how code signing works

The Enrollment Process

When you apply for a Thawte® Code Signing Certificate, you generate a private/public key pair and submit the public portion to Thawte with documentation to prove your identity. Once Thawte authenticates and verifies the information, we issue a code signing certificate containing your full organizational name and your public key. It can be used to digitally sign code and content during the certificate’s validity period.

Deploying and Trusting Signed Code

1. A publisher or developer signs a file using the code signing certificate.
2. A digital signature is attached to the file and a hash mark is created.
3. The content is published to a web site or mobile network, or otherwise made available.
4. A user downloads or encounters the code. The user’s system software or application uses a public key to decrypt the signature.
5. The hash used to sign the code is compared to the hash on the downloaded code. A mismatch generates an error, prevents download, or allows it, depending on the platform, application, and client security settings.

Root Certificates

A certificate’s trustworthiness depends on confidence in the identity of the organization that issued it. When software decrypts the digital signature, it looks for a "root" certificate, the source of the identity information. A self-signed digital certificate means that you own your own root certificate and are vouching for your own identity, although your own root certificate is unlikely to be present in the user’s browser or operating system. In contrast, established certificate authorities, such as Thawte, are well known and trusted by operating systems, software and device vendors. They extend that trust to digital certificates which are validated by the Thawte root certificate.

Choose a Thawte Code Signing Certificate.