Code signing is the process of digitally signing code and binaries to ensure that they haven’t been tampered with and come from a trusted source. It can also be used to encrypt and decrypt data for transport over networks or stored in storage devices. Code signing is not limited to executables, but can also apply to scripts and other code types. There are interoperability issues across different executable formats, so not all systems can read all formats.
This guide is going to tell you everything that you need to know about code signing.
What are code signing certificates and why does my enterprise need them?
Code signing certificates are digital certificates that you use to identify yourself as the publisher of code or binaries.
The main component of any code signing certificate is a private key used for creating signatures and sometimes the ability to sign software updates over a period of time (i.e., used for authentication).
You sign your code using the private key and anyone with a copy of that certificate can verify that it is in fact you who published it by checking your digital signature against your public key, which is packaged with the code signing certificate. The main benefit of code signing certificates is that they ensure secure transport and storage of data and also secure communication with a third party over a network.
What do I need in order to get a code signing certificate?
In order to get a code signing certificate, you will need:
- A registered company name (D-U-N-S)
- DUNS Number (Data Universal Numbering System) is a unique nine-digit identification number assigned to your company by Dun & Bradstreet.
- A registered domain name (D-U-N-S)
- Virtual Private Network (VPN), or you can purchase code signing certificates for several years at a time, which will give you access to bulk pricing and volume licensing options
- Web hosting account
How do I use my code signing certificate?
There are several ways to use the code signing certificate:
- Download a Microsoft Authenticode signature tool from Microsoft’s website and sign your binaries with it. The advantage of using this method is that you can use the same certificate to sign other documents, but this will only work with Microsoft Windows.
- Use a third-party publisher certificate management tool. This is more efficient than using Microsoft’s Authenticode since it allows you to distribute multiple signed binaries for different platforms at once. The downside of this method is that you need to have a web hosting account in order to host the binaries.
- Use a third-party API to sign binaries programmatically. This is mostly used for signing scripts and other non-executable files, but it can also be used for applications similar to how Google uses API keys for services such as YouTube uploads. There are several third-party tools such as SignTool, 7-Zip (with the SFX module), and Axantum’s AxCrypt that can do this.
Where can I find more information about code signing certificates?
To learn more about code signing certificates we recommend reading the KeyFactors blog. You can learn about Keyfactor Code Assure and more.
We hope that you found this guide to be helpful. If there’s anything else we can do for you, please let us know!