{"id":7615,"date":"2022-07-20T10:41:36","date_gmt":"2022-07-20T18:41:36","guid":{"rendered":"https:\/\/cheapsslsecurity.com\/blog\/?p=7615"},"modified":"2022-07-20T10:41:39","modified_gmt":"2022-07-20T18:41:39","slug":"a-primer-on-how-code-signing-works","status":"publish","type":"post","link":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/","title":{"rendered":"A Primer on How Code Signing Works"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Author identity authentication and software data integrity verification are what code signing is about. Maybe you\u2019re already using it, but do you know how code signing works? Join us in a behind-the-scenes tour and explore the amazing wonders of the code signing process<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In 2021, Malwarebytes detected nearly <a href=\"https:\/\/www.malwarebytes.com\/resources\/malwarebytes-threat-review-2022\/mwb_threatreview_2022_ss_v1.pdf\">200 million Windows malware threats<\/a>. How can you protect your customers and your products from malware infection in a world where anyone can upload malicious scripts or codes anywhere on the web? By using a process known as code signing, which involves using a <a href=\"https:\/\/cheapsslsecurity.com\/blog\/ev-code-signing-vs-regular-code-signing\/\">code signing certificate<\/a>. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Signing your code with a code signing certificate is akin to using the passport issued by your country\u2019s government while traveling. Attaching your digital signature to your code helps you:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Assert your organization\u2019s digital identity,<\/li><li>Guarantee the integrity of your software and executables, and<\/li><li>Prevent fraudulent usage of your brand and software.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">But do you know how code signing works? 
In this first article of a two-part series, you\u2019ll discover everything you need to know about the code signing process to do your job:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>How code signing works for you as a developer and for your users,<\/li><li>Where code signing is used,<\/li><li>Code signing best practices you can put to use.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Reclaim ownership of your code now! Learn how a code signing certificate can protect it from attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Does Code Signing Work? A Step-by-Step Guide to Code Signing &amp; Signature Verification<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s start by exploring how to sign code using the code signing 
process.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>How to Sign Code in 5 Steps<\/strong><\/td><td><strong>Details<\/strong><\/td><\/tr><tr><td><strong>1. Select Your Preferred Code Signing Certificate<\/strong><\/td><td>Extended validation (EV) code signing certificate. Organization validation (OV) code signing certificate. (Some CAs offer individual validation certificates, or what are known as IV code signing certificates.)<\/td><\/tr><tr><td><strong>2. Generate a Private-Public Key Pair<\/strong><\/td><td>To get a code signing certificate, you\u2019ll have to send your public key to the certificate authority together with your certificate signing request (CSR).<\/td><\/tr><tr><td><strong>3. Hash Your Code and Encrypt It<\/strong><\/td><td>Run your code through a one-way hash function (i.e., something that\u2019s too impractical to reverse), and encrypt its digest.<\/td><\/tr><tr><td><strong>4. Add a Time Stamp<\/strong><\/td><td>Add the exact time and date when you sign your code.<\/td><\/tr><tr><td><strong>5. Sign Your Software<\/strong><\/td><td>Combine the digest, the code signing certificate, and the hash function.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This is what happens on the end user&#8217;s side of things in the code signing verification process (we&#8217;ll talk about this a little later).<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Code Signing Verification Process<\/strong><\/td><td><strong>Details<\/strong><\/td><\/tr><tr><td><strong>1. The User Clicks on Your Code\u2019s Download Button<\/strong><\/td><td>The installation process begins.<\/td><\/tr><tr><td><strong>2. The Code\u2019s Digital Signature Is Decrypted and the Digital Signature Is Authenticated<\/strong><\/td><td>The user\u2019s operating system: Decrypts the digital signature created by the developer using the public key. 
Checks the authenticity of the digital signature.<\/td><\/tr><tr><td><strong>3. A New Hash Digest Is Created<\/strong><\/td><td>The user\u2019s operating system creates a new digest.<\/td><\/tr><tr><td><strong>4. The Two Digests Are Compared on the Backend of the User\u2019s Device<\/strong><\/td><td>The operating system\u2019s generated digest is compared with the one it decrypted at the beginning. If the two match, then it means the software hasn\u2019t been modified.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Alright, let&#8217;s get right to it: here&#8217;s how code signing works.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Select Your Preferred Code Signing Certificate<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Do you want to get rid of the Windows Defender SmartScreen\u2019s unknown publisher warning message for good? Go with the extended validation code signing certificate. Are you looking for a cheaper solution? Then the organization validation code signing certificate is the one for you. This will allow your verified digital identity to appear in the Windows User Account Control (UAC) window, but it won\u2019t stop the Windows Defender SmartScreen from popping up because Windows OS and browsers won\u2019t automatically trust it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Trust has to be earned organically over time for OV code signing certificates (instead of automatically being given like it is with EV code signing certificates).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Check out a summary of the differences between the two in the table below:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Features<\/strong><\/td><td><strong>Extended Validation (EV) Code Signing Certificate<\/strong><\/td><td><strong>Organization Validation (OV) Code Signing Certificate<\/strong><\/td><\/tr><tr><td><strong>Instant recognition by Windows Defender SmartScreen. 
No unknown publisher warning message will be shown.<\/strong><\/td><td>Yes.<\/td><td>No. Your reputation with Windows Defender SmartScreen will be built organically, which takes time.<\/td><\/tr><tr><td><strong>Two-factor authentication with an encrypted hardware token is required to sign the code.<\/strong><\/td><td>Yes.<\/td><td>No. The certificate is stored in an encrypted file on the developer\u2019s computer. The same file can be used by other developers to sign their codes.<\/td><\/tr><tr><td><strong>Can be used to sign Windows 10 drivers.<\/strong><\/td><td>Yes.<\/td><td>No.<\/td><\/tr><tr><td><strong>Can be used on any platform and browser<\/strong><\/td><td>Yes.<\/td><td>Yes.<\/td><\/tr><tr><td><strong>Can be used to sign drivers with Microsoft Authenticode.<\/strong><\/td><td>Yes.<\/td><td>Yes.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If you decided to go for an OV code signing certificate, until around Nov. 15, 2022, you&#8217;ll have to generate a certificate signing request (CSR). (After Nov. 15, this process <a href=\"https:\/\/cabforum.org\/wp-content\/uploads\/Baseline-Requirements-for-the-Issuance-and-Management-of-Code-Signing.v2.8.pdf\">goes away<\/a>.) This will have to be added to your order form before sending it to the Certificate Authority (CA). To do so, you can use:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/knowledge.digicert.com\/solution\/SO29005.html\">Windows MMC Console<\/a>, or <a href=\"https:\/\/gist.github.com\/mohanpedala\/468cf9cef473a8d7610320cff730cdd1#generate-a-private-key-and-a-csrcertificate-signing-request-\">OpenSSL <\/a>.<\/li><li>A browser-based <a href=\"https:\/\/cheapsslsecurity.com\/ssltools\/csr-generator.php\">CSR Generator Tool<\/a>. You don\u2019t know how to use it? 
Follow our simple <a href=\"https:\/\/cheapsslsecurity.com\/blog\/csr-how-to-generate-private-key-from-certificate\/\">instructions<\/a>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"837\" height=\"480\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-ov.png\" alt=\"A basic illustration that shows how code signing works for organization validation certificates (prior to November 2022)\" class=\"wp-image-7619\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-ov.png 837w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-ov-300x172.png 300w\" sizes=\"(max-width: 837px) 100vw, 837px\" \/><figcaption> <em>Image caption: The graphic shows the actual process to follow to request an OV code signing certificate.<\/em> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Note: After Nov. 15, 2022, the process will change. OV requestors <a href=\"https:\/\/cabforum.org\/2022\/04\/06\/ballot-csc-13-update-to-subscriber-key-protection-requirements\/\">won\u2019t need to generate a CSR anymore<\/a>. Instead, they\u2019ll have to follow a process similar to the one used by customers requesting an EV code signing certificate. (More on that momentarily.) OV certificates will also be delivered on a hardware token after that date.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"836\" height=\"479\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-ov-after-nov-2022.png\" alt=\"A basic illustration that shows how code signing works for organization validation certificate after new industry changes roll out Nov. 
14 and 15 (depending on your geographic location).\" class=\"wp-image-7620\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-ov-after-nov-2022.png 836w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-ov-after-nov-2022-300x172.png 300w\" sizes=\"(max-width: 836px) 100vw, 836px\" \/><figcaption> <em>Image caption: This is how you&#8217;ll have to request an OV code signing certificate from Nov. 15, 2022, onward.<\/em> <\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2. Generate a Private-Public Key Pair<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As code signing is based on <a href=\"https:\/\/cheapsslsecurity.com\/blog\/what-is-the-rsa-algorithm-a-look-at-rsa-encryption\/\">asymmetric encryption<\/a>, you\u2019ll need a <a href=\"https:\/\/cheapsslsecurity.com\/blog\/private-key-and-public-key-explained\/\">public and a private key pair<\/a>. Generating them with OpenSSL is pretty easy:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Open a terminal window and run the following command to generate your RSA private key: <em>openssl genrsa -out csprivatekey.key 3072<\/em>. (The minimum key size for code signing certificates is 3072 bits as of June 2021.) For this example, we named the key file \u201ccsprivatekey.key\u201d.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"973\" height=\"581\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/code-signing-private-key-cmd-prompt-shadow.png\" alt=\"A screenshot from the Windows Command Prompt that shows how to generate a private key. 
\" class=\"wp-image-7621\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/code-signing-private-key-cmd-prompt-shadow.png 973w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/code-signing-private-key-cmd-prompt-shadow-300x179.png 300w\" sizes=\"(max-width: 973px) 100vw, 973px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Now you can extract your public key with: <em>openssl rsa -in csprivatekey.key -pubout -out cspublickey.pem<\/em><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"973\" height=\"581\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/code-signing-public-key-cmd-prompt-shadow.png\" alt=\"A screenshot from the Windows Command Prompt that shows how to extract a public key.\" class=\"wp-image-7622\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/code-signing-public-key-cmd-prompt-shadow.png 973w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/code-signing-public-key-cmd-prompt-shadow-300x179.png 300w\" sizes=\"(max-width: 973px) 100vw, 973px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Done! 
You can now send your public key to the CA, let them run the background check as per procedures, and wait to receive your code signing certificate.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"759\" height=\"442\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-request-ev-shadow.png\" alt=\"A basic illustration that shows how code signing works with regard to extended validation certificates\" class=\"wp-image-7623\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-request-ev-shadow.png 759w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-request-ev-shadow-300x175.png 300w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><figcaption> <em>Image caption: The graphic shows how you can request an EV code signing certificate from a certificate authority.<\/em> <\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">3. Hash Your Code and Encrypt It<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Did you finally receive your new code signing certificate? Great! Let\u2019s start hashing! How? You basically just run your precious code through a <a href=\"https:\/\/cheapsslsecurity.com\/blog\/decoded-examples-of-how-hashing-algorithms-work\/\">one-way hash function<\/a> (i.e., it virtually can\u2019t be reversed because it requires too many resources and too much time). The output will be a fixed-length alphanumeric string called a digest, which is then encrypted using your private key. This means that everyone will be able to access the code, but any tampering will be detected because the digests will no longer match.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Add a Time Stamp<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Time stamping adds the exact time and date when you sign your code. It also helps you avoid displaying error messages when your certificate eventually expires because, so long as the certificate was valid when the code was signed, the software will continue being recognized as authentic.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Sign Your Software<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Now you have everything you need to create your personal, unique digital signature block. Combine:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The digest,<\/li><li>The code signing certificate, and<\/li><li>The hash function<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">and add the newly created signature block to your code or executable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Isn&#8217;t that great? In five simple steps (four if you skipped time stamping), you&#8217;ve now reclaimed ownership of your code and protected your users from accidentally downloading malware-infected software. Now, you, as a developer, have done your bit.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"761\" height=\"407\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-breakdown.png\" alt=\"Code signing process graphic: A basic overview of how code signing works\" class=\"wp-image-7624\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-breakdown.png 761w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-breakdown-300x160.png 300w\" sizes=\"(max-width: 761px) 100vw, 761px\" \/><figcaption> <em>Image caption: The graphic shows the steps a developer has to follow to sign code once they have acquired a code signing certificate.<\/em> <\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How Code Signing Signature Verification Works<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Okay, so, we\u2019ve 
completed the run-through of how code signing works on the developer\u2019s end. So, how does code signing work on the user\u2019s end when they attempt to download the code you\u2019ve just signed?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. The User Clicks on Your Code\u2019s Download Button<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You\u2019ve now published your latest executable. A user notices it and clicks on the download button. Once downloaded, the installation process begins.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. The User&#8217;s Client Decrypts and Authenticates the Digital Signature<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Before starting with the installation, the user\u2019s operating system does the following to the code&#8217;s digital signature:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Decrypts the digest created by the developer (remember step three of the signing process?) using the public key.<\/li><li>Checks to ensure that the digital signature created with the code signing certificate is authentic.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. The Client Generates a Hash Digest<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The user&#8217;s operating system creates a new digest using the same one-way hash function used by the developer in step three of the signing process.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. The Two Digests Are Compared on the Backend of the User\u2019s Device<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The operating system&#8217;s generated digest is compared with the one it decrypted at the beginning (step two above). Do they match? Great! This is the confirmation that the downloaded code is original and hasn&#8217;t been tampered with. The user now has the green light to proceed with the installation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Of course, all these checks are happening in a matter of seconds in the background so that the user doesn&#8217;t have to wait for ages. 
But what if your code has been replaced by malicious code, so that the two digests don\u2019t match? The user will be automatically alerted and, if they\u2019re clever, they\u2019ll abort the installation.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"759\" height=\"450\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-verification-user-shadow.png\" alt=\"A basic illustration that shows how code signing works from a user's perspective (i.e., what happens on their end through their device clients)\" class=\"wp-image-7625\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-verification-user-shadow.png 759w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-verification-user-shadow-300x178.png 300w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><figcaption> <em>Image caption: The graphic shows how signed code is validated before installation<\/em>. <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">There we go! You\u2019ve just learned how to sign code and how code signing works from a user\u2019s perspective. That wasn&#8217;t too difficult, right? Now that you aren\u2019t a code signing newbie anymore, let me show you some tricks to make your signature even more effective and secure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Expert Tips: Code Signing Best Practices<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Did you include code signing in your development process? Now it&#8217;s time to take it to the next level by following a few best practices. Why do you need them? Because, like everything else, private keys can be stolen. How? MITRE\u2019s Common Attack Pattern Enumeration and Classification (CAPEC) explains the <a href=\"https:\/\/capec.mitre.org\/data\/definitions\/206.html\">attack process<\/a> very well. 
Once your keys are stolen, the drivers you&#8217;ve just published can be replaced with malicious ones, as happened recently to <a href=\"https:\/\/blog.malwarebytes.com\/awareness\/2022\/03\/stolen-nvidia-certificates-used-to-sign-malware-heres-what-to-do\/\">NVIDIA<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, what can you do to keep your key pairs safe then?<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Keep access to your private keys to the minimum.<\/strong> Ensure that only the developers working on codes to be signed have access to the private keys used for the code signing process. No one else.<\/li><li><strong>Keep the test and release signing environments separated.<\/strong> By doing this, you&#8217;ll limit the exposure of your private keys to a smaller group of developers and users. You can even sign your test code with a self-signed certificate in your test environment. While this approach won&#8217;t cost you anything extra (because you\u2019re creating your own internal certificates instead of buying publicly trusted ones), be sure to use it exclusively within a testing environment to avoid creating security risks. For external applications, like on your production server, you need to use a publicly trusted certificate.<\/li><li><strong>Protect your keys by storing them in a cryptographic hardware security module (HSM) or token.<\/strong> If you have used multifactor authentication with hardware tokens before, you should be familiar with security tokens. Examples include smart cards or USB devices. 
An HSM, on the other hand, is typically a hardware network appliance that provides an additional layer of security to the most sensitive cryptographic data by generating and storing your keys in a secure, isolated environment.<\/li><li><strong>Double-check your code.<\/strong> Always double-check your code before signing it. Scan it for viruses and malware in general, test it to identify bugs, and review it thoroughly.<\/li><li><strong>Don&#8217;t sign all your codes, scripts, and executables with the same key and certificate.<\/strong> As we said before, keys get lost and stolen. Maybe it won\u2019t happen to you, but if it does and you signed your whole organization\u2019s codes and executables with just one key and certificate, then you\u2019re in for a world of hurt. Use different certificates and keys depending on what you&#8217;re signing. For example, use a simple OV certificate for non-critical codes, and sign your most important executables and drivers (though not Microsoft kernel drivers) with the more secure EV certificate. This will help you keep costs down. Mix and match, select! This is the key.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Hungry for more? Check out our additional selection of <a href=\"https:\/\/cheapsslsecurity.com\/blog\/best-practices-for-code-signing-certificates\/\">code signing best practices<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Where Is the Code Signing Process Used?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Decades ago, every piece of software sold in physical stores was carefully packaged and sealed to guarantee its authenticity and integrity. Now that the majority of software applications are downloaded and sold online, the physical seal has been replaced by the code signing certificate. 
Code signing is therefore used for:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Microsoft Windows applications and patches.<\/strong> From any type of executable file to macros or drivers. Do you want to sign Microsoft kernel-mode drivers? In this case, you\u2019ll have to follow <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/install\/driver-signing\">Microsoft\u2019s own process<\/a>.<\/li><li><strong>Jar files.<\/strong> Java applets are also signed with the support of <a href=\"https:\/\/docs.oracle.com\/en\/java\/javase\/13\/docs\/specs\/man\/jarsigner.html\">the JarSigner tool<\/a> included with the Java Development Kit (JDK).&nbsp;<\/li><li><strong>Adobe files.<\/strong> Files like .air or .airi and Adobe applications <a href=\"https:\/\/www.oreilly.com\/library\/view\/adobe-air-15\/9780596156145\/ch01.html\">must be signed<\/a> with a code signing certificate or the users won\u2019t be able to install them on their devices.<\/li><li><strong>Apps published on trusted app stores.<\/strong> All apps and software distributed on the <a href=\"https:\/\/developer.apple.com\/support\/code-signing\/\">iOS AppStore<\/a>, <a href=\"https:\/\/developer.android.com\/studio\/publish\/app-signing#enroll\">Google Play Store<\/a>, and iTunes Store will have to be signed. However, they all require a specific ID and code signing certificate issued by each store.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Lastly, there are also containers, XML files, firmware \u2014 you name it. I could go on and on, but I guess you got it by now: any software, executable, or code should be signed. Why? This is what we\u2019re going to discuss next.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Benefits of Signing Your Code<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Is code signing really that important? Well, yes, it is. Some time ago, a friend of mine bought a desktop online. The item was advertised as brand new and original. 
When he received it, though, my friend noticed that the seal on the box was broken. He opened the box and instead of the desktop he paid for, he found an empty case containing a pile of bricks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The same can happen with software. Without a <a href=\"https:\/\/cheapsslsecurity.com\/blog\/what-is-code-signing-certificate-and-how-to-use-it\/\">code signing certificate<\/a>, your customers won&#8217;t necessarily risk getting bricks. However, the software they download might be infected, which, in the worst-case scenario, means downloading malware. In any case, they&#8217;ll get a big, ugly warning message like the one in the screenshot below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"761\" height=\"715\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/windows-defender-smartscreen-warning-unknown-publisher.png\" alt=\"A screenshot of the Microsoft Defender SmartScreen warning message that warns users that an &quot;Unknown Publisher&quot; created the unrecognized app and that it might have security risks. 
\" class=\"wp-image-7626\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/windows-defender-smartscreen-warning-unknown-publisher.png 761w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/windows-defender-smartscreen-warning-unknown-publisher-300x282.png 300w\" sizes=\"(max-width: 761px) 100vw, 761px\" \/><figcaption> <em>Image caption: The screenshot shows Windows Defender SmartScreen\u2019s unknown publisher warning message popping up when attempting to download and install an unsigned code.<\/em> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Seeing that kind of warning message is enough to prevent most customers from downloading the executable.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright size-full\"><img decoding=\"async\" width=\"531\" height=\"397\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/windows-user-access-control-verified-publisher.png\" alt=\"A screenshot of a Windows User Account Control (UAC) message that displays an organization's verified publisher information\" class=\"wp-image-7627\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/windows-user-access-control-verified-publisher.png 531w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/windows-user-access-control-verified-publisher-300x224.png 300w\" sizes=\"(max-width: 531px) 100vw, 531px\" \/><figcaption> <em>Image caption: Microsoft\u2019s User Access Control window popping up in case of code signed software. 
As you can see, it clearly shows the name of the publisher.<\/em> <\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">On the other hand, when your software is signed with a code signing certificate, your customers will either be able to install it without any warning at all (<a href=\"https:\/\/cheapsslsecurity.com\/blog\/ev-code-signing-vs-regular-code-signing\/\">extended validation<\/a>, or EV, code signing certificate) or will see a much more reassuring pop-up requesting their permission but also showing the details of the organization that published the software. This is because EV code signing certificates are trusted automatically by Microsoft browsers and operating systems. OV code signing certificates have to organically gain trust over time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Isn\u2019t this much more reassuring?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In addition, code signing will give you and your customers a plethora of additional benefits.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Enhance Your Customers&#8217; Trust as Well as Your Download Numbers and Overall Revenue<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Let me explain this by giving you a real-life example of how code signing works with regard to increasing consumer trust and purchases or downloads. A few years ago, one of my ex-colleagues decided to create a cheaper, local alternative to Netflix. Therefore, he launched his very own on-demand streaming service platform.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I remember one day when I asked him how it was progressing, he was complaining about the meager download numbers. He couldn&#8217;t understand why, considering the platform had quite a lot of interesting indie movies. I offered to check it out and give him my feedback. That night I tried to download the app and guess what? The infamous warning message \u201cunknown publisher\u201d popped up. 
No wonder no one was using it! <em>He didn\u2019t sign his code!<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Do you know what happened when he released a new, properly signed version of the app? The number of downloads dramatically increased and so did the number of subscriptions. Some customers were so happy with it that they even suggested it to their friends and family. See? It works even for small companies and individuals.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Increase Your Organization\u2019s Reputation and Validate the Integrity of Your Code<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As we learned earlier while going through the steps of the code signing process, the hash digest produced when the code was signed is compared with the hash computed by the user\u2019s operating system to check that the code hasn\u2019t been tampered with. This will reassure your customers and, at the same time, reduce the risk of program corruption and malicious modification.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Increase your security by offering code integrity validation and authentication. Prove to your users that any unauthorized change to your code will be detected and see your reputation grow.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Provide a Hassle-Free and Secure Customer Experience<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Don\u2019t you just hate all those security warning pop-ups, or when you have to click on different windows just to install a simple app? I do. When I see those annoyances, I immediately interrupt the download and move on to another website. And guess what? Your customers hate them, too!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Minimizing security warnings and installation failures will help you ensure a smooth, worry-free customer experience. 
Digitally sign your software and make your download experience as easy as one-two-three while also keeping your code secure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Use the Code Signing Process With All Major Operating Systems<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Yup, the code signing process works on basically all platforms:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Microsoft <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/appxpkg\/how-to-sign-a-package-using-signtool\">Windows<\/a>,<\/li><li><a href=\"https:\/\/developer.android.com\/studio\/publish\/app-signing\">Android<\/a>,<\/li><li><a href=\"https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_enterprise_linux\/8\/html\/managing_monitoring_and_updating_the_kernel\/signing-kernel-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel\">Linux<\/a>, and<\/li><li><a href=\"https:\/\/developer.apple.com\/support\/code-signing\/\">iOS<\/a>.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">As previously discussed, you&#8217;ll need a specific code signing certificate in some cases, but code signing does work and is quickly becoming the standard. By the way, did you know that even Firefox browser extensions <a href=\"https:\/\/support.mozilla.org\/en-US\/kb\/add-on-signing-in-firefox\">must be code signed by Mozilla<\/a> following a specific process?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts on How Code Signing Works<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Isn&#8217;t it amazing how a small string of data can make such a big difference in the digital world? Signing your executables, scripts, and software with a code signing certificate will boost customers&#8217; trust and take your organization&#8217;s security to the next level. But how does code signing work? 
The quick \u201cTL;DR\u201d overview is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Generate a private-public key pair,<\/li><li>Get a certificate,<\/li><li>Hash your code, and<\/li><li>Append your certificate to build your signature.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s it, you\u2019re done! From now on, your customers will know that your products come from a trusted source and that they haven\u2019t been modified since you signed them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Do you want to give it a try? Don\u2019t miss the second part of this article series where we\u2019ll show you how to sign an executable. Get ready to provide your customers with a reassuring beam of light in the digital world where malware lurks in every corner.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Author identity authentication and software data integrity verification are what code signing is about. Maybe you\u2019re already using it, but do you know how code signing works? Join us in a behind-the-scenes tour and explore the amazing wonders of the code signing process In 2021, Malwarebytes detected nearly 200 million Windows malware threats. 
How can<\/p>\n","protected":false},"author":8,"featured_media":7630,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[5],"tags":[21,421,286],"class_list":["post-7615","post","type-post","status-publish","format-standard","has-post-thumbnail","category-ssl-pki","tag-code-signing","tag-featured","tag-how-code-signing-works"],"yoast_head_json":{"title":"A Primer on How Code Signing Works","description":"Understanding how code signing works is integral to knowing how you can simultaneously secure your software and protect your reputation.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/","og_locale":"en_US","og_type":"article","og_title":"A Primer on How Code Signing Works","og_description":"Understanding how code signing works is integral to knowing how you can simultaneously secure your software and protect your reputation.","og_url":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/","og_site_name":"Savvy Security","article_publisher":"https:\/\/www.facebook.com\/cheapsslsecurities","article_published_time":"2022-07-20T18:41:36+00:00","article_modified_time":"2022-07-20T18:41:39+00:00","og_image":[{"width":1600,"height":1000,"url":"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-feature.jpg","type":"image\/jpeg"}],"author":"Savvy Security","twitter_card":"summary_large_image","twitter_creator":"@sslsecurity","twitter_site":"@sslsecurity","twitter_misc":{"Written by":"Savvy Security","Est. 
reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/#article","isPartOf":{"@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/"},"author":{"name":"Savvy Security","@id":"https:\/\/cheapsslsecurity.com\/blog\/#\/schema\/person\/1ce9a5743b7f25b5be6e4972864b4493"},"headline":"A Primer on How Code Signing Works","datePublished":"2022-07-20T18:41:36+00:00","dateModified":"2022-07-20T18:41:39+00:00","mainEntityOfPage":{"@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/"},"wordCount":3292,"image":{"@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/#primaryimage"},"thumbnailUrl":"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-feature.jpg","keywords":["Code Signing","featured","How Code Signing works"],"articleSection":["SSL &amp; PKI"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/","url":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/","name":"A Primer on How Code Signing Works","isPartOf":{"@id":"https:\/\/cheapsslsecurity.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/#primaryimage"},"image":{"@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/#primaryimage"},"thumbnailUrl":"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-feature.jpg","datePublished":"2022-07-20T18:41:36+00:00","dateModified":"2022-07-20T18:41:39+00:00","author":{"@id":"https:\/\/cheapsslsecurity.com\/blog\/#\/schema\/person\/1ce9a5743b7f25b5be6e4972864b4493"},"description":"Understanding how code signing works is integral to knowing how you can simultaneously secure your software and protect 
your reputation.","breadcrumb":{"@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/#primaryimage","url":"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-feature.jpg","contentUrl":"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/07\/how-code-signing-works-feature.jpg","width":1600,"height":1000,"caption":"feature image for cybersecurity represented as binary with a key lock on top"},{"@type":"BreadcrumbList","@id":"https:\/\/cheapsslsecurity.com\/blog\/a-primer-on-how-code-signing-works\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cheapsslsecurity.com\/blog\/"},{"@type":"ListItem","position":2,"name":"A Primer on How Code Signing Works"}]},{"@type":"WebSite","@id":"https:\/\/cheapsslsecurity.com\/blog\/#website","url":"https:\/\/cheapsslsecurity.com\/blog\/","name":"Savvy Security","description":"Practical cybersecurity advice","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cheapsslsecurity.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/cheapsslsecurity.com\/blog\/#\/schema\/person\/1ce9a5743b7f25b5be6e4972864b4493","name":"Savvy 
Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4e5539150b16b5af1d22136f03dedda89a96babb3e9b5ceb18c2bde4e1dcba57?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4e5539150b16b5af1d22136f03dedda89a96babb3e9b5ceb18c2bde4e1dcba57?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4e5539150b16b5af1d22136f03dedda89a96babb3e9b5ceb18c2bde4e1dcba57?s=96&d=mm&r=g","caption":"Savvy Security"},"description":"Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24\/7 security teams.","sameAs":["blogadmin"],"url":"https:\/\/cheapsslsecurity.com\/blog\/author\/blogadmin\/"}]}},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/posts\/7615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/comments?post=7615"}],"version-history":[{"count":0,"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/posts\/7615\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/media\/7630"}],"wp:attachment":[{"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/media?parent=7615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/categories?post=7615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapsslsecurity.com\/blog\/wp-json\/wp\/v2\/tags
?post=7615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}