Code signing is the process in which digital certificates are used to sign software applications for secure delivery.
A digitally signed software with a certificate issued by a reputable public certification authority allows the developers to ensure their users that the software they want to install is developed by a known and trusted developer.
Code signing is particularly useful for software distributed over the Internet, where there are many possibilities to modify applications for harmful third parties to enforce malware or viruses or legitimate software vendors.
By signing the code digitally, developers can also stop users from clicking on operating system warning messages or changing default security settings while installing the software.
Table of Contents
Why should I sign my code?
Customers who are going to install the software need assurance: they wanted to know who the developer of the software is and whether the software they are installing is secure or not.
Signing code allows the users to be completely comfortable when they are using your software online.
When the code signing certificate expires?
Code signature certificates are valid for a period of one to three years.
Is there any limit on the number of applications that can be signed with a code signing certificate?
No. You can sign all the applications you need with a code signature certificate, as long as the application is distributed by the organization for which the certificate was issued.
Main challenge with it is to safeguard the private signing key linked with the signing certificate. The certificate loses its credibility if a key is compromised, endanger the programme that you have already signed.
Follow these best practices of code signing:
Reduce the access to private keys.
Limit the number of the connections to the computers that have keys.
Limit the number of users who have key access.
In order to minimize the access to keys use physical security controls.
Time-stamping permit the code to be authenticated after the revocation of the certificate.
Time-stamp certificates can be granted for a period of up to 11 years.
Verification of code.
Verification of code is necessary before signing or issuing any code.
To avoid the signature of an unauthorised or harmful code, enforce a signing submission and approval process.
In order to review or incident-response purposes, log all its practices.
Virus scan code before signing.
The signing of the code does not guarantee the protection of the code; it ensures the publisher whether the code has been updated or not.
Be aware while integrating code from other sources.
Know the distinction between test-signing and release-signing.
Test-signing private keys and certificates involve less security access controls than release signing private keys and certificates.
Certificates for test-signing may be self-signed or emerge via internal CA test.
Test certificates should be linked to a root certificate that is completely separate from the root certificate that is used for signing publicly released products; this measure guaranteed that test certificates are only trusted in the expected test environment.
In order to test-sign pre-release builds of software, set up a separate test signing infrastructure.