Developers and software publishers use Code Signing Certificates to attach a unique digital signature to applets, plug-ins, macros and other executable files before publishing them. Operating systems, software applications, devices, and mobile networks look for a trusted digital signature to authenticate the source of the code and confirm its integrity.
The Enrollment Process
When you apply for Code Signing Certificate, you generate a private/public key pair and submit the public portion with documentation to prove your identity. Once certificate authority authenticates and verifies the information, we issue a Code Signing Certificate containing your full organizational name and your public key. It can be used to digitally code sign and content during the certificate’s validity period.Deploying and Trusting Signed Code
- A publisher or developer signs a file using the Code Signing Certificate.
- A digital signature is attached to the file and a hash mark is created.
The content is published to website or mobile network or otherwise made available. - A user downloads or encounters the code. The user’s system software or application uses a public key to decrypt the signature.
- The hash used to sign the code is compared to the hash on the downloaded code. A mismatch generates an error, prevents download, or allows it, depending on the platform, application, and client security settings.
Root Certificates
A certificate’s trustworthiness depends on confidence in the identity of the organization that issued it. When software decrypts the digital signature, it looks for a “root” certificate, the source of the identity information. A self-signed digital certificate means that you own your own root certificate and are vouching for your own identity, although your own root certificate is unlikely to be present in the user’s browser or operating system. In contrast, established certificate authorities, such as Thawte and VeriSign, are well known and trusted by operating systems, software and device vendors.
