What is a Microsoft Authenticode Code Signing Certificate? Everything you need to know: Utility, Working style, Cost, and Compatibility.
Microsoft’s Authenticode technology allows software publishers to use X.509 code-signing certificates to sign their software. Code signing certificates verify the publisher of the software and ensure that the software is the same and hasn’t been changed since it was signed by the original issuer.
Microsoft itself doesn’t verify the publisher’s identity and code’s integrity. Instead, it relies on a proven Public Key Cryptography system that allows a third-party certificate authority, like Sectigo (previously Comodo CA), to authenticate the publisher and hash the codes.
With Microsoft Authenticode, you can sign all sorts of Windows executables and code including .exe, .cab, .dll, .ocx, and .xpi files in 32- and 64-bit user-mode.
Authenticode certificates are issued by Microsoft to authenticate and hash the program or code developed by the applicant. The certificate is issued by Microsoft, but the validation and hashing are done by a publicly trusted certificate authority (CA) like Sectigo. The Authenticode certificate ensures the user that the code originated from the legitimate source and has not been tampered with since its release.
How does an Authenticode Code Signing certificate work?
There are 2 main pillars of Authenticode code signing certificates. Identity verification and Integrity assurance.
1. Identity Verification
Publicly trusted certificate authorities verify the identity of the applicant before signing the code signing certificate. That’s how the users can be confident that they know where the software is coming from and who the original publisher is.
- The certificate authorities verify the applicant company’s business registration details, address, and telephone number.
- Individual developers must provide a notarized form to validate their government-issued photo identification and complete a phone call verification.
When users try to download software, device drivers, applications, executables, or scripts without a code signing certificate, the browser and/or operating system show the publisher’s name as “Unknown” along with a security warning such as “Do you want this app from an unknown publisher to make changes to your device?”
If the software is signed by a code signing certificate, the publisher’s name appears in the dialogue box and the users won’t see a security warning like above.
2. Integrity Assurance
Once the software publisher finishes the final version of code, Authenticode allows them to put a digital signature on the entire code.
A Microsoft Authenticode Code Signing certificate hashes the file along with the digital signature of the publisher.
Hashing means condensing the data by using mathematical functions/algorithm. It is like putting a seal on a physical product. Hash values are unique. So, if there is the slightest change in the software, the hash value changes.
If someone tries to conduct a man-in-the-middle attack and modifies the codes or inserts the malware/viruses, the hash value of the digital signature changes. That’s how the browser and operating system know that the executable has been tampered with and they show a warning message to users.
Malicious software, applications, and scripts are highly dangerous and can corrupt your entire computer or cell phone, or even your entire company network. Authenticode technology not only saves the users from downloading an infected piece of software but also warns the publisher to do the damage control before its too late.
Authenticode Code Signing Certificates: Comparison
|Sectigo OV Code Signing Certificate||Sectigo EV Code Signing Certificate|
|Price for 1 year||$99/year||$349.80/year|
|Price for 2 year||$89/year||$306/year|
|Hashing algorithm length||256-bit||256-bit|
|Money-Back Guarantee||30 Days||30 Days|
|Private keys on external hardware for 2-factor verification||NO||Yes|
|Apple OS X Signing||Yes||Yes|
|Internet Explorer 5.0 or higher version||Yes||Yes|
|Netscape Object Signing||Yes||Yes|
|Marimba Channel Signing||Yes||Yes|
|Windows 2000, XP or a higher version.||Yes||Yes|
|BUY NOW||BUY NOW|