Code Signing 101

Code signing does two things: it confirms who the author of the software is and proves that the code has not been altered or tampered with after it was signed. Both are extremely important for building trust from customers and safely distributing your software.

Why Does Code Signing Matter?

556 million adults worldwide experienced some form of cybercrime in 2012, according to the Symantec Internet Threat Security Report. When you consider that the average loss per cybercrime incident is $197, it’s no wonder people are extremely careful when it comes to downloading executable files from the internet.

 

That said, it’s worth doing whatever it takes to gain their trust: online distribution means you can distribute software updates faster, you broaden your potential customer base, and you can considerably cut costs since there is no postage and no discs or packaging to manufacture. Providing verifiable proof that you, as the author of the code, are who you say you are and that your code is in no way corrupted or malicious is therefore a no-brainer. In fact, many third-party publishers and mobile network providers now insist upon code signing to protect their users.

So, How Does Code Signing Work?

The process for code signing is similar to that used for SSL/TLS certificates, where a pair of cryptographic keys is used, one public and one private, to identify and authenticate both you and your code. The best and safest way to obtain a private key is by applying for a certificate from a trusted certificate authority (CA), such as Symantec, who will take you through an authentication process. Once you have your certificate, you can then generate your private key. Your choice of CA is important as it can affect how far you are able to distribute your software. Symantec, for example, provides certificates for a wide range of desktop and mobile platforms, including Windows Phone and Android.

 

You then sign your executable file or software library using this private key. The resulting signature can only be verified with public keys that are traceable to the CA, and which are preinstalled on most browsers. If the code has been tampered with after signing, the public key will no longer verify your signature and the browser will flash up a warning to anyone trying to download it. If the code has remained intact, your file will be delivered and downloaded seamlessly. It’s as simple as that.
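The sign-then-verify flow described above, as an added example using the OpenSSL command line (not Symantec's tooling). The file names and publisher name are constructed, and a self-signed certificate stands in for a CA-issued one, so the chain-to-CA check that a browser or operating system also performs is not shown.

```shell
#!/usr/bin/env bash
# Added illustration: detached signature over a file, verified with the
# public key taken from the publisher's certificate.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Assumption: self-signed certificate as a stand-in for one issued by a CA.
make_publisher() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Publisher (constructed)" \
    -keyout "$WORK/publisher.key" -out "$WORK/publisher.crt" 2>/dev/null
}

# Sign: hash the file with SHA-256 and sign the digest with the private key.
sign_file() {
  openssl dgst -sha256 -sign "$WORK/publisher.key" -out "$1.sig" "$1"
}

# Identity: the certificate subject tells the user who signed the file.
signer_name() {
  openssl x509 -in "$WORK/publisher.crt" -noout -subject
}

# Verify: returns 0 only if the signature matches the file's current bytes.
verify_file() {
  openssl x509 -in "$WORK/publisher.crt" -pubkey -noout > "$WORK/publisher.pub" &&
    openssl dgst -sha256 -verify "$WORK/publisher.pub" \
      -signature "$1.sig" "$1" >/dev/null 2>&1
}

report() {
  if verify_file "$1"; then echo "$2: signature valid"; else echo "$2: signature INVALID"; fi
}

# Demo on a constructed "release" file.
make_publisher
printf 'constructed release build 1.0\n' > "$WORK/demo.bin"
sign_file "$WORK/demo.bin"
signer_name
report "$WORK/demo.bin" "as shipped"

# A single appended byte after signing is enough to break verification.
printf 'x' >> "$WORK/demo.bin"
report "$WORK/demo.bin" "after tampering"
```

A real verifier would additionally validate the certificate chain up to a trusted root and check the certificate's validity period before trusting the signer name.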

What's Code Signing?

Code signing is a digital signature added to software and applications that verifies that the included code has not been tampered with after it was signed.

SHA 256 Support

Secure Hash Algorithm (SHA) 256 Support is available for Symantec Code Signing Certificates.

Code Signing: Why Sign

5 Reasons Why You Should Sign Your Code with Symantec Code Signing.

How Code Signing Works

Symantec helps you deliver your apps and code to more customers on more platforms than any other provider. More developers and publishers rely on Symantec, the most recognized and trusted Certificate Authority (CA) worldwide, than any other CA.
