October 2, 2012 at 14:11Code Signing certificates or developer certificates. Types of How to Choose
Last time we looked at digital SSL certificates , this time we will consider another version of digital certificates. Code Signing certificates is a certificate by which software or scripts are signed, which confirms the author of the program and ensures that the code has not been changed after the digital signature has been applied. They are also called developer certificates.
So developer certificates provide us with several options. Firstly, it is a digital signature mechanism that confirms that the program that you use is really released by a particular company, that is, it guarantees the authenticity of the source. And secondly, it guarantees the integrity of the content, that is, that from the moment of signing the software product has not been damaged or modified.
In all modern versions of Windows, starting with Windows XP SP2, when you install software without such a digital signature, you will receive a warning. The same thing applies to installing drivers that do not have a corresponding digital signature.
If a digital signature is not found, Windows will warn you that this program has an “Unknown Publisher” and it is not recommended to run it.
If the program is digitally signed, then the window will look different and you can also see information about the certificate.
What are the types of Code signing certificates, and how are they different?
First of all, consider the certificates for the certification authorities that issue them.
The best differences between certificates from different certificate authorities are shown by a dashboard.
The columns indicate the names of certification authorities, and in the lines the type of certificate or technology / platform for which it is used.
| Platform \ Certification Authority | Symantec | Thawte | Comodo | Digicert | Globalsign | Trustwave | Startcom |
|---|---|---|---|---|---|---|---|
| Microsoft Authenticode Signing | + | + | + | + | + | + | + |
| Code Signing for Apple | + | + | + | + | + | + | |
| Microsoft Vba Signing | + | + | + | + | + | + | + |
| Java Code Signing | + | + | + | + | + | + | + |
| Adobe Air Signing | + | + | + | + | + | + | + |
| Kernel mode signing | + | + | + | + | |||
| Android | + | ||||||
| Windows phone | + | ||||||
| Qualcomm BREW | + | ||||||
| Cost, from | 500 $ | 250 $ | $ 90 | 220 $ | 220 $ | 330 $ | 200 $ |
it should be clarified that not all certification authorities provide complete information about the platforms on which their certificates work, therefore only those platforms whose support is explicitly stated by the certification authority are marked with a plus.
Microsoft Authenticode
For signing 32 and 64 bit files (.exe, .cab, .dll, .ocx, .msi, .xpi and .xap files). Also allows code signing for Microsoft® Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing.
Supports Silverlight 4 Applications
Code Signing for Apple
Allows developers to sign programs for Mac OS as well as software updates
Microsoft Office Vba Signing
Signs VBA objects, scripts, and macros for Microsoft Office .doc, .xls, and .ppt files.
For Microsoft Office and add-ons that use VBA
Java Code Signing
For signing Java applets. Allows you to sign .jar files and Java applications for desktop and mobile devices.
Recognized Java Runtime Environment (JRE)
Adobe Air Signing
To sign .air files
Required for all AIR-based applications
Kernel mode signing
Kernel-Mode developer certificates allow you to sign the so-called kernel-mode applications and device drivers. The 64-bit version of Windows Vista and Windows 7 require all kernel-mode applications to be signed with a certificate and a trusted certification authority.
Android
To sign and optimize .apk files for the Android platform
Microsoft Windows Phone
For digitally signing applications for Windows Phone and Xbox 360. Required for Microsoft App Hub
Qualcomm BREW
For those who develop applications for the BREW platform (Binary Runtime Environment for Wireless)
How Code Signing Certificate Works:
Code signing process.
- The publisher (developer) requests a Code Signing certificate from a certification authority
- Using SIGNCODE.EXE or another publisher code signing utility, creates a code hash using MD5 or SHA algorithms
- Encodes a hash using a private key
- Creates a package that includes: code, an encrypted hash, and a publisher certificate
The process of verifying the signed code.
- The user downloads or installs the signed software, and the user's platform or system checks the publisher’s certificate, which is signed by the root private key of the certification authority
- The system runs the code using the same hash algorithm as the publisher and creates a new hash
- Using the publisher’s public key, which is contained in the certificate, the system decrypts the encrypted hash
- And compares 2 hashes
Certification Authority
When a developer requests a digital certificate, the certification authority identifies it and issues a certificate associated with the root certificate of the certification authority. Platforms and devices contain the root certificate of the corresponding certification authority. That is, if a platform or device trusts a certification authority, then it will trust your certificate signed by this certification authority.
If the hashes do not match, you will receive an error when starting such software - this may mean that the software was modified by a virus or an attacker.
When the software decrypts the digital signature, it also checks the root certificate in the system, the source of the verified information. If you use a self-signed certificate, you will receive an error: "the publisher cannot be verified." Therefore, it is important to use the certificates of the certification authority whose root certificates are already installed on the system with the intended user of the program.
I will not talk about the organization verification process itself, since it is the same as for SSL certificates with organization validation, which we already talked about in the previous article .
A few words about timestamp.
A timestamp or timestamp is used to indicate when the digital signature was made. If such a label is present, then the application that verifies the signature will check whether the certificate associated with the signature was valid at the time of signing. If there is no such mark, and the certificate has expired, the signature will be considered invalid.
Example: The
certificate is valid from: 01.01. 2008
Certificate is valid until: 12/31/2010
Signature made: 07/04/2009
Signature verified: 04/30/2012
With a timestamp, the signature will be verified because the certificate was valid at the time of signing. Without such a label, the certificate will not pass verification, because at the time of verification the certificate has expired.
That is, such a label allows you to use a signed code, even after the certificate expiration date.
Summarize
To select a certificate, you first need to select a certification authority that issues certificates for the platform you need, and then the choice essentially comes down to choosing the certification authority for the price and popularity, often customers choose the certification authorities that they have worked with before.
Some tips.
- It is advisable to fill out the application for the certificate from the same machine with which you will then execute the software signature.
- Most certificate authorities recommend that you generate a certificate application through Internet explorer, although we also had no problems generating applications through other browsers.
I will be glad to answer questions on developer certificates, within my competence, as I myself am not a developer.
I will also be happy with additions and clarifications from those who use such certificates.
UPD: added important information about timestamp (timestamp), thanks TolTol and crea7or