How does Code Signing work?

Learn more about code signing, enrolling a code signing cert and the code signing certificates offered by VeriSign and thawte via Secure128.

How Code Signing Works
Before publishing applets, plug-ins, macros and other executable files, developers and software publishers use code signing certificates to attach a unique digital signature to each file. Operating systems, software applications, devices and mobile networks look for a trusted digital signature to authenticate the source of the code and to confirm that the code has not been altered since it was signed.

The Enrollment Process
When you apply for a Thawte or VeriSign Code Signing Certificate from Secure128, you generate a private/public key pair and submit the public portion to Thawte together with documentation that proves your identity; the private key stays with you. Once Thawte has authenticated and verified that information, it issues a code signing certificate containing your full organizational name and your public key. You can use the certificate to digitally sign code and content for as long as it remains within its validity period.

Deploying and Trusting Signed Code
  1. A publisher or developer signs a file using the code signing certificate and the private key that belongs to it.
  2. A cryptographic hash of the file is computed, the hash is signed with the private key, and the resulting digital signature is attached to the file along with the certificate.
  3. The content is published to a web site or mobile network, or otherwise made available.
  4. A user downloads or encounters the code. The system software or application uses the public key from the publisher's certificate to verify (decrypt) the signature and recover the hash that was signed.
  5. The hash recovered from the signature is compared with a freshly computed hash of the downloaded code. A mismatch generates an error, prevents the download, or allows it with a warning, depending on the platform, application, and client security settings.

Root Certificates
Confidence in the identity of the organization that issued a certificate is important when deciding whether a certificate can be trusted. When software verifies the digital signature, it follows the certificate chain back to a "root" certificate, the ultimate source of the identity information. A self-signed digital certificate means that you own your own root certificate and are vouching for your own identity; since your root certificate is unlikely to be present in the user's browser or operating system, the software has no basis for trusting it. In contrast, established certificate authorities, such as Thawte, are well known, and their root certificates are shipped and trusted by operating system, software and device vendors. That trust extends to every digital certificate that chains to, and is validated by, the Thawte root certificate.
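The deployment steps above and the root-certificate discussion can be exercised end to end in a few dozen lines. The program below is an added example, not code from Secure128, Thawte or VeriSign: it builds an in-memory certificate authority that stands in for the CA's root, issues a code-signing certificate to a publisher (the outcome of enrollment), signs a constructed "file" with SHA-256 and RSA PKCS#1 v1.5 (one common signature scheme, assumed here), and then plays the client's part: chain the publisher's certificate to a trusted root, require the code-signing usage, and compare the signed hash with a fresh hash of the downloaded bytes. It also shows the two failure modes the page describes, a tampered file and a publisher whose root is absent from the client's trust store. All names, keys and file contents are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sentinel errors let a client tell "unknown publisher" from "file was altered".
var ErrUntrustedPublisher = errors.New("publisher certificate does not chain to a trusted root")
var ErrSignatureMismatch = errors.New("signature does not match the downloaded file")

// issue creates a certificate from tmpl, signed by signer on behalf of parent, and parses it back.
func issue(tmpl, parent *x509.Certificate, pub any, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI models the outcome of enrollment entirely in memory (names are constructed placeholders).
// It returns the client's trust store, the publisher's certificate and the publisher's private key.
func BuildPKI() (*x509.CertPool, *x509.Certificate, *rsa.PrivateKey, error) {
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	// The root: self-signed, flagged as a CA and permitted to sign certificates.
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048) // the publisher's key pair; only the public half goes to the CA
	if err != nil {
		return nil, nil, nil, err
	}
	// The publisher's certificate: issued by the CA after identity vetting, restricted to code signing.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"Example Publisher Inc (constructed)"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafCert, err := issue(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, leafCert, leafKey, nil
}

// Sign is the publisher's side: hash the file with SHA-256 and sign the hash (RSA PKCS#1 v1.5).
func Sign(priv *rsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the client's side: chain the publisher certificate to a trusted root and require the
// code-signing usage, then check the signature against a fresh hash of the downloaded file.
func Verify(roots *x509.CertPool, leaf *x509.Certificate, file, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedPublisher, err)
	}
	pub := leaf.PublicKey.(*rsa.PublicKey) // this example only issues RSA certificates
	digest := sha256.Sum256(file)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return ErrSignatureMismatch
	}
	return nil
}

func main() {
	roots, leaf, key, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	file := []byte("constructed plug-in bytes") // stands in for the published executable
	sig, _ := Sign(key, file)
	tampered := append([]byte(nil), file...)
	tampered[0] ^= 1 // one flipped bit changes the hash, so the signature no longer matches
	fmt.Println("intact file:", Verify(roots, leaf, file, sig))
	fmt.Println("tampered file:", Verify(roots, leaf, tampered, sig))
	fmt.Println("root not in trust store:", Verify(x509.NewCertPool(), leaf, file, sig)) // the self-signed-root case
}
```

Two design points worth noting. The client checks the certificate chain before it checks the signature: a valid signature from a key whose certificate does not chain to a trusted root tells the user nothing about who the publisher is, which is exactly why a self-signed root gives no assurance. And the client never trusts a hash that ships with the file; it recomputes the hash itself and compares that with the value recovered from the signature, so any change to the file after signing is detected.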