code signing FAQ
What are code signing certificates and digital signatures?
Developers and software publishers use code signing certificates to attach a unique digital signature to applets, plug-ins, macros and other executable files before publishing them. The digital signature contains identification information about the publisher and is used to confirm that the code has not been altered or tampered with since release.
Why do developers need to sign their code?
Easy online distribution has made it possible for developers to create fun and functional code, anywhere and everywhere. However, the potential for fraud and the spread of malicious code has increased as well. Software applications and platforms have developed security features to check for a digital signature and recommend whether or not code should be trusted. Some platforms, such as Adobe® AIR®, require digital signatures for all applications.
Are code signing certificates available for individual developers?
Yes. Code signing certificates are available for individual developers who are not affiliated with an incorporated business. Choose the appropriate code signing certificate for your development platform, and select the Individual option.
What do users see when they encounter signed code?
When a user encounters unsigned code, a security warning pops up or content fails to load, depending on the browser and security settings. Warnings create doubt and confusion for users and often result in support calls to the publisher or developer. When signed code is encountered, a pop-up notification shows the verified identity of the publisher and the user decides whether or not to trust the code. With a Thawte® Code Signing Certificate, your code will be as safe and trustworthy to customers as shrink-wrapped software from a store shelf.
How does the application know to trust my digital signature?
A code signing certificate is a type of digital certificate. When you apply for the certificate, you generate a private/public key pair and submit the public portion to a certificate authority, such as Thawte, along with documentation to prove your identity. Once the certificate authority authenticates and verifies the information, they issue a certificate containing your full organizational name and your public key. Thawte® Code Signing Certificates are chained to our root certificate and trusted by leading platforms. It is possible to self-sign code, however, you do not have a trusted third party to vouch for the information you provide
Do I need different code signing certificates for developing code in different platforms?
Each platform has slightly different ways of handling digital signatures. The Thawte® Code Signing Certificates for Microsoft® Authenticode® (Multi-Purpose)
offers maximum flexibility with a single certificate to sign code developed on multiple platforms. You can digitally sign 32- and 64-bit user-mode (.exe, .cab, .dll, .ocx, .msi and .xpi files), as well as code for Microsoft® Office 2000, Microsoft VBA, Netscape® Object Signing, and Marimba Channel Signing. Thawte offers additional Code Signing Certificates for:
Microsoft® Authenticode® (Multi-Purpose)
Microsoft® Office VBA
Why do code signing certificates expire?
Applications and platforms that use code signing will check whether a certificate is valid as part of the security process. Digital certificates are designed to expire to protect both the certificate owner and the users who trust it. To renew a code signing certificate, the certificate owner provides identification information and the certificate authority authenticates and verifies it. The Thawte® Certificate Center makes it very easy to renew, manage, and track all of your code signing and SSL certificates with a single sign-in.
Will my code still be valid even though my code signing certificate expired?
A code signing certificate is valid for the validity period purchased and an expired certificate cannot be used to sign code. However, a time stamp shows the validity of the certificate at the time the code was signed. Thawte does not run a time stamp server, however, you can use Symantec time stamping by adding: "http://timestamp.verisign.com/scripts/timstamp.dll" to the signcode command line. For Java, use "http://sha256timestamp.ws.symantec.com/sha256/timestamp" (SHA256), "http://sha1timestamp.ws.symantec.com/sha1/timestamp" (SHA1)
What happens if a code signing certificate must be revoked?
A certificate may be revoked by its owner if it is lost or stolen, or it may be revoked by Thawte if the publisher is distributing malicious or intentionally harmful code. Thawte maintains a certificate revocation list (CRL). Applications and platforms which use code signing will check the CRL to verify whether a certificate is valid as part of the security process.
Who needs to use code signing?
Any publisher who plans to distribute code or content over the Internet or over corporate extranets risks impersonation and tampering. Thawte Code Signing Certificates provide a high level of assurance about the identity of the code publisher and its integrity.
Does Thawte certify code or guarantee it?
No. Thawte issues a certificate to the developer not to the code. The certificate certifies that the software really comes from the publisher who signed it - an extremely important consideration when prospective customers decide whether to trust it. The certificate also certifies that the code has not been altered or corrupted during transmission or download and is as the publisher intended it. Thawte will revoke a developer’s code signing certificate if there is any indication that the developer abused the trust of the code signing infrastructure.
Why choose Thawte?
Thawte is trusted by millions of people worldwide. When we issue an SSL certificate, we know that our name will appear next to yours as the trusted third party who verified it. We take that trust seriously and lead the industry with rigorous authentication methods and a global infrastructure to support real-time certificate look-ups.