What is a Microsoft Authenticode Code Signing Certificate? (2024)

Rate this article: What is a Microsoft Authenticode Code Signing Certificate? (1)What is a Microsoft Authenticode Code Signing Certificate? (2)What is a Microsoft Authenticode Code Signing Certificate? (3)What is a Microsoft Authenticode Code Signing Certificate? (4)What is a Microsoft Authenticode Code Signing Certificate? (5) (10 votes, average: 3.90)

What is a Microsoft Authenticode Code Signing Certificate? (6)Loading...

A rundown on code signing with an Authenticode certificate

Using Microsoft Authenticode to sign your software isn’t just something that the biggest software companies need to do — nowadays, it’s basically a requirement for any software. Authenticode is a Microsoft-specific signing technology that allows developers to sign their code and users to authenticate the signature.

It’s kind of similar to the way that different companies andnetworks use different software libraries for SSL/TLS. The underlying premise,the use of PKI and X.509 digital certificates is still the same — it’s just howit’s all executed that differs a little bit.

Today we’re going to discuss code signing, Authenticode code signing certificates, and how and why you should acquire one.

A Quick Rundown on Code Signing

When you create a piece of software, ideally, you would liketo have people purchase or obtain it, and then use it. And in a perfect worldit would all be that simple. But criminals and hackers have ruined that and,nowadays, any device or system has been designed closer to a zero-trust model.After all, executing the wrong program can prove disastrous.

This is where code signing enters the picture. Beforerunning a new piece of software — or updating an old one — the device or systemis going to need some kind of assurance about the legitimacy of said software.Specifically, it needs to know who the publisher is and whether it’s beenaltered since it was signed.

Code signing accomplishes both with a digital signature and a hash function. The digital signature authenticates the developer; the hash serves as a checksum to ensure the integrity of the software hasn’t been compromised. Quickly, from a technical standpoint, the code signing certificate and the code itself are both hashed together and then the resulting hash value is digitally signed with the certificate’s private key.

When a user receives the software, their system will firstrepeat the hash value that was created when the certificate and code were bothhashed together during the signing. No two disparate inputs can create the sameoutput in hashing, so if the values match, you can safely assume the software’sintegrity is intact.

Then the system takes the public key that was presentedalongside the code signing certificate and uses it to verify the signature.

When done properly, the result is this:

What is a Microsoft Authenticode Code Signing Certificate? (7)

If not done properly, the user gets warned instead:

What is a Microsoft Authenticode Code Signing Certificate? (8)

Nowadays, you can’t get away with not signing code. Nowlet’s talk about how to obtain an Authenticode Code Signing certificate.

How to Obtain a Microsoft Authenticode Code Signing Certificate

Unfortunately, unlike SSL/TLS, there is no free variant of acode signing certificate. Owing to the amount of trust given to a digitalsignature made by a trusted signing certificate, the certificate authorities (CAs)need to spend time vetting your organization (or the individual developer)before they’re willing (or allowed) to issue a code signing certificate.

There are two variants of a code signing certificate:

  • Standard Code Signing
  • Extended Validation (EV) Code Signing

What is a Microsoft Authenticode Code Signing Certificate? (9)

Save Up 42% On Comodo Code Signing Certificates

Need to sign your software to assure users and make installation easier? We sell all Comodo code signing certificates at up to 42% off.
View Code Signing Certificates

EV code signing requires more extensive vetting, but it paysoff in the form of a reputation boost with Microsoft SmartScreen filter, andyour private key comes stored on an external hardware token for bettersecurity. This is a great option for newer developers.

As for getting an Authenticode code signing certificate, some are specifically marketed that way but any trusted code signing certificate CAN be used to sign Authenticode. Such certificates would include Comodo authenticode certificates for code signing. You may have to change the file format/encoding, but they can all be configured for use with Authenticode.

While you can buy direct from a certificate authority, you’re going to get better pricing if you work through a reseller. Resellers such as ComodoSSLstore.com purchase in bulk — well below MSRP — and can sell at lower price points than the CAs because of it. CAs also prefer to work with larger companies, so for SMBs, a reseller is definitely the way to go.

Purchase Comodo Code Signing Certificates & Save Up to 42%

We offer the best discount on all types of Comodo Code Signing Certificates, which work with Microsoft Authenticode.Shop Comodo Code Signing Certificates and Save Up to 42%

Making Authenticode Signatures

The best option for making Authenticode signatures, provided you’ve already purchased and installed the certificate, is to use the SignTool.exe program that came with your software development kit (SDK). Depending on the version you have, it might require some manual tweaking, or it might just be a matter of clicks

The best option for making Authenticode signatures, providedyou’ve already purchased and installed the certificate, is to use theSignTool.exe program that came with your software development kit (SDK).Depending on the version you have, it might require some manual tweaking, or itmight just be a matter of clicks

Best Practices for Signing Authenticode

First and foremost, it’s important to timestamp everysignature. Like any other PKI digital certificate, code signing certificateshave a finite lifespan. This is for both security and technical reasons.Without timestamping, any signature left by a now-invalid code signingcertificate will no longer be trusted.

When you timestamp a signature, it does require a couple ofother functions — calls to time servers — but it keeps your signatures valid inperpetuity. This saves you money and saves your reputation in the long run,too.

Second, sign both the installer and the application. As Microsoft’s Eric Law says:

“When downloading installation packages from the Internet, the browser and/or Windows Shell will only check the digital signature on the installer itself. However, as a best practice, you should also sign the main executable of your application as well. This helps prevent tampering, but more importantly, it helps ensure that any security tools on the user’s machine can more readily identify your code. For instance, many anti-malware or firewall tools will treat unsigned executables with suspicion, and may even block them if they happen to share the same filename as a malicious program.”

Remember, it’s up to you to sign your code. You still have theoption not to if you really want to shirk security and responsibility. Justdon’t expect many people to use your software.

code signing microsoft authenticode what is code signing

Related posts:

  1. What is Code Signing?
  2. Code Signing Certificate vs SSL Certificate: What’s The Difference?
  3. How to Sign Code with a Java Code Signing Certificate
  4. How to Perform Kernel Mode Code Signing
  5. Visual Studio Code Signing Certificate Guide
What is a Microsoft Authenticode Code Signing Certificate? (2024)
Top Articles
Latest Posts
Article information

Author: Nathanial Hackett

Last Updated:

Views: 5477

Rating: 4.1 / 5 (52 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Nathanial Hackett

Birthday: 1997-10-09

Address: Apt. 935 264 Abshire Canyon, South Nerissachester, NM 01800

Phone: +9752624861224

Job: Forward Technology Assistant

Hobby: Listening to music, Shopping, Vacation, Baton twirling, Flower arranging, Blacksmithing, Do it yourself

Introduction: My name is Nathanial Hackett, I am a lovely, curious, smiling, lively, thoughtful, courageous, lively person who loves writing and wants to share my knowledge and understanding with you.