Code Signing For Individual Developers

Posted by Roopesh Shenoy on Dec 19, 2011

Sections

Development

Topics

Code Signing ,

Security

Share |

RELATED Research

Code Signing is a mechanism for software users to trust executable code that is published on the internet before downloading and running it. Until now, this was practically beyond the reach of the individual developer, due to costs and processes involved. However, some stores are now offering Thawte code-signing certificates for individual developers for $99 per year. 

Using Digital Signatures does not guarantee against malicious activity – only that the code has not been modified by anyone other than the original author. Tim Heuer has written a blog post outlining the process of getting a certificate and some points to be kept in mind. Thawte provides 5 different types of certificates targeting different code signing implementations – Authenticode, Office/VBA, Java, Adobe AIR and Mac. Using Authenticode certificates, you can even sign Silverlight applications that need to run out-of-browser or install locally. 

How does Code Signing work? Code Signing works with private-public key pairs with one-way code hash functions. The software publisher signs their executable with their private key and asks the end user to verify it using a public key. The Certification Authority in-turn signs the publisher’s public key with their private key. Since the Certification Authorities are trusted by most Operating Systems, the users trust your public key and hence your executable. A more detailed explanation about how this works is provided by Scott Corley. 

Alternatives to using a Certification Authority include distributing the public key yourself (either as a download or through an installer) or employing private certification authorities for large but controlled deployments (such as internal users of a large company). Also on newer platforms such as Android or iOS it is sufficient and even typical to self-sign applications.