Microsoft Authenticode Code Signing Certificates


What is a Microsoft Authenticode Code Signing Certificate? Everything you need to know: what it is for, how it works, what it costs, and what it is compatible with.

Microsoft’s Authenticode technology allows software publishers to use X.509 code signing certificates to sign their software. The signature identifies the publisher of the software and lets Windows check that the file has not been changed since the original publisher signed it.

Microsoft itself does not vouch for any particular publisher. Instead, Authenticode relies on public-key cryptography and on a publicly trusted third-party certificate authority (CA), such as Sectigo (formerly Comodo CA), to verify the publisher’s identity and issue the certificate. The publisher then uses the private key belonging to that certificate to sign a hash of the code, and Windows checks the signature against the CA roots in its trust store.

With Microsoft Authenticode you can sign Windows executables and related artifacts, including .exe, .dll, .sys, .ocx, .cab and .msi files and PowerShell scripts, in 32- and 64-bit user mode. (.xpi is a Mozilla extension package and is signed through Mozilla’s own object-signing mechanism, not Authenticode; kernel-mode drivers additionally need Microsoft’s own signature obtained through the Hardware Dev Center.)

Authenticode Certificate

Authenticode is Microsoft’s signature format, not a certificate product: the certificate used for signing is issued by a publicly trusted certificate authority (CA) such as Sectigo, whose root is in the Windows trust store, and that CA performs the identity validation of the applicant. The publisher, not the CA, computes the hash of the program and signs it with the certificate’s private key. The resulting signature assures the user that the code originated from the named publisher and has not been tampered with since it was signed.

How does an Authenticode Code Signing certificate work? 

There are two main pillars of Authenticode code signing: identity verification and integrity assurance.

1. Identity Verification

Publicly trusted certificate authorities verify the identity of the applicant before issuing the code signing certificate. That is how users can be confident that they know where the software comes from and who the original publisher is.

  • The certificate authorities verify the applicant company’s business registration details, address, and telephone number.  
  • Individual developers must provide a notarized form to validate their government-issued photo identification and complete a phone call verification.  

When users download and run software, device drivers, applications, executables, or scripts that carry no valid signature, Windows shows the publisher as “Unknown” in the User Account Control prompt along with a security warning such as “Do you want this app from an unknown publisher to make changes to your device?”

If the software is signed with a code signing certificate that chains to a trusted root, the verified publisher’s name appears in the dialog box and the unknown-publisher warning is not shown. SmartScreen reputation is a separate check, which is why the comparison further down lists it on its own row.


2. Integrity Assurance 

Once the software publisher finalises a release, Authenticode lets them place a digital signature over the entire file.

The signing tool computes a cryptographic hash of the file (SHA-256 today; SHA-1 is deprecated) and signs that hash with the private key belonging to the publisher’s certificate. The signature, the certificate chain and optionally a trusted timestamp are embedded in the file itself (for PE files, in the attribute certificate table), so the file carries its own proof of origin.

Hashing condenses the data with a one-way mathematical function. It is like putting a seal on a physical product. A secure hash function is collision resistant, so for practical purposes every distinct file has a distinct hash value: the slightest change in the software changes the hash.

If an attacker in the download path modifies the code or inserts malware, the hash that Windows computes over the received file no longer matches the hash inside the signature. That is how the operating system knows the executable has been tampered with, and it shows a warning to the user.

Malicious software, applications, and scripts can compromise a single computer or phone, or an entire company network. Authenticode stops users from silently running a tampered copy of a legitimate program. It does not, however, say anything about whether the publisher’s original code is safe, only that it is unchanged and came from the named publisher.
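The two pillars above, identity and integrity, are exactly what a consumer of a signed file should check before trusting it. The following PowerShell session is an added example written for this page, not code from the original article or from Microsoft or Sectigo. It signs a constructed sample script with a code signing certificate from the current user’s personal store, verifies that the file is intact and signed by the expected publisher, then tampers with the file to show the integrity check failing. The thumbprint placeholder and the timestamp URL are assumptions you replace with your own; a certificate issued by a publicly trusted CA (the page’s topic) is assumed, since a self-signed lab certificate will report UnknownError or NotTrusted instead of Valid because its chain does not end in a trusted root.

```powershell
# Added example (not from the original article): sign a file with an
# Authenticode code signing certificate, then verify both pillars:
# identity (who signed it) and integrity (was it changed since signing).
# Assumes a CA-issued code signing certificate in Cert:\CurrentUser\My.
# The thumbprint and timestamp server below are placeholders (assumptions).

$ExpectedThumbprint = 'PLACEHOLDER-THUMBPRINT'        # assumption: your cert's SHA-1 thumbprint
$TimestampServer    = 'http://timestamp.sectigo.com'  # assumption: an RFC 3161 timestamp service

# Select the signing certificate by thumbprint rather than taking the first
# code signing certificate found, so an expired or wrong cert is never used.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if (-not $cert) { throw "Signing certificate $ExpectedThumbprint not found" }

# Constructed sample artifact: a PowerShell script. Authenticode covers .ps1
# files as well as .exe/.dll/.cab/.msi binaries.
$Target = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $Target -Value 'Write-Output "hello from a signed script"'

# Sign with SHA-256 and a timestamp so the signature remains valid after the
# certificate itself expires.
$signed = Set-AuthenticodeSignature -FilePath $Target -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($signed.Status -ne 'Valid') { throw "Signing failed: $($signed.StatusMessage)" }

function Test-AuthenticodeFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Pillar 2, integrity: the hash inside the signature must match the file's
    # current hash and the chain must end in a trusted root. Any status other
    # than Valid (NotSigned, HashMismatch, NotTrusted, UnknownError) is a reject.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'
                                  Reason = "$($sig.Status): $($sig.StatusMessage)" }
    }

    # Pillar 1, identity: a valid signature from the wrong publisher is still a
    # reject, so pin the signer's thumbprint instead of asking only "is it signed".
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'
                                  Reason = "Signed by unexpected publisher $($sig.SignerCertificate.Subject)" }
    }

    return [pscustomobject]@{ Path = $Path; Verdict = 'ACCEPT'
                              Reason = "Signed by $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)" }
}

# 1) Freshly signed file: expected verdict ACCEPT.
Test-AuthenticodeFile -Path $Target -ExpectedThumbprint $ExpectedThumbprint

# 2) Tamper with the script body after signing, which is what a man-in-the-
#    middle or a trojanised download does. The signature block at the end of
#    the file is left intact, but the body hash no longer matches, so
#    Get-AuthenticodeSignature reports HashMismatch and the verdict is REJECT.
(Get-Content -Path $Target) -replace 'hello from a signed script', 'hello from a TAMPERED script' |
    Set-Content -Path $Target
Test-AuthenticodeFile -Path $Target -ExpectedThumbprint $ExpectedThumbprint
```

The same two checks apply to binaries: `signtool verify /pa /v file.exe` performs the integrity and chain check, and the "Signing Certificate Chain" it prints is what you compare against the publisher you expect. Pinning the thumbprint (or at least the subject and issuer) matters because a valid signature only proves the file is unchanged since some certificate holder signed it, not that the holder is the vendor you think it is.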

Authenticode Code Signing Certificates: Comparison 

Feature                                          Sectigo OV Code Signing   Sectigo EV Code Signing
Price for 1 year                                 $99/year                  $349.80/year
Price for 2 years                                $89/year                  $306/year
Signature hash algorithm                         SHA-256                   SHA-256
Money-back guarantee                             30 days                   30 days
Private key on external hardware (two-factor)    No                        Yes
Compatibility:
  Microsoft Authenticode                         Yes                       Yes
  Microsoft Silverlight                          Yes                       Yes
  Adobe AIR                                      Yes                       Yes
  Java                                           Yes                       Yes
  Apple OS X signing                             Yes                       Yes
  Mozilla                                        Yes                       Yes
  Internet Explorer 5.0 or higher                Yes                       Yes
  Microsoft VBA                                  Yes                       Yes
  Netscape Object Signing                        Yes                       Yes
  Marimba Channel Signing                        Yes                       Yes
  Windows 2000, XP or higher                     Yes                       Yes
Immediate Microsoft SmartScreen reputation       No                        Yes

Note on the hardware row: since 1 June 2023 the CA/Browser Forum’s code signing baseline requirements oblige CAs to ensure that the private key for OV certificates is also generated and kept on a hardware token or HSM, so newer OV certificates are delivered on hardware as well; the distinction in the table reflects the older OV practice of a software-stored key.
What is a Microsoft EV Code Signing Certificate?