1. /
  2. Code Signing Information Center

Code Signing Information Center
Deliver your code to more customers, on more platforms with Symantec Code Signing

Watch the video

5 Reasons Why You Should Sign Your Code with Symantec Code Signing

1. Maximize Distribution and Revenue on More Platforms
Two trends make code signing more important than ever: the explosion of consumer applications for mobile and desktop devices and the proliferation of malware. Software publishers and mobile network providers increasingly require code signing from a trusted Certificate Authority (CA) before accepting code for distribution. Symantec Code Signing supports more platforms than any other code signing provider. Symantec is the one trusted provider of code signing for Windows Phone, AT&T Developer Program, Java Verified and Symbian Signed applications.
2. Reduce Security Warnings by Relying on a Trusted Certificate Authority (CA)

Symantec root certificate ubiquity is second to none. Our root certificates come preinstalled on most devices and are embedded in most applications. When you use Symantec Code Signing, your code is automatically accepted for seamless download. If a security warning does appear, it is more likely to recommend trusting your code because it is trusted by Symantec. (Security warnings depend on the platform, application, and client security settings).

3. Protect Your Code Integrity and Your Reputation

Digital signatures contain proof of content integrity so that your code cannot be altered and distributed with unapproved changes. If the hash used to sign the application matches the hash on a downloaded application, the code integrity is intact. If the hash used does not match, users experience a security warning or the code fails to download. Symantec Code Signing Certificates include an optional timestamp to extend the life of your digital signatures. Your code will remain valid even if your code signing certificate expires, because the validity of the code signing certificate at the time of the digital signature can be verified.

4. Speed Time to Market with Streamlined Security

Symantec web-based portal and API integrations make it easy to manage and integrate code signing into your development process. Streamlined security helps you get to market faster while protecting the integrity of your code and reducing security warnings. More developers and publishers rely on Symantec than any other CA. In fact, 7 out of 10 code signing users choose Symantec.*

5. Ensure a Safe, Secure Experience for Customers

Symantec helps create a seamless user experience that minimizes security warnings and installation failures while maximizing code distribution and revenue potential. Signing your code ensures that it has not been tampered with and that it comes from you. Signing it with a Symantec Code Signing Certificate shows that you are trusted by the leader in code signing security and helps ensure a safe, secure experience for you and your customers.

*Online interactive survey of software developers and decision makers, conducted by Symantec, September 2011.
Symantec helps you deliver your apps and code to more customers on more platforms than any other provider. More developers and publishers rely on Symantec, the most recognized and trusted Certificate Authority (CA) worldwide, than any other CA. Our robust authentication practices, public key infrastructure and technical support teams help ensure a safe, secure experience for you and your customers.

How Code Signing Protects Your Intellectual Property and Reputation

Digital signatures use public key cryptography technology to secure and authenticate code.
  1. A developer adds a digital signature to code or content using a unique private key from a code signing certificate.

  2. When a user downloads or encounters signed code, the user’s system software or application uses a public key to decrypt the signature.

  3. The system looks for a “root” certificate with an identity that it trusts or recognizes to authenticate the signature.

  4. The system then compares the hash used to sign the application against the hash on the downloaded application.

  5. If the system trusts the root and the hashes match, then the download or execution continues.

  6. If the system does not trust the root or the hashes do not match, the system interrupts the download with a warning or the download fails.

Self-Signed Digital Certificates

A self-signed digital certificate is chained to a root certificate owned by the signer. In most cases, your root certificate will not be available to third party software and devices. The code will fail to download or a warning screen will appear.

A Trusted Certificate Authority

When you enroll for a digital certificate, the CA authenticates your identity and issues a certificate that is chained to the CA’s root certificate. Application and device have root certificates of known and reputable CA’s embedded within them. When the application or device trusts the root certificate, it trusts you. Symantec root certificate ubiquity is second to none. Our root certificates come preinstalled on most devices and embedded in most applications, creating a seamless, secure installation process for end users.

Frequently Asked Questions

Answers

What is code signing and why do I need it?

When customers download applications online, install plug-ins and add-ins, or interact with sophisticated web-based applications, they must trust that the code is authentic and has not been infected or altered. In traditional software sales, a buyer can confirm the source of the application and its integrity by examining the packaging. Code signing creates a digital “shrink-wrap” that shows customers the identity of the organization or individual responsible for the code and confirms that it has not been modified since the signature was applied. Symantec Code Signing protects your brand and your intellectual property by making your applications identifiable and harder to falsify or damage with a digital signature.

Back to Top

Which code signing certificate do I need?

Symantec Code Signing supports more platforms than any other code signing provider. Symantec is the one trusted provider of code signing for Windows Phone, AT&T Developer Program, Java Verified and Symbian Signed applications. Select the appropriate Symantec Code Signing Certificate for your development platform: Symantec Code Signing Certificates.

Back to Top

Are code signing certificates available for individual developers?

Yes. Individual developers who are not affiliated with an incorporated business have a slightly different, no less rigorous approval process. To apply for a Symantec Code Signing Certificate as an individual, select the appropriate code signing certificate for your development platform, and choose the “Individuals” option to enroll.

Back to Top

How does a code signing certificate work?

Code and content signing is based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content. Software platforms and applications use a public key to decrypt the signature during download and compare the hash used to sign the application against the hash of the downloaded application. Signed code from a trusted source may be automatically accepted or a security warning may require the end user to view the signature information and decide whether or not to trust the code.

Back to Top

How long does it take to purchase a code signing certificate?

During the code signing enrollment process, Symantec will collect information about you or your company for authentication. The validation process may take a few hours or several days, depending on the information you provide and how easily it can be verified. Because Symantec must receive payment before delivering your certificate, payment by credit card speeds delivery.

Back to Top

How long does a digital signature last?

Every code signing certificate is purchased with a specific validity period. The digital certificate can be used to sign code as frequently as needed during that validity period. When the digital certificate expires, all digital signatures that depend on that digital certificate expire also unless the signature includes a timestamp. A timestamp option shows when code was signed, allowing customers to verify that the code signing certificate was valid at the time of the digital signature.

Back to Top

Can I install the code signing certificate on more than one PC?

You can use a code signing certificate on any computer once it is retrieved. However, you must buy and retrieve your code signing certificate from the same computer. If you have problems with retrieval, confirm that you are using the same computer, browser, and log-in profile used to enroll. Symantec recommends that developers purchase additional code signing certificates rather than sharing certificates for better security and management. If a certificate becomes compromised and must be revoked, then all applications signed by the single certificate will be disabled.

Back to Top

How does someone know they can trust my signature?

Signing your code ensures that it has not been tampered with and that it comes from you, but does not verify who you are. Software systems, applications, and mobile networks rely on the root certificate of the issuing CA to determine the validity of the digital signature. A third-party CA is more trusted than a self-signed certificate because the certificate requestor had to go through a vetting or authentication process. Symantec root certificate ubiquity is second to none. Our root certificates come preinstalled on most devices and embedded in most applications, creating a seamless, secure installation process for end users.

Back to Top

How many code signing certificates do I need?

Symantec recommends that developers purchase additional code signing certificates rather than sharing certificates for better security and management. If a certificate becomes compromised and must be revoked then all applications signed by the single certificate will be disabled. Symantec recommends buying a code signing certificate for each developer platform. To use a single certificate across platforms requires a conversion process using additional utilities.

Back to Top

What if I lose my private key or it becomes compromised?

If your private key is lost or compromised or if your information changes, you should revoke your code signing certificate immediately and replace it with a new certificate.

Back to Top
Symantec provides code signing certificates for a number of popular development platforms. To learn more, see the complete list of Symantec Code Signing Certificates.
Current Users: Manage your certificates, check order status and get Technical Support.

Secure Hash Algorithm (SHA) 256 Support is available for Symantec Code Signing Certificates

SHA-256, also known as SHA-2 support is available for Symantec Code Signing starting April 1st, 2013 at no extra charge. SHA-2 was developed by National Institute of Standards and Technology (NIST) and is the recommended cryptographic hash function to replace SHA-1 by the end of 2014.
The option for SHA-2 is available through the ordering pages, reissue process and via the API for QuickOrder, QuickInvite and Reissue.
Some older applications and operating systems may not support SHA-2, for example, Windows XP Service Pack 2 or lower does not support the use of SHA-2. Java SDK 1.4.2 or higher needs to be installed and used on the server for SHA-2 support for Java server support.
For Windows environment, please refer to the following blog for SHA-2 deployment:
http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
Please refer to http://docs.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html for SHA-2 deployment on Java servers.
In addition, Apache version 2.x or higher is required to support SHA-2 on Apache based servers and Open SSL 1.1.x will be required for certificate signing request and private key generation.
SHA-2 support is available to you as an option in securing your code signing certificates. Please check with your Security Officer on your corporate policy.

Contact Sales

View All Code Signing Certificates
Code Siging for Microsoft Developers
Read a Code Signing White Paper
Application Security for Mobile Network Providers