Search
Table of Contents

What is Code Signing?

3 min. read
Explore Identity Security
Table of Contents

Code signing is a security process that uses digital signatures to verify the identity of a software author and guarantee that the code has not been altered or corrupted since it was signed. By using a cryptographic hash to bind an executable to a digital certificate, it establishes a chain of trust between developers and end users.

Key Points

  • Identity Verification: Confirms the legitimate origin of software through a validated digital certificate.

  • Data Integrity: Detects any unauthorized modifications made to the code after the signature was applied.

  • User Trust: Reduces security warnings and "Unknown Publisher" alerts during installation on major operating systems.

  • Non-Repudiation: Provides legal and technical proof of authorship that a developer cannot easily disown.

  • Malware Prevention: Helps security systems block unsigned or tampered files that often carry malicious payloads.
A detailed technical architectural diagram split into two vertical sections. The left section, 'SOFTWARE PUBLISHER (SIGNING PROCESS)', shows a flowchart starting from a developer workstation where unsigned code is generated. The right section, 'END USER (VERIFICATION PROCESS)', shows a user device receiving the signed software.
Figure 1: Two major phases of the code signing lifecycle.

 

Code Signing Explained

Software distribution across open networks exposes executables to various risks, including man-in-the-middle attacks and unauthorized injections. Code signing addresses these vulnerabilities by applying a digital seal to scripts, drivers, and applications. When a user downloads a signed file, the operating system examines the signature against a trusted Certificate Authority (CA).

This mechanism relies on Public Key Infrastructure (PKI) to manage the relationship between public and private keys. The developer uses a private key to sign the code, while the end user's system uses the corresponding public key to verify it. If a single bit of the original code changes, the hash no longer matches, signature verification fails, and the system blocks or warns against execution.

In modern cybersecurity architecture, signing is a prerequisite for visibility and control. Security leaders prioritize signed code to maintain compliance with frameworks like SOC 2 or HIPAA, which require strict validation of software provenance. As supply chain attacks increase, code signing serves as a critical checkpoint for ensuring that internal and third-party tools remain authentic.

 

Critical Benefits for Enterprise Security

Organizations must move beyond treating code signing as an optional step and instead integrate it as a mandatory enforcement policy within the CI/CD pipeline. Unsigned software introduces blind spots that threat actors exploit to gain persistence within a network.

Eliminating Operating System Friction

Operating systems like Windows and macOS use built-in security features to discourage the execution of unverified files. When software lacks a valid signature, users encounter aggressive "SmartScreen" warnings or "Unknown Publisher" alerts. Signed code bypasses these hurdles, ensuring a professional user experience and higher adoption rates for internal and external tools.

Hardening Software Supply Chain Integrity

The software supply chain has become a primary target for sophisticated adversaries seeking to inject malicious code into trusted updates. Code signing acts as a physical seal for digital goods. If an attacker modifies a signed library or executable, the signature breaks immediately, alerting security teams to a potential breach before the software is deployed.

Establishing Legal Non-Repudiation

Non-repudiation ensures that a software author cannot deny their association with a specific piece of code. This is vital for forensic investigations and compliance audits. By maintaining a clear record of who signed what and when, enterprises can quickly trace the origin of a configuration change or a new internal application.

 

The Technical Mechanism: How Code Signing Works

Code signing utilizes asymmetric cryptography to create a unique digital fingerprint for a file. This process ensures that the software delivered to the end user is bit-for-bit identical to the version the developer released.

Generating the Cryptographic Hash

The process begins by running the software's source code or executable through a hashing algorithm, such as SHA-256. This creates a fixed-length string of characters called a hash. Even a minor change to the code, like adding a single space, results in a completely different hash value.

The Role of the Private Key

The developer uses a private key to sign the hash, producing a digital signature that can be verified with a corresponding public key. This encrypted hash is the digital signature. It is then bundled with the software and the developer’s public key certificate.

The Verification Loop

When the user attempts to run the software, the operating system performs a dual-step check. First, it verifies the digital signature using the developer’s public key to recover the original hash. Second, it calculates a new hash of the downloaded file. If the two hashes match, the software is verified as authentic.

 

The Necessity of Trusted Timestamping

Digital certificates eventually expire, but software often needs to remain valid for years. Timestamping adds a verifiable date and time to the signature. This proves the code was signed while the certificate was still valid, allowing the operating system to trust the file even after the certificate’s expiration date has passed.

 

Standard vs. EV Code Signing Certificates

Choosing the correct certificate type depends on the required level of trust and the sensitivity of the software being distributed.

Feature Unsecured Port Secured Port (TLS/SSL)
Identity Verification Verifies organization exists Rigorous background check and identity proofing
Key Storage Software-based (Less secure) Hardware-based (HSM or USB Token)
SmartScreen Reputation Built over time through downloads Built over time through downloads (Microsoft discontinued instant EV reputation in 2023)
Drivers Not accepted for kernel-mode driver submission Required to submit drivers to Microsoft’s Hardware Developer Center for Windows 10/11

Standard Validation (OV)

Organization Validation (OV) certificates verify that the signing organization exists and is legitimate. They are suitable for most commercial and internal software distribution. Private keys for OV certificates are often stored in software, which increases exposure risk if a developer's workstation is compromised.

Extended Validation (EV)

EV certificates provide the highest level of assurance. They require hardware-based key storage, usually on a FIPS-compliant device, which prevents the private key from being copied or exported. For enterprise leaders, EV is the standard for protecting high-value customer-facing applications.

 

Addressing Vulnerabilities in the Signing Process

While code signing is a powerful security control, it is not infallible. Attackers frequently target the signing infrastructure itself to give their malware a veneer of legitimacy.

Key Theft and Improper Storage

The most significant risk in code signing is the compromise of the private key. If a developer stores a private key on a local drive without a password, an attacker who gains access to that machine can sign malware as if they were the legitimate company.

Malware Signing

Threat actors often use stolen or fraudulently obtained certificates to sign malicious payloads. Signed malware is much less likely to be flagged by legacy antivirus programs. By appearing "trusted," these files can bypass initial security screenings and move laterally through a network.

Unit 42 Insight: Abuse of Trusted Certificates

Research from Unit 42 indicates that threat actors are increasingly prioritizing the theft of legitimate certificates. In recent campaigns, nearly 25% of observed malware samples utilized some form of digital signature to evade detection. This trend highlights the need for organizations to treat code signing keys as Tier-0 assets, similar to administrative credentials.

 

Best Practices for Secure Key Management

To maintain a resilient, comprehensive security posture, organizations must implement strict controls over how certificates are requested, stored, and used.

Centralized Private Key Storage

Avoid decentralized key management where individual developers hold their own certificates. Use a Hardware Security Module (HSM) or a secure cloud-based key vault. Centralization allows the security team to monitor all signing activity and ensures that keys never leave a protected environment.

Implementing Role-Based Access Control (RBAC)

Limit signing authority to a specific set of individuals or automated build systems. Use a "least privilege" model where developers can submit code for signing, but only an authorized system or administrator can execute the final signature. This prevents unauthorized personnel from signing rogue versions of software.

Regular Certificate Auditing and Revocation

Maintain an inventory of all active certificates and their expiration dates. If a key is suspected of being compromised, it must be revoked immediately through the CA. Regular audits ensure that old, unused certificates are retired, reducing the overall attack surface of the organization.

 

Implementation Checklist for Secure Code Signing

Organizations can use this checklist to evaluate code signing maturity:

Requirement Action Item Priority
Private Key Protection Store all private keys in a FIPS 140-2 Level 2+ Hardware Security Module (HSM). Critical
Centralized Governance Establish a single policy for who can sign code and which CAs are authorized. High
Timestamping Use a trusted timestamping authority to ensure the signature remains valid after the certificate expires. High
Automation Integrate signing into the CI/CD pipeline to prevent manual key handling by developers. Medium
Scanning Scan code for malware and secrets before the signing process occurs. Critical

 

Code Signing FAQs

A digital signature is a broad cryptographic technique used to verify any electronic document. Code signing is a specific application of digital signatures designed for software, scripts, and executables.
This occurs when the software is either unsigned or signed with a certificate that is not trusted by the Windows Root Store. It can also happen if the certificate has expired or been revoked.
No. Code signing only proves who wrote the code and that it hasn't changed. If a legitimate developer's system is compromised, or if a malicious actor obtains a valid certificate, they can sign harmful software.
If the code was not "timestamped" during the signing process, the signature becomes invalid when the certificate expires. Timestamping ensures the code remains trusted as long as the signature was applied while the certificate was active.
No, code signing is designed to verify authenticity and integrity, not to act as digital rights management (DRM). It does not prevent unauthorized copying.
Yes. Microsoft requires certificates compatible with their Authenticode standard, while Apple requires developers to sign code through their specific Apple Developer Program.
You can, but it is not recommended for public distribution. Self-signed certificates are not trusted by operating systems by default and will cause "Untrusted Publisher" warnings.
No. Encryption provides confidentiality by hiding file contents. Code signing provides authenticity (who signed it) and integrity (that it hasn’t changed), but leaves the file readable.
Previous What Is a Non-Human Identity (NHI)? Machine Identity Security Explained
Next What Is a TLS Decryption? Methods, Risks & Best Practices

Get the latest news, invites to events, and threat alerts