Code Signing for Programmers

It has been several years since Microsoft released Windows XP SP2, yet still only a small minority of software publishers digitally sign their products to enable Windows to verify the identity of the publisher. When someone downloads software that has not been signed, the web browser displays a message that the publisher could not be verified and the application may not be trusted.

Developers are relying on users having the habit of dismissing all such warnings with "OK". But this may be a false assumption as people become more security conscious. A software publishing certificate (or http://www.tech-pro.net/code-signing-certificate.html) may seem an undesirable expense but you only need to make a few extra sales per year to justify it.

Code Signing Certificate

Code signing, or Authenticode, to use the name of Microsoft’s implementation of it, is a technology based on standard cryptographic techniques. In a nutshell, two keys are generated. When one key is used to encrypt information, the other must be used to decrypt it. The encrypting key is kept private, and is known as the private key. The decrypting key can be made public.

When a program or file is signed, the signing software generates a one-way hash of the file contents. This is a large numerical value that is for practical purposes unique to the file that generated it. This value is then encrypted using the private key and stored, together with the public key, in the file’s digital certificate. When someone opens the file, their computer also generates a hash of the contents. At the same time, it decrypts the encrypted hash using the public key, and compares the results. If they are identical, the signature is valid and the file has not been modified since the signature was added.

Verifying integrity

Digital signatures provide the ability to prove the integrity of a file. In the case of software, they can show that a file has not been infected by a virus since it was created. It would, of course, be possible for a malicious individual to infect a program with a virus and then sign it. Therefore an important additional function of Authenticode digital signing is that it can also verify who the software publisher is, and that it is a publisher that can be trusted.

To do this, digital signatures are counter-signed by a trusted certification authority, whose job it is to verify the integrity of the companies and individuals who apply for code signing certificates before they are issued. Windows will only trust certificates signed by one of three certification authorities: Verisign, Thawte and Comodo.

When you buy a code signing certificate, you are asked to provide documentary proof that you are who your certificate will show you to be. This will prevent miscreants from distributing software that claims to be from Microsoft or any other reputable company.

Establishing trust

The manual checking needed to verify the identity of applicants is the reason why code signing certificates seem expensive. However, the cost is really a small price to pay for a measure that helps establish trust between you and your customers, and which will encourage more potential buyers to install your free trial products with confidence.

Comments? Questions? Email Here

© HowtoAdvice.com

How to Advice .com