Much new software is designed to be downloaded and upgraded directly from the internet, allowing developers and web publishers to offer more choice and customisation than ever before. Innovative applications enhance websites, mobile devices, and desktop software for work and play. Everyone wants the latest application, but no one wants their security or functionality compromised.
Malware infections are on the rise, jeopardising the ability to safely deliver software and updates via the internet. Software and hardware vendors want to support innovation without compromising their products. Network operators must protect their wireless assets and 'zero fault tolerance' networks at all costs, while offering subscribers the latest options. How do end users, software platforms, and networks know which code to trust?
One answer is code signing. An industry-recommended and widely used defence against tampering, corruption, and malicious infection, code signing allows end users to verify the identity of the company responsible for the software and confirm that it hasn't been modified with unwanted code after it was signed by the developer - like a digital 'shrink-wrap'. This enables customers to download and install software on their computers with confidence.
With code signing, a developer or software publisher uses a 'private' key to add a digital signature to code or content. Software platforms and applications use the corresponding 'public' key to verify the signature during download, comparing the hash that was signed against the hash computed from the downloaded application.
Using a public key certified by a reputable third-party Certificate Authority, or CA, adds robustness and improved usability to the security provided by code signing. Signed code from a trusted source may be automatically accepted or require the end user to decide whether or not to trust the code. The user may choose to trust the code once or always. In all cases, the end user knows who the author of the software is, and that it hasn't been tampered with since being signed by the developer.
Self-signed or 3rd party-backed code signing
Some software publishers opt to 'self-sign' their code as an alternative to using a third-party CA. As the name suggests, self-signed code is signed by its creator. Any signing done without authentication by a third party that is separate from the developer or publisher is self-signing. Consequently, the end user is left to wonder if the software that they're downloading is tamper-free.
Additionally, self-signed digital certificates cannot be revoked. So, if a private key has been compromised, a hacker who has already gained access to an end user's system can monitor activity and inject malicious code into a connection to spoof an identity.
End user benefits
In addition to helping establish trust with end users, code signing that utilises a reputable CA can help mitigate error messages and security warnings. This enhanced user experience helps increase adoption and distribution of downloadable software.
When end users encounter unsigned or self-signed code, they are interrupted and the application fails to download or a warning screen requires their input. Reducing security warnings and error messages ultimately drives up trust between the application and customer, thus increasing customer confidence, satisfaction, and subsequent downloads.
Forewarning customers of compromised code can also foster trust. As previously mentioned, digital signatures contain proof of the content integrity of a piece of software, so customers know that the code has not been altered. If the hash used to sign the application does not match the hash on a downloaded application, a security warning will alert the end user or access will be denied. In other words, if a single bit of the code is modified, code signing digital certificates will detect the change and warn the user.
Code signing with a reputable CA helps software publishers create a trusted relationship with their customers by assuring customers of the authenticity of the publisher and that the downloaded software has not been tampered with since being produced by the publisher. This improved level of trust encourages downloads, enabling software developers to leverage the numerous benefits of the internet for software sales and distribution.
Additionally, the improved user experience of code signed with a certificate from a reputable CA - as opposed to unsigned or self-signed code - contributes to enhanced customer satisfaction and repeat business.
Armando Dacal is the director of Authentication Services at VeriSign Asia Pacific.