Author identity authentication and software data integrity verification are what code signing is about. Maybe you’re already using it, but do you know how code signing works? Join us in a behind-the-scenes tour and explore the amazing wonders of the code signing process.

In 2021, Malwarebytes detected nearly 200 million Windows malware threats. How can you protect your customers and your products from malware infection in a world where anyone can upload malicious scripts or codes anywhere on the web? By using a process known as code signing, which involves using a code signing certificate.

Signing your code with a code signing certificate is akin to using the passport issued by your country’s government while traveling. Attaching your digital signature to your code helps you:

  • Assert your organization’s digital identity,
  • Guarantee the integrity of your software and executables, and
  • Prevent fraudulent usage of your brand and software.

But do you know how code signing works? In this first of a two-part series article, you’ll discover everything you need to know about the code signing process to do your job:

  • How code signing works for you as a developer and for your users,
  • Where code signing is used,
  • Code signing best practices you can put to use.


How Does Code Signing Work? A Step-by-Step Guide to Code Signing & Signature Verification

Let’s start by exploring how to sign code using the code signing process.

| How to Sign Code in 5 Steps | Details |
| --- | --- |
| 1. Select Your Preferred Code Signing Certificate | Extended validation (EV) code signing certificate. Organization validation (OV) code signing certificate. (Some CAs offer individual validation certificates, or what are known as IV code signing certificates.) |
| 2. Generate a Private-Public Key Pair | To get a code signing certificate, together with your certificate signing request (CSR) to the certificate authority, you’ll have to send your public key. |
| 3. Hash Your Code and Encrypt It | Run your code through a one-way hash function (i.e., something that’s too impractical to reverse), and encrypt its digest. |
| 4. Add a Time Stamp | Add the exact time and date when you sign your code. |
| 5. Sign Your Software | Combine: the digest, the code signing certificate, and the hash function. |

This is what happens on the end user’s side of things in the code signing verification process (we’ll talk about this a little later).

| Code Signing Verification Process | Details |
| --- | --- |
| 1. The User Clicks on Your Code’s Download Button | The installation process begins. |
| 2. The Code’s Digital Signature Is Decrypted and the Digital Signature Is Authenticated | The user’s operating system: decrypts the digital signature created by the developer using the public key, and checks the authenticity of the digital signature. |
| 3. A New Hash Digest Is Created | The user’s operating system creates a new digest. |
| 4. The Two Digests Are Compared on the Backend of the User’s Device | The operating system’s generated digest is compared with the one it decrypted at the beginning. If the two match, then it means the software hasn’t been modified. |

Alright, let’s get right to it: here’s how code signing works.

1. Select Your Preferred Code Signing Certificate

Do you want to get rid of the Windows Defender SmartScreen’s unknown publisher warning message for good? Go with the extended validation code signing certificate. Are you looking for a cheaper solution? Then the organization validation code signing certificate is the one for you. This will allow your verified digital identity to appear in the Windows User Account Control (UAC) window, but it won’t stop the Windows Defender SmartScreen from popping up because Windows OS and browsers won’t automatically trust it.

Trust has to be earned organically over time for OV code signing certificates (instead of automatically being given like it is with EV code signing certificates).

Check out a summary of the difference between the two in the table below:

| Features | Extended Validation (EV) Code Signing Certificate | Organization Validation (OV) Code Signing Certificate |
| --- | --- | --- |
| Instant recognition by Windows Defender SmartScreen. No unknown publisher warning message will be shown. | Yes. | No. Your reputation with Windows Defender SmartScreen will be built organically, which takes time. |
| Two-factor authentication with an encrypted hardware token is required to sign the code. | Yes. | No. The certificate is stored in an encrypted file on the developer’s computer. The same file can be used by other developers to sign their codes. |
| Can be used to sign Windows 10 drivers. | Yes. | No. |
| Can be used on any platform and browser. | Yes. | Yes. |
| Can be used to sign drivers with Microsoft Authenticode. | Yes. | Yes. |

If you decided to go for an OV code signing certificate, until around Nov. 15, 2022, you’ll have to generate a certificate signing request (CSR). (After Nov. 15, this process goes away.) This will have to be added to your order form before sending it to the Certificate Authority (CA). To do so, you can use:

A basic illustration that shows how code signing works for organization validation certificates (prior to November 2022)
Image caption: The graphic shows the actual process to follow to request an OV code signing certificate.

Note: After Nov. 15, 2022, the process will change. OV requestors won’t need to generate a CSR anymore. Instead, they’ll have to follow a process similar to the one used by customers requesting an EV code signing certificate. (More on that momentarily.) OV certificates will also be delivered on a hardware token after that date. 

A basic illustration that shows how code signing works for organization validation certificate after new industry changes roll out Nov. 14 and 15 (depending on your geographic location).
Image caption: This is how you’ll have to request an OV code signing certificate from Nov. 15, 2022, onward.

2. Generate a Private-Public Key Pair

As code signing is based on asymmetric encryption, you’ll need a public and a private key pair. Generating them with OpenSSL is pretty easy:

  • Open a terminal window and run the following command to generate your RSA private key: openssl genrsa -out csprivatekey.key 3072. (The minimum key size for code signing certificates is 3072 bits as of June 2021.) For this example, we named the key file “csprivatekey.key”.
  • Now you can extract your public key with: openssl rsa -in csprivatekey.key -pubout -out cspublickey.pem

Done! You can now send your public key to the CA, let them run the background check as per procedures, and wait to receive your code signing certificate.

A basic illustration that shows how code signing works with regard to extended validation certificates
Image caption: The graphic shows how you can request an EV code signing certificate from a certificate authority.

3. Hash Your Code and Encrypt It

Did you finally receive your new code signing certificate? Great! Let’s start hashing! How? You basically just run your precious code through a one-way hash function (i.e., it virtually can’t be reversed because it requires too many resources and too much time). The output will be a fixed-length alphanumeric string of gibberish called a digest, which is then encrypted using your private key. This means that everyone will be able to access the code, but no one can tamper with it without the change being detected.

4. Add a Time Stamp

Time stamping records the exact time and date when you signed your code. It also helps you avoid displaying error messages when your certificate eventually expires because, so long as the certificate was valid when the code was signed, the software will continue being recognized as authentic.

5. Sign Your Software

Now you have everything you need to create your personal, unique digital signature block. Combine:

  • The digest,
  • The code signing certificate, and
  • The hash function

and add the just created signature block to your code or executable.

Isn’t that great? In five simple steps (four if you skipped time stamping), you’ve now reclaimed ownership of your code and protected your users from accidentally downloading malware-infected software. Now, you, as a developer, have done your bit.

Code signing process graphic: A basic overview of how code signing works
Image caption: The graphic shows the steps a developer has to follow to sign a code once they have acquired a code signing certificate.

How Code Signing Signature Verification Works

Okay, so, we’ve completed the run-through of how code signing works on the developer’s end. So, how does code signing work on the user’s end when they attempt to download the code you’ve just signed?

1. The User Clicks on Your Code’s Download Button

You’ve now published your latest executable. A user notices it and clicks on the download button. Once downloaded, the installation process begins.

2. The User’s Client Decrypts and Authenticates the Digital Signature

Before starting with the installation, the user’s operating system does the following to the code’s digital signature:

  • Decrypts the digest created by the developer (remember step three?) using the public key.
  • Checks to ensure that the digital signature created with the code signing certificate is authentic.

3. The Client Generates a Hash Digest

The user’s operating system creates a new digest using the same one-way hash function used by the developer in step three.

4. The Two Digests Are Compared on the Backend of the User’s Device

The operating system’s generated digest is compared with the one it decrypted at the beginning (step seven). Do they match? Great! This is the confirmation that the downloaded code is original and hasn’t been tampered with. The user now has the green light to proceed with the installation.

Of course, all these checks are happening in a matter of seconds in the background so that the user doesn’t have to wait for ages. But what if your code has been replaced by a malicious one, thus making it so the two digests don’t match? The user will be automatically alerted and, if they’re clever, they’ll abort the installation.
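The signing step (hash and encrypt) and verification steps 2 to 4 above, as an added example that is not from the original article. It assumes OpenSSL, SHA-256 as the hash function, a throwaway key and a constructed sample file; the function names are hypothetical, and the key file names follow step 2.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Throwaway key and constructed
# sample file only; function names are illustrative.
set -u
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT          # do not leave the private key behind
KEY="$WORKDIR/csprivatekey.key"
PUB="$WORKDIR/cspublickey.pem"

# Developer, step 2: private key, then the public key extracted from it.
make_keys() {
  openssl genrsa -out "$KEY" 3072 2>/dev/null
  openssl rsa -in "$KEY" -pubout -out "$PUB" 2>/dev/null
}

# Developer, step 3: hash FILE with SHA-256 and sign the digest with the
# private key (RSA PKCS#1 v1.5). The detached signature goes to FILE.sig.
sign_file() {
  openssl dgst -sha256 -sign "$KEY" -out "$1.sig" "$1"
}

# User, step 2: apply the public key to the signature to recover what was
# signed. The result is a DER DigestInfo; its last 32 bytes are the digest.
recovered_digest() {
  openssl pkeyutl -verifyrecover -pubin -inkey "$PUB" -in "$1.sig" |
    tail -c 32 | od -An -tx1 | tr -d ' \n'
}

# User, step 3: compute a fresh digest of the file as it was downloaded.
fresh_digest() {
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# User, step 4: compare the two digests.
check_file() {
  if [ "$(recovered_digest "$1")" = "$(fresh_digest "$1")" ]; then
    echo match
  else
    echo MISMATCH
  fi
}

# The same check done in one call, as a verifier would normally do it.
verify_file() {
  openssl dgst -sha256 -verify "$PUB" -signature "$1.sig" "$1" >/dev/null 2>&1
}

run_demo() {
  app="$WORKDIR/app.bin"
  make_keys
  printf 'constructed sample installer v1.0\n' > "$app"
  sign_file "$app"
  before="$(check_file "$app")"
  printf 'bytes appended after signing\n' >> "$app"   # simulate modification
  after="$(check_file "$app")"
  verify_file "$app" && api=valid || api=invalid
  echo "untouched=$before tampered=$after openssl_verify=$api"
}

run_demo
```

The digest recovered from the signature never changes, so any modification of the file shows up as a mismatch against the freshly computed digest. This covers integrity only; a real verifier also validates the certificate chain and time stamp, which this example leaves out.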

A basic illustration that shows how code signing works from a user's perspective (i.e., what happens on their end through their device clients)
Image caption: The graphic shows how a signed code is validated before installation.

There we go! You’ve just learned how to sign code and how code signing works from a user’s perspective. That wasn’t too difficult, right? Now that you aren’t a code signing newbie anymore, let me show you some tricks to make your signature even more effective and secure.

Expert Tips: Code Signing Best Practices

Did you include code signing in your development process? Now it’s time to take it to the next level by following a few best practices. Why do you need them? Because, like everything else, private keys can be stolen. How? MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC) explains the attack process very well. Once your keys are stolen, the drivers you’ve just published can be replaced with malicious ones, as happened recently to NVIDIA.

So, what can you do to keep your key pairs safe then?

  • Keep access to your private keys to the minimum. Ensure that only the developers working on codes to be signed have access to the private keys used for the code signing process. No one else.
  • Keep the test and release signing environment separated. By doing this, you’ll limit the exposure of your private keys to a smaller group of developers and users. You can even sign your test code with a self-signed certificate in your test environment. While this approach won’t cost you anything extra (because you’re creating your own internal certificates instead of buying publicly trusted ones), be sure to use it exclusively within a testing environment to avoid creating security risks. For external applications, like on your production server, you need to use a publicly trusted certificate.
  • Protect your keys by storing them in a cryptographic hardware security module (HSM) or token. If you have used multifactor authentication with hardware tokens before, you should be familiar with security tokens. Examples include smart cards or USB devices. An HSM, on the other hand, is typically a hardware network appliance that provides an additional layer of security to the most sensitive cryptographic data by generating and storing your keys in a secure, isolated environment.
  • Double-check your code. Always double-check your code before signing it. Scan it for viruses and malware in general, test it to identify bugs, and review it thoroughly.
  • Don’t sign all your codes, scripts, and executables with the same key and certificate. As we said before, keys get lost and stolen. Maybe it won’t happen to you, but if it does and you signed your whole organization’s codes and executables with just one key and certificate, then you’re in for a world of hurt. Use different certificates and keys depending on what you’re signing. For example, use a simple OV certificate for non-critical codes, and sign your most important executables and drivers (though not Microsoft kernel drivers) with the more secure EV certificate. This will help you keep costs down. Mix and match, select! This is the key.

Hungry for more? Check out our additional selection of code signing best practices.

Where Is the Code Signing Process Used?

Decades ago, every piece of software sold in physical stores was carefully packaged and sealed to guarantee its authenticity and integrity. Now that the majority of software applications are downloaded and sold online, the physical seal has been replaced by the code signing certificate. Code signing is therefore used for:

  • Microsoft Windows applications and patches. From any type of executable file to macros or drivers. Do you want to sign Microsoft kernel-mode drivers? In this case, you’ll have to follow Microsoft’s own process.
  • Jar files. Java applets are also signed with the support of the JarSigner tool included with the Java Development Kit (JDK). 
  • Adobe files. Files like .air or .airi and Adobe applications must be signed with a code signing certificate or the users won’t be able to install them on their devices.
  • Apps published on trusted app stores. All apps and software distributed on the iOS AppStore, Google Play Store, and iTunes Store will have to be signed. However, they all require a specific ID and code signing certificate issued by each store.

Lastly, there are also containers, XML files, firmware — you name it. I could go on and on, but I guess you got it by now: any software, executable, or code should be signed. Why? This is what we’re going to discuss next.

The Benefits of Signing Your Code

Is code signing really that important? Well, yes, it is. Some time ago, a friend of mine bought a desktop online. The item was advertised as brand new and original. When he received it, though, my friend noticed that the seal on the box was broken. He opened the box and instead of the desktop he paid for, he found an empty case containing a pile of bricks.

The same can happen with software. Without a code signing certificate, your customers won’t necessarily risk getting bricks. However, at best, the software they download might be infected, creating the worst-case scenario of downloading malware. In any case, they’ll get a big, ugly warning message like the one in the screenshot below:

A screenshot of the Microsoft Defender SmartScreen warning message that warns users that an "Unknown Publisher" created the unrecognized app and that it might have security risks.
Image caption: The screenshot shows Windows Defender SmartScreen’s unknown publisher warning message popping up when attempting to download and install an unsigned code.

Seeing that kind of warning message is enough to prevent most customers from downloading the executable.

A screenshot of a Windows User Account Control (UAC) message that displays an organization's verified publisher information
Image caption: Microsoft’s User Account Control window popping up in case of code signed software. As you can see, it clearly shows the name of the publisher.

On the other hand, when your software is signed with a code signing certificate, your customers will either be able to install it without any warning at all (with an extended validation, or EV, code signing certificate) or will see a much more reassuring pop-up requesting their permission but also showing the details of the organization that published the software. This is because EV code signing certificates are trusted automatically by Microsoft browsers and operating systems. OV code signing certificates have to organically gain trust over time.

Isn’t this much more reassuring?

In addition, code signing will give you and your customers an additional plethora of benefits.

Enhance Your Customers’ Trust as Well as Your Download Numbers and Overall Revenue

Let me explain this by giving you a real-life example of how code signing works with regard to increasing consumer trust and purchases or downloads. A few years ago, one of my ex-colleagues decided to create a cheaper, local alternative to Netflix. Therefore, he launched his very own on-demand streaming service platform.

I remember one day when I asked him how it was progressing, he was complaining about the meager download numbers. He couldn’t understand the reason why considering the platform had quite a lot of interesting Indie movies. I offered him to check it out and let him know my feedback. That night I tried to download the app and guess what? The infamous warning message “unknown publisher” popped up. No wonder no one was using it! He didn’t sign his code!

Did you know what happened when he released a new, properly signed version of the app? The number of downloads dramatically increased and so did the number of subscriptions. Some customers were so happy with it that they even suggested it to their friends and family. See? It works even for small companies and individuals.

Increase Your Organization’s Reputation and Validate the Integrity of Your Code 

As we learned earlier while going through the steps of the code signing process, the digest created when the code was signed and the digest computed by the user’s operating system are compared to check that the code hasn’t been tampered with. This will reassure your customers and, at the same time, reduce the risk of program corruption and malicious modification.

Increase your security by offering code integrity validation and authentication. Prove to your users that your code can’t be altered without proper authorization and see your reputation grow.

Provide a Hassle-Free and Secure Customer Experience

Don’t you just hate all those security warning pop-ups, or when you have to click on different windows just to install a simple app? I do. When I see those annoyances, I immediately interrupt the download and move on to another website. And guess what? Your customers hate them, too!

Minimizing security warnings and installation failures will help you ensure a smooth, worry-free customer experience. Digitally sign your software and make your download experience as easy as one-two-three while also keeping your code secure.

Use the Code signing Process With All Major Operating Systems

Yup, the code signing process works on basically all platforms:

As previously discussed, you’ll need a specific code certificate in some cases, but code signing does work and is quickly becoming the standard. By the way, did you know that even Firefox browser extensions must be code signed by Mozilla following a specific process?

Final Thoughts on How Code Signing Works

Isn’t it amazing how a small string of data can make such a big difference in the digital world? Signing your executables, scripts, and software with a code signing certificate will boost customers’ trust and take your organization’s security to the next level. But how does code signing work? The quick “TL;DR” overview is as follows:

  • Generate a private-public key pair,
  • Get a certificate,
  • Hash your code, and
  • Append your certificate to build your signature.

That’s it, you’re done! From now on, your customers will know that your products come from a trusted source and that they haven’t been modified since you signed them.

Do you want to give it a try? Don’t miss the second part of this article series where we’ll show you how to sign an executable. Get ready to provide your customers with a reassuring beam of light in the digital world where malware lurks in every corner.
