EmailSharePrint

How Code Signing Works

A Code Signing Certificate generates a digital signature that provides authentication of the code source and assurance of code integrity. Increasingly, operating systems, software applications, devices, and mobile networks require a digital signature to ensure that the code will not harm or interrupt services.

How Code Signing Certificates Work

With a VeriSign® Code Signing Certificate, the developer signs all code with the same digital signature using public key cryptography.

  1. A developer or software publisher uses a Code Signing Certificate to add a digital signature to code or content using a unique private key.
  2. The developer logs in to the VeriSign Code Signing Portal and uploads the application.
  3. When a user downloads or encounters the code, the user’s system software or application uses a public key to decrypt the signature.
  4. By comparing the hash used to sign the application against the hash on the downloaded application, the system determines whether to warn the end user, not allow the download, or allow the download without interruption (depending on the platform, application, and client security settings).

Different software platforms have different requirements and different tools for signing code. VeriSign offers Code Signing Certificates for:

How Code Signing Portal Works

A VeriSign® Code Signing Portal uses public key cryptography in a two-step signing process to create a unique digital signature each time code is signed, making each version of code released easier to track and manage.

  1. The developer uses a Publisher ID to sign code locally.
  2. The developer logs in to the VeriSign Signing Portal and uploads the application.
  3. VeriSign validates the publisher signature, then strips off the publisher’s digital signature and generates a new key pair, signs the content, and sends it back to the publisher with the newly generated Content ID.
  4. The content is uploaded to a Web site or mobile network or otherwise made available for download.
  5. When a user downloads or encounters the code, the user’s system software or application uses a public key to decrypt the signature.

VeriSign Code Signing Portal is available for:

Root Certificates: Why Your CA Matters

When software decrypts the digital signature, it looks for a "root" certificate, the source of the identity information. A self-signed digital certificate means that you own your own root certificate and are vouching for your own identity, kind of like using a homemade photo ID. In most cases, your root certificate will not be available to third party software and devices, and a warning message will appear.

When you enroll for a digital certificate from a Certificate Authority (CA), the CA authenticates your identity and provides a certificate that is chained to its root certificate. If the software or device trusts the provider of your root certificate (CA), it trusts you.

Open File Security Warning screen

VeriSign is the most trusted security brand on the Internet (Tec-Ed Whitepaper, PDF, Oct. 2007) and we support more development platforms than any other code signing provider. VeriSign uses a robust and time-tested authentication and validation process, recognized worldwide. Before issuing a digital certificate with your full organizational name and your public key, VeriSign validates the existence of the organization with third party sources and your authority to request a certificate on the organization’s behalf.

Learn More
Need More Info?
Call 866-893-6565 or 650-426-5112 Submit an inquiry online.
Symantec wins Code Project's 2011 Members Choice Award for Authentication Tools
VeriSign® Code Signing Introduction. Learn how to instill confidence and trust in your customers.
Free E-Book - The Essential Series: Code Signing