We don’t think about it often, but we are constantly using, assessing, and making decisions about identity. What we buy when we are shopping – and even where we go to buy it – are choices and decisions we make based off the identity of those products and stores. When you are walking down the street, it’s fairly easy to identify a store. Popular chains like Walmart and McDonalds have unmistakable signs and aesthetics. You can walk into a McDonald’s anywhere in the world and recognize where you are.
But online identity is much trickier. Not only are there way more options, but the nature of the internet means that identity is harder to prove. The internet has made it easier than ever to distribute Software, which has made an endless number of tasks feasible and enjoyable. But it’s also opened up users to security risks – what if they are downloading a virus claiming to be useful software? Or what if the legitimate software has been modified to contain malware that secretly installs itself alongside the program?
If you have two. EXEs on your desktop, you can’t immediately spot the difference if one if is signed and the other is not. But when you try to run the program, your operating system will alert you.
When you run a signed executable, your operating system will tell you who has signed the code (and, if you are a curious user, you can see the certificate just like you can with SSL certificates in your web browser)
Code that is unsigned is treated as suspicious – because the operating system can’t make any guarantees about what it is or where it came from.
How Do Code Signing Certificates Keep Your Code Safe?
Code Signing Certificates use Digital Signatures to protect your code. These signatures are based on a private key that is unique to every Code Signing Certificate and only possessed by the certificate’s owner. Signing happens when executables are compiled before you distribute them. The digital signature is attached to the executable and provides a cryptographically verifiable proof of your identity.
When an end user runs your executable, the platform they are using (such as Windows, OS X, Android, Java, etc) reads the digital signature. The platform is able to analyze the signature, and the executable, to detect its authenticity. If there have been any changes made to either, it will warn the user.
This protects your signed code from unauthorized or malicious modification. Let’s look at a common example: someone with bad intentions downloads your software and modifies it to include malware. They then upload your application to a popular software site. Users who want to use your great software download that copy, not realizing it’s not the “official version.” When they run the code, the Code Signing’s digital signature will kick in.
If you have signed your code, your users will be protected. Their platform will warn them that there is a problem with the signature, and encourage them not to run it. If you didn’t sign your code… you have probably just doomed your user. They will be told that the software is unsigned, but that won’t give them any context to understand the code has been modified.
Since signing never occurred, the platform can’t detect if any modification was made. Only a digital signature added by a Code Signing can provide the necessary information to tell the platform, “Here is my software and here is what it contains. If it contains anything differently, do not run it!”
Domains can be registered by anyone, and servers can be set up in seconds. Scammers and malware distributors have been known to set up a new site minutes after being detected by web-safety programs like Google’s Safe Browsing.
Who Can Sign Code?
Anyone can sign code! Seriously. There are requirements, but as long as you can satisfy them you can sign your code for safe distribution.
After you purchase a Code Signing Certificate the next step is to apply for the certificate and go through the “validation” process. In this process your information will be confirmed by the Certificate Authority (CA) providing your Code Signing Certificate.
There are two main types of validation: Individual Validation, and Organization Validation.
Individual Code Signing Validation
If you are an independent developer, or want to distribute the code under your name (like “Sam Smith”, or “Nil Patel”) you will want to apply for Individual Code Signing Validation. In this process you will provide notarized copies of government issued IDs to prove your identity. There are also some other steps involved, which will vary slightly per CA. When applying for a certificate they will clearly explain what you need to provide.
Organization Code Signing Validation
If you are an organization and want to distribute the code under the organization’s name (like “Apparel Manufacturing Inc.” or “Quality Software GmbH”) you will want to apply for Organization Validation. This process requires you provide copies of your organization’s incorporation or registration. The CA will usually confirm this information directly with your country’s registration agency or companies house.
On average, the validation process takes less than a week. Once you have completed that process, the CA will provide you with your certificate. Then it’s time to start signing!
Every development environment has its own way of signing code. Visual Basic Studio, for instance, has dedicated options and software to sign your final executable for distribution. Consult the documentation for your development environment/software to see how they handle signing.
What Code Can I Sign?
Code Signing is used to sign executable software. The most common file formats that are signed include .exe, .dll, and .app. Let’s take a look at some of the common platforms and file types that you sign:
Microsoft Windows: On Windows, there are various types of Code Signing, including Microsoft’s Authenticode and Driver Signing. Microsoft has extensive documentation about signing on Windows, but your certificate provider should be able to answer any and all of your questions.
Java Applets: Java is a very powerful development platform that has been known for security risks that come as a cost of such power. While it’s not explicitly required to sign your Java Applets, it is encouraged. If you do not sign your Applets, users will receive a warning at runtime that the publisher of the code is unknown. This warning, which does not appear for signed code, may deter users and creates a suboptimal user experience.
Apple OS X: Depending on how you distribute your software, you may be required to sign, or just encouraged to. Not signing your software will present additional alerts and warning to the user – including prompting keychain access to make system modifications. This creates a clunky user experience.
If you want to distribute your software through Apple’s official OS X App Store, signing is mandatory.
Mobile Platforms: Most mobile platforms (like Android and iOS) require code signing to maintain platform security. Due to the immense amount of personal data stored on cell phones and tablets, these requirements protect end users.
Code Signing isn’t intended for code like .html or .js files. Remember… it’s for executables. We can’t cover every platform here, so check with the requirements of your distribution platform or end-user operating system requirements to see if you should be using Code Signing.
The Best Option for Identity
Code Signing Certificates have been widely used for years. But now they are becoming more popular than ever due to platform requirements. We are seeing platforms like app stores and official repositories requiring Code Signing because of its effectiveness in establishing identity and squashing software security threats.
Code Signing isn’t perfect – for instance, it can only tell end users about the identity and origin of the software. It can’t guarantee that software isn’t intentionally dangerous or problematic. However, digital signatures can be blocked, and when platform’s detect malicious software using digital signatures, they can report back and block those signatures for all users.
But there is simply no better solution for large-scale distribution of software. If you want to provide the optimal user experience, and squash application security problems in their tracks, start signing your code today.