The Problem: How Do Users Know Your Software Is Safe?
When a user downloads software from the internet, they face a fundamental question: Can I trust this file? Has it been tampered with in transit? Does it genuinely come from the developer it claims to come from? Without a mechanism for verification, users have no reliable way to answer these questions — and attackers know it.
Code signing solves this problem by allowing developers to digitally sign their software using a cryptographic certificate, giving users and operating systems a way to verify the software's origin and integrity.
How Code Signing Works
The process relies on asymmetric cryptography — the same underlying technology used in SSL/TLS certificates:
- The developer obtains a code signing certificate from a trusted Certificate Authority (CA).
- Before distributing the software, the developer uses their private key to generate a cryptographic hash of the file and encrypt it, creating a digital signature.
- The signature is embedded into or attached to the software package along with the developer's certificate.
- When a user installs or runs the software, the OS uses the developer's public key (from the certificate) to verify the signature.
- If the signature is valid and the certificate chains to a trusted CA, the OS confirms the software is unmodified and from the stated publisher.
What Happens Without Code Signing?
On modern operating systems, unsigned software triggers warnings:
- Windows shows a SmartScreen warning saying "Windows protected your PC" and warns that the publisher is unknown.
- macOS Gatekeeper will block unsigned apps from opening by default, requiring users to override security settings manually.
- Browser-based downloads may flag unsigned executables as potentially dangerous.
These warnings erode user confidence and can significantly hurt download conversion rates, especially for independent developers and small software companies.
Types of Code Signing Certificates
| Type | Validation Level | SmartScreen Reputation |
|---|---|---|
| Standard (OV) | Organization verified | Builds reputation over time |
| Extended Validation (EV) | Thorough org verification | Immediate SmartScreen reputation |
EV code signing certificates are particularly valuable for Windows software distribution because they come with an immediate positive SmartScreen reputation — skipping the period of warnings that new OV-signed software experiences.
Timestamping: Keeping Signatures Valid Long-Term
A critical but often overlooked aspect of code signing is timestamping. When you sign software, you should always apply a timestamp from a trusted Timestamping Authority (TSA). Here's why:
Code signing certificates expire (typically after 1–3 years). Without a timestamp, your signed software will be considered untrusted once the certificate expires — even if it was perfectly valid when signed. A timestamp proves the signature was applied while the certificate was valid, extending trust indefinitely.
Who Needs Code Signing?
- Desktop application developers distributing
.exe,.msi,.dmg, or.pkgfiles - Developers publishing browser extensions or plugins
- Organizations distributing scripts, macros, or PowerShell modules
- Device driver and firmware developers
- Mobile app developers (app store signing is a separate but related concept)
Getting Started with Code Signing
To obtain a code signing certificate, you'll need to go through an identity verification process with a CA. For OV certificates, this typically involves verifying your organization's legal existence. For EV, the process is more thorough but results in stronger trust signals. Reputable providers include DigiCert, Sectigo, and GlobalSign.