The Digital Equivalent of a Tamper-Proof Seal
Entrust Code Signing Certificates allow users to authenticate the source and verify the content integrity of code that is downloaded from the Internet. These certificates provide assurance that customers are installing code or applications as the developer intended.
What is Code Signing?
Code signing is the process of digitally signing executables and scripts to confirm the identity of the software author and guarantee that the code has not been altered or corrupted since it was signed.
In order to sign the code, a software publisher needs to generate a private-public key pair and submit the public key to a certification authority (CA), along with a request to issue a code signing certificate. The CA verifies the identity of the publisher and authenticates the publisher’s digitally-signed certificate request. If this vetting and key-verification process is successful, the CA bundles the identity of the publisher with the public key and signs the bundle, creating a code signing certificate.
How Does Code Signing Work?
While software purchased from a retail store is considered to be relatively safe, programs downloaded from the Internet are often treated with suspicion because of the widespread proliferation of viruses and malware. Entrust Code Signing Certificates are used by software developers to digitally sign programs and to prove that it has not been altered or compromised by a third party.
Entrust Code Signing Certificates use a unique cryptographic hash to bind the identity of the publisher to the software. Code Signing proves the signed software is legitimate, comes from a known software vendor, and that the code has not been tampered with since being published. Code Signing prevents users from abandoning the installation of an application due to security warning messages, malicious alternation of legitimate code, and identity theft of vendor author.
What Types of Code Need to Be Signed?
- Device drivers
- Enterprise applications
- OEM software
- Operating systems
- Packaged software
- Utility software
- Web application
Entrust Code Signing Certificates also:
- Establish trust which prevents customers from seeing annoying trust dialogs when installing software
- Provide convenient expiry notifications lessen risk of inadvertent certificate expiration
- Give application users assurance they can download software from the Internet
- Provide flexible support options tailored to your needs
- Prevent unverified software from being installed on corporate desktops
- Establish a relationship of trust with your customers
EV Code Signing certificates
EV code signing certificates provide the same benefits of standard code signing certificates, but also bring additional benefits. EV code signing certificates have two distinct advantages over the common issuance and management of code signing certificates. First, the EV verification process of the identity and authorization of the publisher must be completed in accordance with the CA/Browser Forum EV Code Signing Guidelines. Second, the private keys to the certificates must be managed in hardware meeting the requirements of FIPS 140 Level 2 or equivalent.
The upside of EV code signing certificates is users know who the publisher is and reasonable protection has been provided to the private key to mitigate unauthorized signing. Since EV code signing certificates are more trusted, this allows developers of verification products to raise the reputation level of the publisher or the signed code. Moving forward, if an application is signed with an EV Code Signing Certificate and contains no malware, Internet Explorer 9 (IE9) through the SmartScreen Filter will grant that application immediate reputation, and allow a user’s download to avoids SmartScreen filter warnings.
Additional Benefits & Features
Entrust Code Signing Certificate Featuress
- SHA-1 or SHA-2 signing capabilities
- Organization name validated using Extended Validation techniques — customers installing your software will see that it is provided by a trusted vendor
- Expiry notifications
- Easily purchase by speaking with an Entrust representative
- WebTrust Accredited certification authority (CA)
- Available in 1-, 2- or 3-year terms
- Digitally certify and sign Authenticode (most Microsoft® Windows® platforms), Java, Microsoft® Office® macros and Visual Basic script
- Packages applications and macros for online software distribution
- Time-stamping indicates when code was signed and extended trust period for code
- Integrates with most third-party development tools for easy signing
Entrust Code Signing Certificate Benefits
- Established browser trust prevents customers from seeing annoying trust dialogs when installing software
- Convenient expiry notifications lessen risk of inadvertent certificate expiration
- Gives users of applications assurance they can download software from the Internet
- Provides flexible support options tailored to your needs
- Prevents unverified software from being installed on corporate desktops
- Establishes a relationship of trust with your customers
Code Signing Certificate Comparison Chart
|EV Code Signing|
|Platform Support (Authenticode, Office Macros and VBA, Java, Adobe AIR)|
|Support Windows Kernel Mode Signing||Vista, Windows 7, 8 and 8.1||Vista, Windows 7, 8, 8.1 and 10|
|Hardware Private Key Protection||Customer choice||Mandatory|
|Immediate Application Reputation|
|Information Display in Certificate||Organization|
Type of Organization
|Removes “unknown publisher” security warnings|
|Unlimited Number of Signatures|
|Certificate Signature Hash Algorithm||SHA-1 or SHA-2||SHA-2|
|Validity Period of one, two or three years|