Discover our products
KONNEKTKONNEKTRADIUSaaSRADIUSaaSRealmJoinRealmJoinUnified ContactsUnified ContactsTerraProviderTerraProvider
Start now
Discover our products
KONNEKT
Work with your local office 365 data
RADIUSaaS
Authentication for your network
RealmJoin
Cloudbased Software distribution
Unified Contacts
Find contacts in Microsoft Teams
TerraProvider
Terraform Provider for Microsoft 365

Sign your code

What is Code Signing?

Code signing is a security technology that allows software developers and organizations to digitally sign their executables, scripts, and software libraries to confirm the author's identity and ensure that the code has not been altered or tampered with after it was signed. This process is facilitated by the use of digital certificates issued by Certificate Authorities (CAs) like SCEPman.


Why would I sign my code?


Companies use code signing for several key reasons, each aimed at enhancing the security, integrity, and trustworthiness of their software applications and updates. Here are the primary reasons for using code signing:

Authenticity: Code signing helps to verify the identity of the software publisher. When software is signed with a digital signature, users can be confident that the software they download or install comes from the claimed source or author and not from an impersonator or malicious actor.

Integrity: A digital signature ensures that the code has not been altered or tampered with since it was signed. If the software were modified in any way after signing, the digital signature would become invalid, alerting users that the integrity of the software may be compromised.

Trust: Code signing builds trust among users. Operating systems and web browsers often present warnings or block unsigned code to protect users from potentially harmful software. Signed software typically bypasses these warnings, providing users with a smoother installation experience and confidence in the software's safety.

Security: By ensuring the authenticity and integrity of the code, code signing helps in preventing the distribution of malware, spyware, or other malicious software. This is crucial for maintaining the security of users' systems and data.

Compliance: Certain regulatory or industry standards may require code signing as part of compliance with security policies.

Gatekeeping: Modern operating systems and browsers use code signing as a gatekeeping mechanism to ensure that only trusted, verified software can be installed and run. This helps in creating a safer ecosystem for both developers and users by reducing the risk of malware infections.


How does Code Signing work?


Digital Signature Creation: When a developer or organization is ready to release software, they use a code signing certificate to create a digital signature. This certificate contains a public key and a private key. The private key is used to encrypt the hash of the software, creating the digital signature.

Hashing: A hash function is applied to the software's code to produce a unique hash value (digest). This hash value represents the contents of the code. If even a single bit of the code changes, the hash value will also change, making it an effective way to detect alterations.

Encryption: The hash is then encrypted with the signer's private key. This encrypted hash, along with information about the hashing algorithm, forms the digital signature. The digital signature is then attached to the software.

Verification: When users download or install the signed software, their system (or software installation process) decrypts the digital signature using the public key (which is made available through the digital certificate). The system then hashes the software again and compares this hash to the decrypted hash. If they match, it confirms that the software has not been modified since it was signed.

Trust Chain: The digital certificate used in signing is issued by a Certificate Authority (CA) like SCEPman that the operating system or application trusts. The certificate includes the publisher's information and the public key. When the signature is verified, if the certificate is trusted (i.e., issued by a recognized CA), the software is considered authentic.


How can SCEPman help to sign your code?


SCEPman is equipped to issue code signing certificates, enabling developers and organizations to ensure the integrity and authenticity of their software.

Extended Key Usage "Code Signing": SCEPman supports the Extended Key Usage (EKU) attribute for "Code Signing." This ensures that certificates issued by SCEPman are optimized for the purpose of signing software and applications, aligning with industry standards and security practices.

Multiple Key Length Options: To accommodate varying security requirements and preferences, SCEPman offers multiple key length options for certificates. This flexibility allows you to choose the appropriate level of security for your certificates, balancing the needs for strong encryption with the performance implications of longer keys.

Support for PKCS#12 and PEM Formats: Understanding the diverse ecosystem of software development and deployment, SCEPman supports certificates in both PKCS#12 and PEM file formats. This compatibility ensures that SCEPman-issued certificates can be easily integrated into a wide range of environments and platforms, facilitating seamless deployment and management of signed code.