Introduction to Code Signing

Where to start

I created this page as I was trying to obtain my own software publisher's certificate because it seemed to me that there was a lack of clear, substantive information available. I probably spent 30 minutes navigating through Microsoft's website trying to figure out where I could get a code signing certificate and what kind I needed. I also had trouble making sense of the differences in terminology from web site to web site, and I wondered what the difference was between digital signatures, digital certificates, code signing certificates, X.509 certificates, ssl certificates, public key certificates, and software publisher's certificates. As I began to research to try to better understand how digital signatures worked, I realized that it wasn't just me who was confused. Even within the industry itself I saw more than one web site with information about signing certificates that seemed to be written by someone who didn't have a clear idea of what he was writing about.

Here I've tried to cover the basics of code signing in a way that is both clear and progressive, meaning that I won't reference terms and concepts without first explaining what they are.

Quick Reference Guide


To begin, these are some basic definitions that will make it easier to make sense of the explanations that follow. For these definitions, the word being defined is used in the form of a question to make it easier for the answers to be discovered by search engine users.

What is a digital signature ?

A digital signature, also sometimes called self-signed certificate, is a way for a software, application, or plug-in publisher to verify the authenticity of its own code when provided for download. It is intended as a statement of assurance and responsibility – expressing that the download is actually from the source that it claims to be from and that the provider is making its identity known. It is a signature in the sense that it is a unique, identifying mark created utilizing encryption and a pair of keys – one of which is used to decrypt the other, allowing the signature to be verified by the user and making it difficult to fake or alter without generating a warning message when someone attempts to download the code. In the case of a digital signature (self-signed certificate) the only entity confirming the identity of the publisher is the publisher itself. Digital signatures are therefore generally less trusted than digital certificates and will trigger warning messages in most modern browsers and operating systems.

What is a digital certificate ?

A digital certificate is a digital signature that has been certified by a certificate authority. This means that the provider of the download has registered with a certification authority and the certification authority has checked the background of the software publisher and monitors the validity of the software it provides – meaning that if a user registers a complaint stating that the software is malicious, the certifying authority can revoke the digital certificate. So the difference between a digital signature and a digital certificate is that anyone can create a digital signature and sign documents with it, but only entities registered with a certification authority can attach a digital certificate to a download.

What is a certificate authority (also certification authority or CA)?

As the phrase is commonly understood, a certificate authority is an organization that has been approved by the makers of operating systems, web browsers, and software (i.e. Microsoft, Adobe, Mac, Mozilla, Google, etc.) as an administrator of digital certificates. Certification authorities are trusted to verify the identity of software publishers and to manage a list of valid and expired or revoked digital certificates. They provide digital certificates for a fee and have the power to revoke certificates if it is found that the certificate holder is providing software that contains malicious code or otherwise operating contrary to its stated purpose.

However, any company with the technical resources can essentially make itself a certificate authority by creating its own certificate and using it to sign the digital certificates it approves, but if the company has not been added to an approved (or white) list by the kinds of companies listed above, any certificates that trace back to the self-appointed, un-verified CA will generate a warning message when users attempt to download or install the code with a digital certificate signed by the un-recognized certificate authority. So to put it simply, a developer would probably do just as well signing his own software as using an unknown CA.

What is a code signing certificate ?

A code signing certificate is a digital certificate, but to elaborate on that definition a little, a code signing certificate (also known as a software publisher's certificate) is a patch of information that is attached to a software download that provides information about the software provider (probably you) the signing authority (the company from which you purchased your certificate) and a hash or code that binds the download code to the name of your organization. So although this isn't how it works, imagine you assign a number 1-26, to each letter in the alphabet, with "A" being = 1, for the sake of simplicity. You could create a hash by taking the first 9 letters in the name of your organization and translating them into numeric values, (so organization ABCDEFGHI = 123,456,789) then creating a similar system for your software (so, for instance, take the numeric value of the exact size of the download in Kilobytes; maybe 23,457 K) and multiplying the two together. The product would be a code that binds your organization with the precise download you are providing, or a hash. If the size of the download changes, the product would change and there would be a mismatch between your assigned hash and the one that the user's browser expects to receive, generating a warning message. This affords users some assurance that the download is actually from you and that it hasn't been tampered with.

What is a software publisher certificate ?

As mentioned above, a software publisher's certificate is virtually the same thing as a code signing certificate or a digital certificate, and here I will use all of these terms interchangeably. Probably the reason that this phrasing isn't the convention is that not every type of code that can be signed falls completely into the category of "software."

What is anextended validation certificate ?

Extended validation certification works similarly to code signing certification, but in the case of extended validation the certification authority has assumed financial responsibility for the mis-administration of the extended validation certificate. In the event that a visitor to a web site or a user of code containing an EV certificate incurs damage from this visitation or usage, the user may pursue a claim against the issuer of the EV certificate itself.

Because the certificate authorities can themselves be held responsible for the actions of the certificate recipient, the authorities take special care to verify the identity and location of the EV certificate applicant. Extended Validation certificates are therefore more trusted and more easily accepted by browsers and software than standard code-signing certificates.

According to Extended Validation guidelines, the certificate authorities themselves are also subject to independent audit, which ensures that the certificates that they issue are traceable to a recognized and public source.

What is an X.509 certificate ?

X.509 is an industry standard for the format of certificates, so in general it can also mean the same thing as "code signing certificate," "software publisher certificate," and "digital certificate," however SSL certificates can also be in X.509 format, so to avoid confusion or ambiguity this phrasing will not be used here.

What is a public key certificate ?

Again, in general, a public key certificate is the same thing as a code signing certificate, a software publisher certificate, a digital certificate, and an X.509 certificate. To understand this terminology, it must be understood that of the two keys used to create a code signing certificate, one is public and one is private. A client or recipient verifies a certificate when, after realizing that a download is being attempted, her software communicates with the server on which the public key of the code publisher resides using the private key to re-perform the operation that created the certificate to begin with, thereby verifying that the two products are the same, signaling that the code and the "public key certificate" check out.

Note: "Public Key Certificate" is not a common phrasing and has probably gained popularity only as a result of its use on Wikipedia.

What is PKI ?

P.K.I. stands for Public Key Infrastructure. It is a system set up by a certificate authority that, in addition to the certificate administration processes outlined above, defines how clients' machines communicate with a server and confirm the validity of digital certificates.

The Federal PKI or FPKI is the PKI set up by the U.S. government, and sets standards that are adopted by many CAs for use in their own PKIs.

What is an SSL certificate ?

This question is typically where the confusion begins when authors write about code signing certificates. SSL is a security protocol that defines an encryption standard and it is used in the creation of digital certificates, so it is easy to assume that it would be sufficiently straightforward to call digital certificates SSL certificates.

But using this terminology, a developer will run into problems when he begins shopping for a digital certificate. Secure websites, or URLs that begin "https", are secured according to SSL standards, so when a certificate authority is selling an SSL certificate or an SSL cert as techies would say, it is selling a certification that a website's communication with users is secured using SSL. So an SSL cert would be purchased and displayed by a web site owner to inform visitors that any information they transact will be encrypted and secured, whereas a digital certificate applies to programs, applications, plug-ins, software, etc., that a user downloads.

How do I know if I should use a Sun Java cerfificate, a Microsoft Authenticode certificate, a Microsoft Office and VBA certificate, or an Adobe AIR certificate ?

As you can probably guess, Sun Java certificates are used to sign java-based applications and applets (.jar files).

Microsoft Authenticode is for Active-X controls, plug-ins, and generally files with the extensions .cab, .cat, .ctl, .ocx, .exe, and .dll.

The Adobe Air certificate is used to sign Adobe Ajax and flex files – extensions .air and .airi.

The Microsoft Office and VBA certificate is used to sign Microsoft Office macros and Visual Basic applications.

And the Mac signing certificate is used to sign applications, plug-ins, and content for Mac OS X computers.

Certificate Authority price list and links

Certificate Authority Price for a Microsoft Authenticode Digital Certificate for one year Notes
Affirmtrust potentially free  It has been written elsewhere that Affirmtrust will offer free code signing certificates, but their web site mentions only free SSL certs and even these are not yet available.
Cisco Systems no published rate
Comodo $166
DigiCert $178
GoDaddy $199
Federal PKI no published rate
IdentTrust $99
K Software $99 Not a verified CA
Network Solutions SSL certs only
Symantec $499 Owns Verisign
Thawte $299
TrustWave $329
Verisign $499 Now owned by Symantec
Verizon Business $349

What do I need to obtain a code signing certificate?

For a corporation: You'll need to know what kind of download you are providing (or the file extension) and your signer identification information. You may also need a D-U-N-S number to provide the certification authority with verification that your organization is still in existence. And you'll need to pledge that the software you are distributing is safe.

For an individual: You'll need your name and address and supporting materials to confirm your identity and stated purpose. And as with the commercial certificate, you'll need to pledge that the software you are distributing is safe.

What steps are involved in obtaining a code signing certificate?

For both corporations and individuals, the process of obtaining the certificate will probably begin with a payment followed by the submission of a Certificate Signing Request (CSR). As part of the request, you will be asked to complete a series of entries (probably the name of your business and your location including city, state, and country). During this process, a pair of keys will be generated and encrypted to create the certificate that will later be used to authenticate your download. You may also find software to generate and encrypt these keys on your own, and for some kinds of certificates this may be required.

Different signing authorities and file types will require different software and procedures to complete the steps required to create the CSR. Find instructions specific to your certificate and signing authority and follow them carefully. (note: in most cases CAs have automated and streamlined this process, and the steps involved will be fairly straightforward and simple.

Cisco's help resources state that the product of the CSR generated using their wireless control system looks like this:


Depending on the CA, this may need to be copied and pasted into a text editor like notepad and submitted through the CA's enrollment tool, or the submission may be automated. The signing authority will then send you your certificate via email.

What happens if I don't have a code signing certificate?

That depends, but probably at the very least anyone who downloads your program will see a warning message stating that the publisher could not be verified and that the file may contain malicious code. In some cases the download can even be blocked automatically. In others the users will elect to abort the download.

By Joel Acheson