Code signing 101: Why developers need digital certificates for applications
Code signing does two things: it identifies the publisher of the software (the holder of the signing key, whose identity a certificate authority has vetted) and it lets anyone who receives the code detect whether it has been altered since it was signed. Both are essential for earning customers' trust and for distributing your software safely.
Why does code signing matter?
556 million adults worldwide experienced some form of cybercrime in 2012, according to the Symantec Internet Threat Security Report. When you consider that the average loss per cybercrime incident is $197, it is no wonder people are extremely careful about downloading executable files from the internet. That said, it is worth doing whatever it takes to gain their trust: online distribution means you can ship software updates faster, you broaden your potential customer base and you cut costs considerably, since there is no postage and no discs or packaging to manufacture. Providing verifiable proof that you, the author of the code, are who you say you are and that your code has not been altered since you signed it is therefore a no-brainer (a signature vouches for origin and integrity, not for what the code does). In fact, many third-party publishers and mobile network providers now insist on code signing to protect their users.
So, how does code signing work?
Code signing uses the same public-key infrastructure (PKI) as SSL/TLS certificates: a pair of cryptographic keys, one private and one public. You generate the key pair yourself and keep the private key secret, ideally in a hardware token or HSM so it cannot be copied, because anyone who holds it can sign code in your name. Only the public key goes to a trusted certificate authority (CA), such as Symantec, in a certificate signing request. The CA takes you through an authentication process to verify your identity and then issues a code signing certificate that binds your public key to your verified name; the CA never holds your private key. Your choice of CA is important because a platform only accepts signatures that chain to a root it already trusts, so it can affect how far you are able to distribute your software. Symantec, for example, provides certificates for a wide range of desktop and mobile platforms, including Windows Phone and Android.
Getting from A to B
You then sign your executable file or software library with your private key. The signing tool computes a cryptographic hash of the file and signs that hash; the signature is embedded in or shipped alongside the file together with your certificate, which chains back to the CA's root certificate. Those root certificates are preinstalled in the trust stores of most operating systems and browsers. When a user downloads the file, the operating system or browser checks that your certificate chains to a trusted root and is valid for code signing, recomputes the hash of the downloaded file and verifies the signature against the public key in your certificate. If the code has been tampered with after signing, the recomputed hash no longer matches the signed one, verification fails and the user sees a warning (or the installation is blocked). If the code is intact, the verified publisher name is shown and the file installs without a warning. It's as simple as that.
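The whole flow, as an added example written for this page in Go using only the standard library (it is not code from the original article or from Symantec, and the helpers issue, SignFile and VerifyFile are illustrative, not any real signing tool's API). A constructed root CA stands in for a preinstalled trust-store root, a publisher generates its own key pair and receives a code-signing certificate for the public half, and a constructed stand-in for an executable is signed. Verification is then run three times: on the intact file, on the file with one bit changed after signing, and on a correct signature made under a certificate from a CA the user does not trust. All names and the sample bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sentinel errors so a caller can tell the two failure modes apart.
var ErrUntrustedChain = errors.New("certificate does not chain to a trusted code-signing root")
var ErrBadSignature = errors.New("signature does not match the file contents")

// newTemplate is a constructed certificate template: a root CA when isCA is set, otherwise a
// publisher certificate carrying the code-signing EKU that a verifier insists on.
func newTemplate(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	return t
}

// issue models enrolment: the subject generates its own key pair and only the public half is
// certified by the issuer (self-signed when parent is nil). The private key never leaves the
// subject; in practice the public key travels to the CA in a certificate signing request.
func issue(tmpl, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, issuerKey = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey))
	return key, must(x509.ParseCertificate(der))
}

// SignFile is the publisher's step: hash the file and sign the digest with the private key.
func SignFile(file []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(file)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyFile is the user's step: check that the publisher certificate chains to a trusted root
// and is valid for code signing, then recompute the SHA-256 digest of the file and check the
// signature against the public key in that certificate. A file altered after signing fails.
func VerifyFile(file, sig []byte, cert *x509.Certificate, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedChain, err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, file, sig); err != nil {
		return ErrBadSignature
	}
	return nil
}

// RunScenario walks the whole flow with constructed keys and a constructed stand-in executable
// and returns the verification result of each case (nil means accepted).
func RunScenario() (intact, tampered, unknownCA error) {
	caKey, caCert := issue(newTemplate("Example Root CA", true), nil, nil)
	roots := x509.NewCertPool() // stands in for the trust store shipped with the OS or browser
	roots.AddCert(caCert)
	pubKey, pubCert := issue(newTemplate("Example Software Ltd", false), caCert, caKey)
	exe := []byte("MZ\x90\x00 constructed stand-in for an executable")
	sig := must(SignFile(exe, pubKey))
	altered := append([]byte(nil), exe...)
	altered[len(altered)-1] ^= 0x01 // one bit changed after signing
	// A correct signature under a certificate from a CA the user does not trust must fail too.
	rogueCAKey, rogueCA := issue(newTemplate("Rogue CA", true), nil, nil)
	rogueKey, rogueCert := issue(newTemplate("Impostor Ltd", false), rogueCA, rogueCAKey)
	rogueSig := must(SignFile(exe, rogueKey))
	return VerifyFile(exe, sig, pubCert, roots),
		VerifyFile(altered, sig, pubCert, roots),
		VerifyFile(exe, rogueSig, rogueCert, roots)
}

// must panics on setup errors; nothing in the scenario is meaningful without a working setup.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	intact, tampered, unknownCA := RunScenario()
	fmt.Printf("intact: %v\ntampered: %v\nunknown CA: %v\n", intact, tampered, unknownCA)
}
```

Note the order of checks in VerifyFile: the chain is checked before the signature, so a perfectly valid signature from a key that no trusted CA has certified is rejected without ever looking at the file. Real signing formats (Authenticode, JAR signing, Android APK signing) wrap the same two steps in their own container formats and add a signed timestamp so the signature stays valid after the certificate expires.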