Code Signing For Individual Developers

by Roopesh Shenoy on Dec 19, 2011

Code Signing is a mechanism that lets software users decide whether to trust executable code published on the internet before downloading and running it. Until now, this was practically beyond the reach of the individual developer because of the costs and processes involved. However, some stores are now offering Thawte code-signing certificates for individual developers for $99 per year.

A digital signature does not guarantee that code is free of malicious behavior; it guarantees only that the code has not been modified by anyone other than the original author. Tim Heuer has written a blog post outlining the process of getting a certificate and some points to keep in mind. Thawte provides 5 different types of certificates targeting different code signing implementations: Authenticode, Office/VBA, Java, Adobe AIR and Mac. Using Authenticode certificates, you can even sign Silverlight applications that need to run out-of-browser or install locally.

How does Code Signing work? Code Signing combines private/public key pairs with one-way hash functions computed over the code. The software publisher signs their executable with their private key, and the end user verifies it using the publisher's public key. The Certification Authority in turn signs the publisher's public key with its own private key. Since the Certification Authorities are trusted by most Operating Systems, the users trust your public key and hence your executable. A more detailed explanation about how this works is provided by Scott Corley.
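The two-link check described above (CA vouches for the publisher's key, publisher's key vouches for the code) can be traced in a short sketch. This is an added example, not code from the article or from any CA: it swaps in Lamport one-time hash-based signatures so it runs on the Python standard library alone, whereas real Authenticode signing uses X.509 certificates with RSA or ECDSA; all names and the sample bytes are constructed.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return priv, [(H(a), H(b)) for a, b in priv]

def bits(digest: bytes):
    return [(byte >> i) & 1 for byte in digest for i in range(8)]

def sign(priv, message: bytes):
    # Reveal one secret per bit of the message hash (a key must sign only once).
    return [priv[i][b] for i, b in enumerate(bits(H(message)))]

def verify(pub, message: bytes, sig) -> bool:
    picks = bits(H(message))
    return len(sig) == 256 and all(H(s) == pub[i][picks[i]] for i, s in enumerate(sig))

def cert_body(name: str, pub) -> bytes:
    return name.encode() + b"\x00" + b"".join(a + b for a, b in pub)

def issue_cert(ca_priv, name: str, pub):
    # The CA binds a publisher name to a public key by signing both together.
    return {"name": name, "pub": pub, "ca_sig": sign(ca_priv, cert_body(name, pub))}

def verify_download(trusted_ca_pub, cert, code: bytes, code_sig) -> bool:
    # End-user check: first the CA's signature on the key, then the key's on the code.
    chain_ok = verify(trusted_ca_pub, cert_body(cert["name"], cert["pub"]), cert["ca_sig"])
    return chain_ok and verify(cert["pub"], code, code_sig)

def demo():
    ca_priv, ca_pub = keygen()        # ca_pub stands in for the OS trust store
    dev_priv, dev_pub = keygen()      # publisher's key pair
    cert = issue_cert(ca_priv, "Example Dev", dev_pub)   # constructed name
    code = b"constructed installer bytes"
    sig = sign(dev_priv, code)
    rogue_ca_priv, _ = keygen()       # issuer the user does not trust
    rogue_priv, rogue_pub = keygen()
    rogue_cert = issue_cert(rogue_ca_priv, "Example Dev", rogue_pub)
    return {
        "genuine": verify_download(ca_pub, cert, code, sig),
        "tampered": verify_download(ca_pub, cert, code + b"\x90", sig),
        "untrusted_issuer": verify_download(ca_pub, rogue_cert, code, sign(rogue_priv, code)),
    }
```

Calling `demo()` shows that a modified file and a certificate from an issuer outside the trust store both fail, while nothing in the check says anything about what the genuine code does when run.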

Alternatives to using a Certification Authority include distributing the public key yourself (either as a download or through an installer) or employing private certification authorities for large but controlled deployments (such as internal users of a large company). Also, on newer platforms such as Android or iOS, it is sufficient and even typical to self-sign applications.