EmailSharePrint

How Code Signing Works

A Code Signing Certificate generates a digital signature that provides authentication of the code source and assurance of code integrity. Increasingly, operating systems, software applications, devices and mobile networks require a digital signature to ensure that the code will not harm or interrupt services.

How Code Signing Certificates Work

With a Symantec Code Signing Certificate, the developer signs all code with the same digital signature using public key cryptography.

  1. A developer or software publisher uses a Code Signing Certificate to add a digital signature to code or content using a unique private key.
  2. The content is uploaded to a Web site or mobile network or otherwise made available for download.
  3. When a user downloads or encounters the code, the user’s system software or application uses a public key to decrypt the signature.
  4. By comparing the hash used to sign the application against the hash on the downloaded application, the system determines whether to warn the end user, not allow the download, or allow the download without interruption (depending on the platform, application and client security settings).

Different software platforms have different requirements and different tools for signing code. Symantec offers Code Signing Certificates for:

How Code Signing Portal Work

A Symantec Code Signing Account uses public key cryptography in a two-step signing process to create a unique digital signature each time code is signed, making each version of released code easier to track and manage.

  1. The developer uses a Publisher ID to sign code locally.
  2. The developer logs in to the Symantec Signing Account and uploads the application.
  3. VeriSign validates the publisher signature, then strips off the publisher’s digital signature and generates a new key pair, signs the content and sends it back to the publisher with the newly generated Content ID.
  4. The content is uploaded to a Web site or mobile network or otherwise made available for download.
  5. When a user downloads or encounters the code, the user’s system software or application uses a public key to decrypt the signature.

VeriSign Code Signing Portal is available for:

Root Certificates: Why Your CA Matters

When software decrypts the digital signature, it looks for a "root" certificate: the source of the identity information. A self-signed digital certificate means that you own your own root certificate and are vouching for your own identity: a bit like using a homemade photo ID. In most cases, your root certificate will not be available to third-party software and devices, and a warning message will appear.

When you enrol for a digital certificate from a Certificate Authority (CA), the CA authenticates your identity and provides a certificate that is chained to its root certificate. If the software or device trusts the provider of your root certificate (CA), it trusts you.

Open File Security Warning screen

Symantec is the most trusted security brand on the Internet (Tec-Ed Whitepaper, PDF, Oct 2007) and we support more development platforms than any other code signing provider. Symantec uses a robust and time-tested authentication and validation process, recognised worldwide. Before issuing a digital certificate with your full organisation name and your public key, Symantec validates the existence of the organisation with third-party sources and your authority to request a certificate on the organisation’s behalf.

Learn More
Need More Info?
Call +65 6622 1638 Request information online.
Symantec Code Signing Introduction. Learn how to instill confidence and trust in your customers.
Free E-Book - The Essential Series: Code Signing