[{"data":1,"prerenderedAt":176},["ShallowReactive",2],{"$kqleMCUnSMtiX":3},{"code":4,"status":5,"result":6},200,"OK",{"blocks":7,"objectives":160,"title":171,"subheading":172,"intro":173,"related":174,"browser":171,"description":175},[8,14,20,24,29,33,37,41,45,49,53,57,61,65,69,73,77,81,85,89,94,98,102,106,110,114,118,122,126,130,134,138,144,148,152,156],{"content":9,"id":11,"isHidden":12,"type":13},{"text":10},"\u003Cp>Code signing is the process of applying a digital signature to a piece of software. This includes executables, scripts, drivers, firmware, and application packages. Signing is accomplished by using a dedicated code signing certificate issued by a trusted \u003Ca href=\"/learning/ssl/what-is-a-certificate-authority\">Certificate Authority (CA)\u003C/a>.\u003C/p>\u003Cp>The digital signature serves the purposes of authentication and integrity. Users and operating systems can identify the software’s publisher, and vouch for the fact that the code has not been altered since the publisher signed it.\u003C/p>\u003Cp>If the code has been modified in any way, shape, or form after signing, the signature verification fails, and the operating system can warn the user in advance or outright reject the code.\u003C/p>","fd7c21cc-5044-4253-bdd6-a7aa392817e8",false,"text",{"content":15,"id":18,"isHidden":12,"type":19},{"level":16,"text":17},"h2","How Does Code Signing Work?","5708d5b9-a424-4c39-a740-b0ce27eb6c86","heading",{"content":21,"id":23,"isHidden":12,"type":13},{"text":22},"\u003Cp>Code signing leverages core Public Key Infrastructure (PKI) principles in much the same way as \u003Ca href=\"/ssl-certificates\">SSL/TLS certificates\u003C/a> do. Signing code relies on \u003Ca href=\"/learning/ssl/symmetric-vs-asymmetric-encryption\">asymmetric cryptography\u003C/a> and hashing to ensure security. 
This is a simple five-step process:\u003C/p>","60293425-8775-4b14-a02e-674d0e2d8906",{"content":25,"id":27,"isHidden":12,"type":28},{"text":26},"\u003Col>\u003Cli>The developer obtains a \u003Ca href=\"/ssl-certificates/code-signing\">code signing certificate\u003C/a> from a trusted CA. This package includes the developer’s public key and the CA’s own digital signature.\u003C/li>\u003Cli>A new key pair is generated, consisting of a private key (held securely by the developer) and a public key (embedded in the certificate).\u003C/li>\u003Cli>The code is run through a hashing algorithm (e.g. \u003Ca href=\"/learning/ssl/what-is-256-bit-encryption\">SHA-256\u003C/a>), producing a fixed-length digest of the software’s content.\u003C/li>\u003Cli>The hash is encrypted using the developer’s private key, producing the digital signature. This signature is then attached to the shipped code.\u003C/li>\u003Cli>End users verify the signature using the developer’s public key, wherein the OS decrypts the signature to recover the original hash, independently hashes the downloaded software, and compares the two values. The signature is valid if the two values match.\u003C/li>\u003C/ol>","e922a40d-f08d-4160-b150-1afdc455f985","list",{"content":30,"id":32,"isHidden":12,"type":19},{"level":16,"text":31},"What is a Code Signing Certificate?","124a54a6-5b8b-4cbe-9e48-f4cc4f7fffbd",{"content":34,"id":36,"isHidden":12,"type":13},{"text":35},"\u003Cp>Though both regular SSL/TLS certificates and code signing certificates are created using the same cryptographic baseline, the latter exists in a niche of its own. A code signing certificate is an X.509 certificate issued by a trusted CA, used to sign code rather than for server-level authentication or email signing. 
A code signing certificate contains the publisher’s public key, identifying information about the developer or the organisation in charge, and the CA’s own bespoke digital signature.\u003C/p>\u003Cp>There are \u003Ca href=\"/learning/code-signing/certificate-types\">two different validation levels\u003C/a> for code signing: \u003Ca href=\"/verokey/secure-code-signing-certificate\">Organisation Validation (OV)\u003C/a> and \u003Ca href=\"/verokey/ev-code-signing-certificate\">Extended Validation (EV)\u003C/a>, which we’ll discuss in \u003Ca href=\"/learning/code-signing/certificate-types\">dedicated articles\u003C/a>.\u003C/p>","259ad2e0-e550-45ad-aabc-892fe578ca0e",{"content":38,"id":40,"isHidden":12,"type":19},{"level":16,"text":39},"What is Timestamping?","6b555fef-02b3-4cca-b1e9-15f20389ab14",{"content":42,"id":44,"isHidden":12,"type":13},{"text":43},"\u003Cp>Upon signing code, a developer can also request a trusted \u003Ca href=\"/learning/code-signing/time-stamping\">timestamp from a Time Stamping Authority (TSA)\u003C/a>, which is a special server operated by the issuing CA. The TSA returns a cryptographically signed token, which records the exact date and time the signature was applied. The signature timeline matters because these certificates typically expire one to three years after they’ve been signed, and code cannot be validated post-expiration. Timestamping provides a way around this, as the original time of signature is recorded during the process and remains trusted indefinitely.\u003C/p>\u003Cp>Note that \u003Ca href=\"/learning/code-signing/what-is-ci-cd-automation\">timestamping\u003C/a> is not a part of the signing process by default. 
The developer needs to specifically request it, and the operation itself relies on the TSA’s certificate chain.\u003C/p>","2a6629c6-848e-44cc-ae1c-1b0a995b54e1",{"content":46,"id":48,"isHidden":12,"type":19},{"level":16,"text":47},"How Does an Operating System Verify Signed Code?","94dc81d7-ea1b-4092-b856-a20827826e9b",{"content":50,"id":52,"isHidden":12,"type":13},{"text":51},"\u003Cp>Attempting to run signed code makes the OS do a whole checklist’s worth of background operations:\u003C/p>","024b5ee9-0f26-42e7-bc4a-21796623d092",{"content":54,"id":56,"isHidden":12,"type":28},{"text":55},"\u003Cul>\u003Cli>\u003Cp>It extracts the digital signature from the software package.\u003C/p>\u003C/li>\u003Cli>\u003Cp>It uses the publisher&rsquo;s public key from the embedded certificate to decrypt the signature, recovering the original hash.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Independently, it uses the same algorithm to hash the software locally.\u003C/p>\u003C/li>\u003Cli>\u003Cp>It compares the original hash with the new hash. If they match, the signature is valid.\u003C/p>\u003C/li>\u003Cli>\u003Cp>It checks whether the certificate can be traced back to a trusted CA.\u003C/p>\u003C/li>\u003Cli>\u003Cp>It checks whether the certificate might have since been revoked.\u003C/p>\u003C/li>\u003C/ul>","3687fb14-446f-4120-9a7d-e92a99d4cde8",{"content":58,"id":60,"isHidden":12,"type":13},{"text":59},"\u003Cp>Failing any of these checks means that the software cannot be verified, and the user needs to be warned.\u003C/p>","04029551-e5f4-4c11-875f-24c4a6dbc2b9",{"content":62,"id":64,"isHidden":12,"type":19},{"level":16,"text":63},"What Happens Without a Code Signing Certificate?","7decbb3e-2ef2-4959-a07a-92ab25a6688c",{"content":66,"id":68,"isHidden":12,"type":13},{"text":67},"\u003Cp>While unsigned software is not inherently dangerous, the problem is that operating systems have no way to verify its integrity and authenticity. 
As such, it needs to be treated accordingly.\u003C/p>\u003Cp>On Windows, SmartScreen blocks unsigned executables by default, \u003Ca href=\"/learning/code-signing/unknown-publisher-warnings\">displaying a warning\u003C/a> that the user must manually override for the code to run. On macOS, Gatekeeper fulfils a similar function, except the user needs to go into the system security settings to allow an optional override.\u003C/p>\u003Cp>Third-party security tools and antivirus packages also have a higher likelihood of flagging unsigned executables, thereby requiring additional inspection by the end user.\u003C/p>\u003Cp>The specifics of how unsigned code is or is not flagged vary by OS type, version, and local security policy configuration. The default position of all major desktop platforms, however, is that unsigned code should be distrusted.\u003C/p>","511d012e-fb12-47f4-8eab-5fc1a7437fe3",{"content":70,"id":72,"isHidden":12,"type":19},{"level":16,"text":71},"Where is Code Signing Used?","7ab89236-54db-479b-a906-a2169e1f46de",{"content":74,"id":76,"isHidden":12,"type":13},{"text":75},"\u003Cp>Code signing is applied to an extremely broad range of software assets, including:\u003C/p>","21d065de-fa0f-46f0-ab40-91bf3ca2eeb5",{"content":78,"id":80,"isHidden":12,"type":28},{"text":79},"\u003Cul>\u003Cli>\u003Cp>Windows executable files: .exe, .msi, .dll, .cab.\u003C/p>\u003C/li>\u003Cli>\u003Cp>macOS packages and applications: .app, .pkg, .dmg.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Scripts, like PowerShell.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Java applications (.jar).\u003C/p>\u003C/li>\u003Cli>\u003Cp>Android packages (.apk).\u003C/p>\u003C/li>\u003Cli>\u003Cp>iOS application archives (.ipa).\u003C/p>\u003C/li>\u003Cli>\u003Cp>Browser extensions.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Firmware releases.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Device 
drivers.\u003C/p>\u003C/li>\u003C/ul>","39dc5cf6-54f2-4343-8f6d-f2e5367734fb",{"content":82,"id":84,"isHidden":12,"type":13},{"text":83},"\u003Cp>Driver signing is particularly noteworthy because Windows requires EV-level signatures for kernel-mode drivers. They also need to be submitted to the Microsoft Hardware Developer Centre for further checking. If the driver is unsigned or even improperly signed, it will not work on 64-bit versions of Windows.\u003C/p>","a1194a7d-b01b-4107-9c1f-4a88c7829f20",{"content":86,"id":88,"isHidden":12,"type":19},{"level":16,"text":87},"How to Obtain and Use Code Signing Certificates","cb942474-3b27-41f4-9d6c-d162d6046ae7",{"content":90,"id":93,"isHidden":12,"type":19},{"level":91,"text":92},"h3","#1: Choose the appropriate level of validation","52d63cc3-d036-42a1-91fa-a66fcc1bf59a",{"content":95,"id":97,"isHidden":12,"type":13},{"text":96},"\u003Cp>Whereas EV certification is required for kernel-mode drivers, regular OV code signing is sufficient for standard code distribution. In practice, developers need to decide which option makes sense for their use-case.\u003C/p>","ea08896f-b5d0-4af9-af94-76de74b90ed1",{"content":99,"id":101,"isHidden":12,"type":19},{"level":91,"text":100},"#2: Generate a key pair and submit your CSR","ab5d8ad8-54e8-467f-b27a-976d400296a6",{"content":103,"id":105,"isHidden":12,"type":13},{"text":104},"\u003Cp>Tools such as OpenSSL or bespoke signing tools provided by CAs are used to \u003Ca href=\"/ssl-tools/generate-csr\">generate a key pair\u003C/a>. 
Afterwards, the developer submits a Certificate Signing Request (CSR) containing their public key and all the necessary identifying information to their CA.\u003C/p>","2cc3871e-20da-4174-94ac-ca9ee1399a5b",{"content":107,"id":109,"isHidden":12,"type":19},{"level":91,"text":108},"#3: Complete your identity verification","17922ed6-2b5d-4cd5-8c5f-24b29063087d",{"content":111,"id":113,"isHidden":12,"type":13},{"text":112},"\u003Cp>The CA verifies the developer’s identity depending on the level of certificate validation they requested. Whereas OV certificates may require only organisation registration documentation, EV certificates undergo a more extensive review process.\u003C/p>","6dad00d8-fb0f-4b69-9072-16c1eec62db4",{"content":115,"id":117,"isHidden":12,"type":19},{"level":91,"text":116},"#4: Receive your new code signing certificate","2f2d2b0f-803f-4183-89b7-66e3ad6abe2f",{"content":119,"id":121,"isHidden":12,"type":13},{"text":120},"\u003Cp>After identity verification is complete, the CA issues the certificate and delivers it to a \u003Ca href=\"/learning/code-signing/hardware-security-tokens-hsm\">Hardware Security Module (HSM)\u003C/a>. This hardware token is a hard requirement as of June 2023 for both OV and EV certificates, in which private keys must be generated and stored on a device that meets the appropriate security requirements.\u003C/p>","e21e0b77-e063-43a1-adcd-252a7d568933",{"content":123,"id":125,"isHidden":12,"type":19},{"level":91,"text":124},"#5: Sign your code","0c43d802-7bd7-4cb5-b981-cf0026944021",{"content":127,"id":129,"isHidden":12,"type":13},{"text":128},"\u003Cp>At this point, the \u003Ca href=\"/help/code-signing-installation-manuals\">developer can use a signing tool to sign\u003C/a>. On Windows, \u003Ca href=\"/help/setup-guides/program-signing-and-timestamping-with-signtool\">signtool.exe\u003C/a> is included in the OS SDK and applies Authenticode signatures. 
On macOS, the equivalent task is completed by codesign, which handles software signing for all Apple platforms. Timestamping may also be completed at this time by specifying a TSA endpoint.\u003C/p>","6f18bd09-d2d6-414e-add9-b2d3191a0057",{"content":131,"id":133,"isHidden":12,"type":19},{"level":91,"text":132},"#6: Verify your signature","3551a969-8e5b-448d-8fba-ad5ec54be142",{"content":135,"id":137,"isHidden":12,"type":13},{"text":136},"\u003Cp>A developer may choose to verify their newly signed code locally before distributing it. On Windows, this is accomplished by running the command:\u003C/p>","38532780-c046-438a-b874-cc094bb7c70a",{"content":139,"id":142,"isHidden":12,"type":143},{"code":140,"language":141},"signtool verify /pa /v your-executable.exe","shell","0e8a6f3b-2a63-4780-afd6-f09727801058","code",{"content":145,"id":147,"isHidden":12,"type":13},{"text":146},"\u003Cp>On macOS, this is done by running the command:\u003C/p>","edb93a7f-823e-4dee-ad4c-f877341710f4",{"content":149,"id":151,"isHidden":12,"type":143},{"code":150,"language":141},"codesign --verify --verbose your-executable.app","8eb35060-ba3f-4191-978b-591ca163d9f6",{"content":153,"id":155,"isHidden":12,"type":19},{"level":16,"text":154},"To Summarize","2819aa8e-bfcd-4ac8-9e87-c4bd736a0bee",{"content":157,"id":159,"isHidden":12,"type":13},{"text":158},"\u003Cp>Code signing uses asymmetric cryptography to sign code. A developer signs their software with a private key, and the signature can then be verified using the corresponding public key embedded in the certificate. The CA’s role is to vouch for the publisher’s identity, thereby providing users and operating systems with a baseline of software trustworthiness. Timestamping may also be used to extend the signature’s validity beyond the certificate itself. 
Taken together, these mechanisms enable users to execute code safely and reliably.\u003C/p>","a8a0da19-ffb7-486f-93d8-ef1407576b94",[161,163,165,167,169],{"text":162},"Explain what code signing is",{"text":164},"Describe the process of signing",{"text":166},"Explain what code signing certificates are",{"text":168},"Understand what timestamping is",{"text":170},"Identify unsigned code","What is Code Signing?","","Code signing is the practice of applying a cryptographic digital signature to software, scripts, and executables. This signature allows operating systems, browsers, and end users to verify the publisher’s identity and confirm that the code has not been modified since its signature was issued.",[],"Learn all about code signing: what it is, how it works, and the important ways to make software secure.",1776822232867]