Home
>
Code Signing Certificates

Code Signing Certificates

Signing scripts and executables asserts publisher identity and ensures software integrity

SSL certificates are far from the only X.509 digital certificates that Sectigo sells. In fact, Sectigo is among the only Certificate Authorities that offers both an organization and an individual code signing certificate option.

What is Code Signing?

A code signing certificate allows you to affix a digital signature to a script or executable, proving to end-users that your software is safe to download and install. With the industry’s June 2023 code signing security updates (more on the changes in a moment), this process now involves the use of secure hardware for secure private key storage, adding an extra layer of protection.

Examples of secure hardware for code signing include:

Secure USB token
Hardware security module (HSM)

The way code signing works is that when a user’s computer or browser tries to download or install the signed file, it can verify the authenticity of the signature to ensure it knows who signed it and whether the final product has been tampered with. The new hardware-based storage methods make this process even more secure by increasing the security of your signing key.

One of the key benefits of code signing is that it reduces security warnings for your users, making it easier and faster for them to install your software. This remains true with the new updates, as the hardware-based signing methods align with industry best practices.

Code Signing Is Like Tamper-Evident Packaging for Software

Many within the industry compare code signing to the tamper-proof packaging used to protect items sold in a retail store. That shrink wrap lets you know whether the item has been tampered with and whether its integrity has been compromised. Code signing is similar in that it helps assure your customers the software hasn’t been tampered with, providing assurance of the developer’s identity and software’s integrity.

Browser warnings indicating a lack of publisher identity or software integrity can be detrimental. Code signing, especially with the new hardware-based methods, is the most trustworthy and effective way to avoid these kinds of warnings.

Summary of Policy Updates for Standard Code Signing Certificates

Sectigo has revised its policies for both standard (formerly organization validation [OV]) and individual validation (IV) code signing certificates to align with changes to the industry guidelines that took effect June 1, 2023. The primary focus of these updates is the secure storage and management of private keys. Now, all private keys must be stored in a secure hardware that meets specific security benchmarks, such as FIPS 140 Level 2 or Common Criteria EAL 4+.

These changes bring standard and IV certificates in line with the existing baseline requirements for Extended Validation (EV) Code Signing Certificates.

These changes impact anyone who obtained a new OV or IV code signing certificate after the effective date. Certificates issued prior to June 1, 2023 will continue to be operational until they expire. However, any renewals will need to comply with the updated policies.

The updates in the issuance of IV and OV code signing certificates represent a significant move toward a more secure environment for code signing. While these changes come with stricter requirements and potentially higher costs, they are a necessary measure to mitigate the risks associated with unauthorized access to private keys. If you're planning to obtain or renew a Sectigo code signing certificate, it's vital to be aware of these changes and prepare accordingly.

Sectigo Code Signing Certificate

Digitally sign your scripts and executables to assert publisher identity and ensure file integrity.

The Sectigo Code Signing certificate is one of the most trusted digital signing certificates in use today by software developers and engineers.

Set the strongest standard of publisher identity and block Unknown Publisher warnings with Sectigo EV Code Signing.

The Sectigo Extended Validation Code Signing certificate is the ultimate way to sign your scripts and executables.

How does Code Signing work?

A digital signature is a unique string of letters and numbers that can be attached to a file or program. Starting June 2023, the process includes an additional layer of security: the private keys used for these digital signatures must be stored either on a secure USB token or a hardware security module (HSM) that meets specific security standards.

When the signature is added to the software code, it creates a hash digest (hash value) that’s then encrypted using a private key. The signed hash value is packaged with the code, signed hash, and code signing certificate. This creates the cryptographic digital signature that provides authenticity and integrity protections.

How does Code Signing work?

When a customer downloads the software, their browser or operating system examines the digital signature for authentication. After this step, the browser or operating system performs its own hash function and compares the resulting value with the one accompanying the program. A matching pair of hash values confirms the file's integrity.

Code Signing Digital Signature Verification Process

The reliability of this process lies in the nature of hashing, which maps data of varying lengths to a fixed-length output. For example, SHA-256 is a standard hashing algorithm used in SSL/TLS protocols. It produces 256-bit long hashes, typically represented by a 64-character hexadecimal string. The uniqueness of each hash value ensures that no two data sets can produce the same output, making the algorithm secure and reliable.

Customers Need Two Assurances Before Downloading Your Software

Before anyone downloads your software, they require two key assurances:

The software was developed by a trustworthy party.
The software hasn’t been altered or tampered with since it was signed.

Signing your software using a code signing certificate provides these assurances to users. By adding your digital signature to your script or executable, you validate your identity and the file's integrity. Again, with the latest guidelines, digital signatures now utilize secure hardware for enhanced security, warranting the software remains unaltered.

These assurances make the difference between gaining a new user and missing out on a download.

Choose Your Code Signing Key Storage Method

As we touched on earlier, the industry’s Code Signing Baseline Requirements stipulate that all code signing private keys must be stored securely on Common Criteria EAL 4+ and FIPS 140-2 Level 2-compliant hardware. However, there are a few ways you can choose to meet these requirements:

Receive your certificate and key on a secure USB token. This is the default method that Sectigo uses to issue code signing certificates. You’ll receive a pre-configured token with the certificate and key already installed that meets the industry’s new security baseline requirements.
Use an existing USB token. This one is a bit trickier in that you need to ensure that your secure hardware device is compliant with the CC EAL 4+ and FIPS 140-2 Level 2 standards.
Use an on-prem or cloud-based HSM. This secure storage mechanism also must meet the Common Criteria EAL 4+ and FIPS 140-2 Level 2 security requirements, and it must support externally verifiable key attestation. As of August 24, 2023, Sectigo currently supports two HSM options: Network Attached Luna HSM, version 7.x or the Luna Cloud HSM.

What Can I Sign Using a Code Signing Certificate?

Sectigo code signing certificates are compatible with a wide range of major file types and platforms:

Adobe AIR
Apple applications and plug-ins
Mozilla Firefox Objects
Microsoft Authenticode
Microsoft VBA and Office macros
Java
Microsoft Silverlight apps

Sectigo EV Code Signing Certificate

An EV certificates shows your commitment to security and transparency, particularly to businesses that handle sensitive data.

Microsoft SmartScreen will now show your publisher identity, letting users know that you chose the highest standard of assurance with a Sectigo EV Code Signing certificate.

Learn More