How does Code Signing work?
A digital signature is really just a string of letters and numbers that can be affixed to a file or program. When the signature is added, the program and the signature are both hashed and that hash value, along with the signed program, are then made available for download.
When a customer decides to download the software, their browser will take a look at the digital signature and authenticate it; once this is done, the browser will perform the same hash function and compare the value to the one that came with the program. If the two values match, the file hasn’t been tampered with.
This can be determined with confidence because of the way hashing works. Hashing is the practice of mapping data of any length to a fixed-length output. For instance, SHA-256 is the standard hashing algorithm used in SSL/TLS. SHA-256 outputs hashes that are 256 bits long, this is usually represented by a 64 character hexadecimal string. No two pieces of data can ever produce the same hash value. If they do, this is called a collision and it renders the entire hashing algorithm worthless.