Question: What is a code signing certificate?
Answer: A code signing cert is an X509 certificate specifically used to sign code, software, executables, and scripts. Unlike an SSL Certificate used to protect data transmitted to and from a server which also identifies a server, and also unlike a user certificate that may be used to sign and encrypt email and files, certificates for code signing are used to sign code to ensure that code is secure and delivered untouched by its original author. The signature provided by the code signing cert ensures the code or software is legitimate and safe to use. For example, your organization may sign and deliver a software package that they may sign to make sure you know it was delivered by them. In essence, the certificate verifies the developer’s identity and verifies the code is the same as it was when signed by the developer.
To sum up the definition, code signing simply increases confidence and trust in software.
If you already have a code signing cert and need to view the certificate details, use our Certificate Decoder.
Code Signing Certificate EV (Extended Validation)
EV, or Extended Validation, offers the same benefits as a standard certificate but with additional assurance. With EV a tougher vetting process is involved in addition to stricter requirements for hardware. The certificate and corresponding private key may live on a USB device or even a hardware security module. In addition, an EV code signing cert is trusted by the Microsoft Defender SmartScreen. Take note that a standard OV (Organization Validated) or IV (Individual Validated) code signing cert is not enough to be trusted by Microsoft SmartScreen, it must be EV.
Code Signing Certificate Free
Unfortunately, certificates for code signing are not offered for free by any publicly trusted Certificate Authorities (CAs). Compliance is expensive so it is currently not feasible to issue X509 certificates for code signing for free.
Code Signing Certificate Cheap
Cheap code signing certs are offered by several CAs, reviewed below. Certificates for Code Signing can be bought here. To get a certificate for code signing just follow the request process for each CA. If you need help generating a CSR, read our instructions here.
In summary, you create a CSR to be sent to the CA that will then sign the certificate and issue it to you. The CA should be publicly trusted so that your Operating System trusts the certificate. If you sign and distribute malicious software, your reputation will take a hit and possibly face legal issues.
Code Signing Certificate Comodo
Thawte
Thawte Code Signing Certificate for Java and other languages.
The best code signing certificate is at your own personal discretion. Security is many times the same, especially from a reputable company. The warranty and guarantees are many times the discriminator.
Code Signing on different Operating Systems (OS)
The installation and purposes for code signing differs depending on your operating system and platform.
Code Signing Certificate Windows
Windows allows you to sign your code with any certificate by a publicly trusted CA to be used in your partner account. Windows software is generally the most common to be code signed.
Code Signing Certificate Apple
Before deploying an app to the Apple App Store, the app must be digitally signed. As with Android, this is done not with a publicly trusted code signing cert but with a key pair managed specifically for Apple.
Code Signing Android
Before deploying an app to the Google Play Store, the app must be digitally signed. As with Apple, this is done not with a publicly trusted code signing cert but with a key pair managed specifically for Google.
Code Signing Certificate Java
Java software can be signed with a code signing cert. This certificate may be any code signing cert obtained from a publicly trusted CA. Signing Java code is useful when distributing client applications to multiple clients rather than a single java archive (.jar or .war) on a web server.
Code Signing Examples
How to sign a java jar with jarsigner:
A jar file can be signed with the jarsigner utility, included in your java installation. The private key and corresponding certificate should be in a java keystore. In this example we will be using a PKCS12 keystore. To sign a java jar file with jarsigner, run the following command:
jarsigner <to-be-signed.jar> -keystore <codesign.p12> -sigfile <signed> -signedjar <signed.jar> -tsa <http://timestamp.sectigo.com> <your_private_key_alias>Where jarsigner <to-be-signed.jar> is the leading command and filename of the unsigned jar, -keystore <codesign.p12> is the keystore containing the private key and certificate used to sign the jar file, -sigfile <signed> is the base name for the .SF and .DSA files that will be included in your manifest in the signed jar file, -signedjar <signed.jar> is the name of the signed jar file, -tsa <http://timestamp.sectigo.com> is the url of the Time Stamping Authority (TSA) in this case Sectigo but will be from the issuer of the certificate you are using, and <your_private_key_alias> is the alias in the already specified Keystore of the private key being used to sign the jar file.
How to verify a signature on a java jar file with jarsigner:
To verify a signed jar file signature with jarsigner, run the following command:
jarsigner -verify -verbose -keystore <codesign.p12> signed.jarWhere jarsigner -verify -verbose is the leading command to verify the signature with verbose output, -keystore <codesign.p12> is the keystore containing the certificate used to verify the signature, and signed.jar is the signed jar file being verified.
Conclusion
Let us know in the comments if you have any questions not answered here or if you would like to see more examples on the installation and use of code signing.
Leave a Reply