Code Signing

What is code signing?

Code signing is the process by which software developers digitally sign their code to ensure the authenticity and integrity of the software. A cryptographic certificate is used to ensure that the code has not been altered and actually originates from the specified developer. This protects against manipulation, for example through malware injections, and strengthens users’ trust in the software. Without code signing, companies run the risk of cybercriminals distributing software with malicious code that appears legitimate without being noticed. This is particularly critical at a time when supply chain attacks are on the rise.

How does code signing work?

Code signing is based on asymmetric cryptography. The developer signs the code with a private key that is linked to a code signing certificate. The digital signature is distributed together with the code. The user (or the operating system) verifies the signature with the public key from the certificate to ensure that:

  1. The code is unchanged (integrity).
  2. The code originates from the specified publisher (authenticity).

Operating systems such as Windows or macOS block unsigned code or display security warnings. These mechanisms are crucial for companies to protect users from malware.

What is a code signing certificate and how do I obtain one?

A code signing certificate is a digital certificate issued by a trusted certification authority (CA). It confirms the identity of the issuer and is used to create the digital signature.

Steps to apply for a code signing certificate:

  1. Selection of a trustworthy CA (e.g. DigiCert, Sectigo).
  2. Submission of an application, including identity check of the company.
  3. Receipt of the certificate and integration into the development environment.

The CAs differentiate between standard and EV code signing certificates. Extended Validation (EV) requires stricter checks, but offers greater trustworthiness.

What are the risks of unsigned code?

Unsigned code harbors several risks:

  • Malware infection: Attackers can disguise malware as legitimate applications.
  • Manipulation: Without a signature, the code can be easily modified, e.g. by inserting spyware.
  • Loss of trust: Users and operating systems classify unsigned code as unsafe, which leads to warning messages and blocked installations.

For companies, this means a potential loss of image, legal consequences and increased opportunities for attacks.

How do you recognize whether software is securely signed?

Securely signed software can be verified by the following steps:

  1. Check digital signature: Right-click on the file → Properties → Digital signatures.
  2. Verify the publisher: The name of the publisher should match a trustworthy company.
  3. View certificate details: Is the certificate valid, unexpired or revoked?

The software should not be installed if there are any uncertainties. In a corporate environment, security solutions can be used for automated testing.

What are the differences between Standard and Extended Validation (EV) Code Signing certificates?

Criterion Standard Certificate EV certificate
Validation level Basic audit Strict company audit
Protection against misuse Low High (hardware token required)
Trustworthiness Lower Higher (no SmartScreen warnings)

EV certificates are particularly recommended for companies that deliver software to a broad target group or are frequently affected by security warnings.

How does code signing protect against malware and cyber attacks?

Code signing prevents software from being manipulated unnoticed. Malware cannot be inserted undetected into signed code without invalidating the digital signature. Operating systems also block unknown or unsigned code, making it difficult for attackers to deliver malware. In cybersecurity, code signing is an important part of supply chain security as it prevents attacks such as the manipulation of software updates.

What does a code signing certificate cost and which providers are the best?

The costs for a code signing certificate vary:

  • Standard certificates: From approx. 100 € per year.
  • EV certificates: From approx. 300 € per year.

Top provider:

  • DigiCert
  • Sectigo
  • GlobalSign

In addition to price, the choice of provider should also depend on reputation and additional security features. EV certificates are more expensive, but offer higher security guarantees.

Can a code signing certificate expire or be revoked?

Yes, a code signing certificate has a limited validity (usually 1-3 years) and must then be renewed. It can also be revoked prematurely, e.g. in the event of a security incident or compromise of the private key. Expired certificates invalidate the digital signature. Companies should therefore renew in good time and ensure that old versions of their software remain verifiable (e.g. by timestamping).

What are best practices for secure code signing?

  1. Protect private keys: Never store private keys on insecure systems. Use hardware security modules (HSMs) or USB tokens.
  2. Use timestamping: This means that the signature remains valid even after the certificate expires.
  3. Restrict access rights: Only authorized employees should have access to signature keys.
  4. Regular certificate renewal: Prevents expired signatures.
  5. Prefer EV certificates: Offers additional security benefits and increased trust.

By adhering to these measures, companies minimize risks and maximize the trustworthiness of their software.

Zurück zur Übersicht des Glossars

Back to the glossary overview
AlleThe basics of cyber security

The basics of cyber security

CYBER DEFENSE.

MADE IN GERMANY.

Our portfolio
About SECUINFRA

©2025 SECUINFRA GmbH. All rights reserved.

Cookie Consent with Real Cookie Banner