Code Signing Digital ID: Features & Benefits
- It is a way to protect and reassure your customers with an assurance that the code they download from your site is intact on its integrity, in that it has not been altered or tampered with in the transit.
- End users can be sure of the genuine source of the code, that the code downloaded by them really came from you, facilitating you to preserve your business reputation and intellectual property. Digital IDs allow for the customers the identification of the author of digitally signed code and contacting them in the event that an issue or query arises.
- Most browsers are picky about the Certificate Authorities issuing code signing certificates. Trusted CAs only, like COMODO, have won their trust, while others are just rejected when it comes to execute the action commands from the downloaded code.
- It is easy to use code signing certificates conjunctively with several vendor software tools that developers use.
- Code signing simply appends a digital signature to the executable code itself and does not alter it. Use of digital signatures is prudent when you want to distribute data and assure the recipients that it does, indeed, come from you.
- The digital signature provides sufficient information to authenticate the signer as well as to ensure that there has been no subsequent modification of a code.
- Content publishers, including those who develop the software, can use code signing digital certificates (or IDs) for signing their content such as software objects, macros, configuration files or any other that they want to securely deliver over the internet.
What Is Code Signing?
- The source of software is obvious to customers when they buy it from a store.
- Customers can know who published the software and can see whether the package has been opened before. On the basis of these factors, customers make decisions about how much to trust those products and what software to purchase.
- Downloading of digitally signed HTML content, ActiveX controls, DLLs, or CAB files makes the customers confident about the authenticity and integrity of the code.
- This is how digital IDs serve as virtual “shrinkwrap” for your software: After your signing a code, in case it is tampered with in any way, the digital signature will break and alert customers about its alteration and hence not being trustworthy.
- The conjugation of Microsoft’s Authenticode technology and COMODO’s digital IDs presents a great solution to the above concerns. Code signing is a good opportunity for the software developers to publish their software with information about their identity as well as their code.
How Does Code Signing Work?
A code signing certificate issued by COMODO provides a source of confirmation and verification at the time of software download by end users assuring them that: One, the software truly comes from the software publisher (i.e. authentic content source) and two, the software is unaltered or uncorrupted since its creation and signing (i.e. intact content integrity).
Who Needs A Code Signing Digital ID?
COMODO offers two classes of code signing digital IDs: code signing digital IDs for Microsoft Authenticode & code signing digital IDs for commercial software developers.
The former protects a software publisher against risks of impersonation and tampering, and the latter is designed to provide assurance regarding an organization’s identity and legitimacy, pretty much what a business license does. This is the level of assurance needed today by retail channels for their software.
Therefore, you need a code signing digital ID if:
- You are a software publisher and want to distribute code or content over the internet or through an extranet.
- You are a commercial software developer publishing software, such as a company or an organization.
How Does Authenticode Function With COMODO Digital IDs?
- Authenticode trusts only the well-demonstrated cryptography protocols which ensure that code signing technology is implemented in a robust way. Thus, it makes use of industry standard cryptography techniques (like X.509 v3 certificates and PKCS #7 and #10 signature standards).
- Digital signature technology assures users regarding the origin and integrity of software. Authenticode uses it for the same. A digital signature makes use of a private key and a public key mechanism in which the private key creates the signature and the corresponding public key validates it. The use of a cryptographic digest in the Authenticode protocols saves time.
COMODO Code Signing: Something More
Software accountability provided by COMODO Code Signing Certificate brings many user benefits. Through it, a user can confirm a software publisher and get evidence of any code tampering. Should software perform any malicious activity on the users’ computers, though an extreme possibility, they can very well take recourse against the publisher. This can prove to be a strong prevention deterring the distribution of a detrimental code. These certificates are a boon to the web developers and specialists as a trust is built in their names and it becomes more difficult to falsify their software. Users get reassured as they are confident about downloading software signed by that publisher or website. Great web pages can be created with code signing certificates using signed ActiveXT controls or other signed executables. Then, an end user, at his disposal, can decide as to what software to download, informed of the publisher of the software and no tampering.
A public-key signature algorithm, such as the RSA public-key cipher, comes to play when creating digital signatures. It actually generates two different keys to work in a pair: a public key and a private key. While the private key is meant only for the owner, the public key is for any user. The algorithm so works that if one key does encryption, decryption needs the other one. Moreover, it is not possible to reasonably calculate the decryption key from the encryption key. The digital signature is generated by the private key and validated by the corresponding public key.