to prove your identity. Once the certificate authority authenticates and verifies the information, they issue a certificate containing your full organizational name and your public key. Thawte® Code Signing Certificates are chained to our root certificate and trusted by leading platforms. It is possible to self-sign code, however, you do not have a trusted third party to vouch for the information you provide

  • Do I need different code signing certificates for developing code in different platforms?

    Each platform has slightly different ways of handling digital signatures. The Thawte® Code Signing Certificates for Microsoft® Authenticode® (Multi-Purpose) offers maximum flexibility with a single certificate to sign code developed on multiple platforms. You can digitally sign 32- and 64-bit user-mode (.exe, .cab, .dll, .ocx, .msi and .xpi files), as well as code for Microsoft® Office 2000, Microsoft VBA, Netscape® Object Signing, and Marimba Channel Signing. Thawte offers additional Code Signing Certificates for:

  • Why do code signing certificates expire?

    Applications and platforms that use code signing will check whether a certificate is valid as part of the security process. Digital certificates are designed to expire to protect both the certificate owner and the users who trust it. To renew a code signing certificate, the certificate owner provides identification information and the certificate authority authenticates and verifies it. The Thawte® Certificate Center makes it very easy to renew, manage, and track all of your code signing and SSL certificates with a single sign-in.

  • Will my code still be valid even though my code signing certificate expired?

    A code signing certificate is valid for the validity period purchased and an expired certificate cannot be used to sign code. However, a time stamp shows the validity of the certificate at the time the code was signed. Thawte does not run a time stamp server, however, you can use Symantec time stamping by adding: "http://timestamp.verisign.com/scripts/timstamp.dll" to the signcode command line. For Sun Java, use https://timestamp.geotrust.com/tsa

  • What happens if a code signing certificate must be revoked?

    A certificate may be revoked by its owner if it is lost or stolen, or it may be revoked by Thawte if the publisher is distributing malicious or intentionally harmful code. Thawte maintains a certificate revocation list (CRL). Applications and platforms which use code signing will check the CRL to verify whether a certificate is valid as part of the security process.

  • Who needs to use code signing?

    Any publisher who plans to distribute code or content over the Internet or over corporate extranets risks impersonation and tampering. Thawte Code Signing Certificates provide a high level of assurance about the identity of the code publisher and its integrity.

  • Does Thawte certify code or guarantee it?

    No. Thawte issues a certificate to the developer not to the code. The certificate certifies that the software really comes from the publisher who signed it - an extremely important consideration when prospective customers decide whether to trust it. The certificate also certifies that the code has not been altered or corrupted during transmission or download and is as the publisher intended it. Thawte will revoke a developer’s code signing certificate if there is any indication that the developer abused the trust of the code signing infrastructure.

Product

Price

Save

Issuance

Validation

 

ProductSymantec Code Signing

Amount$365.67

Save$66.00

Issuance1-3 Days

ValidationOV

Buy Now

ProductThawte Code Signing Certificate

Amount$182.33

Save$67.00

Issuance1-3 Days

ValidationOV

Buy Now

ProductComodo Code Signing Certificate

Amount$82.33

Save$84.62

Issuance1-3 Days

ValidationOV

Buy Now

Best Price Guarantee 100% Money Back Guarantee

Download our Product Matrix (PDF)

Download Now

Download our Business Brochure (PDF)

Download Now
Invest in the Best

Invest in the best Why Symantec SSL over any other?

Find Out Here

Need some Advice?