Code signing 101: Why developers need digital certificates for applications

Created: 12 Feb 2014 • Updated: 12 Feb 2014
Andy Horbury

Code signing does two things: it confirms who the author of the software is and proves that the code has not been altered or tampered with after it was signed. Both are extremely important for building trust from customers and safely distributing your software.

Why does code signing matter?

556 million adults worldwide experienced some form of cybercrime in 2012, according to the Symantec Internet Threat Security Report. When you consider that the average loss per cybercrime incident is $197, it’s no wonder people are extremely careful about downloading executable files from the internet. Even so, it is worth doing whatever it takes to gain their trust: online distribution means you can ship software updates faster, reach a broader customer base and cut costs considerably, since there are no discs or packaging to manufacture and no postage to pay. Providing verifiable proof that you, as the author of the code, are who you say you are and that your code is in no way corrupted or malicious is therefore a no-brainer. In fact, many third-party publishers and mobile network providers now insist on code signing to protect their users.

So, how does code signing work?

The process for code signing is similar to that used for SSL certificates: a pair of cryptographic keys, one public and one private, is used to identify and authenticate both you and your code. The best and safest way to obtain a private key is by applying for a certificate from a trusted certificate authority (CA), such as Symantec, which will take you through an authentication process. Once you have your certificate, you can then generate your private key. Your choice of CA is important, as it can affect how widely you are able to distribute your software. Symantec, for example, provides certificates for a wide range of desktop and mobile platforms, including Windows Phone and Android.

Getting from A to B

You then sign your executable file or software library with this private key. The signature can only be verified with the matching public key, and your certificate ties that key back to the CA, whose root certificates are preinstalled in most browsers. If the code has been tampered with after signing, the public key will no longer verify your signature and the browser will flash up a warning to anyone trying to download it. If the code has remained intact, your file is delivered and downloaded seamlessly. It’s as simple as that.
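The round trip described in the last two sections, written out as an added example that is not code from the original post or from Symantec. It uses only Go's standard library: a constructed root CA and a constructed publisher certificate stand in for the real CA and the real certificate, and a short byte string stands in for the executable. Note the order the code follows, which is the order real certificate issuance follows as well: the key pair is generated on the publisher's side, and only the public key is certified by the CA. The downloader's side then makes the two checks the article describes, first that the publisher's certificate chains to a trusted root and is valid for code signing, then that the signature matches the bytes actually received. All names, serial numbers and the payload are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedArtifact is what a downloader receives: the file bytes, an RSA signature
// over their SHA-256 digest, and the publisher's certificate.
type SignedArtifact struct {
	Payload, Signature []byte
	Cert               *x509.Certificate
}

// newCertificate generates a key pair locally and has its public key certified by
// parent/parentKey, or self-signs it when parent is nil (our stand-in CA root).
// It panics on failure because it only builds the demo's constructed fixtures.
func newCertificate(name string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; a real CA issues unique random serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, // KeyUsage bits omitted for brevity
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return key, cert
}

// Sign hashes the file and signs the digest with the publisher's private key.
func Sign(key *rsa.PrivateKey, cert *x509.Certificate, payload []byte) (SignedArtifact, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedArtifact{}, err
	}
	return SignedArtifact{Payload: payload, Signature: sig, Cert: cert}, nil
}

// Verify is the downloader's side: the certificate must chain to a trusted root and be
// valid for code signing, then the signature must match the bytes actually received
// (CheckSignature re-hashes them, so any change after signing breaks the match).
func Verify(a SignedArtifact, roots *x509.CertPool) error {
	if _, err := a.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("publisher not traceable to a trusted CA: %w", err)
	}
	if err := a.Cert.CheckSignature(x509.SHA256WithRSA, a.Payload, a.Signature); err != nil {
		return fmt.Errorf("code altered after signing: %w", err)
	}
	return nil
}

// Demo runs the flow on a constructed payload: the intact file verifies, a one-byte
// change is rejected, and a self-signed impostor is rejected despite a valid signature.
func Demo() (intactOK, tamperCaught, rogueRejected bool) {
	caKey, caCert := newCertificate("Example Root CA (constructed)", true, nil, nil)
	pubKey, pubCert := newCertificate("Example Publisher Ltd (constructed)", false, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the "preinstalled" root the browser trusts
	payload := []byte("MZ...constructed stand-in for an executable...")
	art, err := Sign(pubKey, pubCert, payload)
	if err != nil {
		panic(err)
	}
	intactOK = Verify(art, roots) == nil
	// First byte changed after signing; signature and certificate kept as they were.
	tampered := SignedArtifact{Payload: append([]byte("X"), payload[1:]...), Signature: art.Signature, Cert: art.Cert}
	tamperCaught = Verify(tampered, roots) != nil
	rogueKey, rogueCert := newCertificate("Impostor (constructed, self-signed)", false, nil, nil)
	rogue, err := Sign(rogueKey, rogueCert, payload)
	if err != nil {
		panic(err)
	}
	rogueRejected = Verify(rogue, roots) != nil
	return
}

func main() { fmt.Println(Demo()) } // prints: true true true
```

Verify makes the chain check before the signature check on purpose: a perfectly valid signature from a certificate that no trusted CA vouches for says nothing about who the author is, which is why the impostor case is rejected even though its signature over the payload is correct. Real signing formats wrap these same two checks in a container (the signature and certificates travel inside the file or alongside it, as with the JAD file mentioned in the comments below), and the chain usually passes through one or more intermediate CA certificates before reaching a root the device already trusts.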

Find out more about Symantec Code Signing

Comments

MuhammadAther (Partner, Accredited), 14 Feb 2014

Hey Andy, clean and straightforward article. I liked it. Is it possible you could also highlight some more technical details of how to sign your code? I want to share an experience we had with one of our clients when we were trying to sign a MIDlet. We were actually signing the JAD file, and the process executed smoothly without any error, but when the signed app was executed on Symbian phones, it prompted "Invalid Application". After some research, we found the problem was due to one Intermediate Certificate of the Symantec Code Signing Certificate which was incompatible with Symbian OS, which we found from the link below:

http://developer.nokia.com/community/discussion/sh...


18 Feb 2014

It really makes sense... thanks!

This is MN Web Designer who is working for a Minneapolis Web Design Firm!

24 Feb 2014

Thank you for the overview, I was struggling with a few of our in-house applications, especially when it came to interacting with other services from Google or Microsoft. On the right track now!

All the best,

Pietro