In our digital era, providing a secure and trusted method for distributing software and other types of code is crucial. The development of code signing technology has resulted over the past decades due to the increasing demand for safe digital products. The first known code signing certificate was issued for a web browser plugin in 1995. Code signing certificates have greatly evolved and improved over the years as new technologies and security standards have been implemented.
Today, code signing certificates are issued by various certificate authorities (CAs) worldwide, like DigiCert, and software developers and organizations use them to distribute software and securely protect their code's integrity. As a software developer or code author, you absolutely need to understand the importance of this digital tool. When using code signing certificates to distribute your software securely and protect your reputation, it’s essential to keep an eye on the expiration date as a certificate is not valid indefinitely. This digital certificate has a lifecycle and you must extend its validity over time. This article examines the code signing lifecycle and explains the consequences of an expired certificate.
What is a code signing certificate?
Code signing certificates fall into the broader category of digital certificates. A digital certificate is an electronic document used to verify the identity of an individual, organization or device and establish trust in online transactions and communications. There are several digital certificates, including TLS/SSL certificates, S/MIME and client authentication certificates. Each type has its own unique features and uses.
Code signing is used to verify software's authenticity and integrity. It ensures the software has not been tampered with or modified in any way since the certificate was signed. Code signing certificates are typically issued by a trusted certificate authority (CA) and are used to sign executables, drivers and other types of code. When a user downloads and installs software that has been signed with a code signing certificate, the user's operating system or web browser can verify the authenticity of the code based on the certificate.
Several types of code signing certificates are available, including standard code signing certificates for organization validation, extended validation (EV) code signing certificates. Each type of certificate has specific features and benefits. Finding the correct type of certificate depends on your needs as a software developer or organization.
With code signing, you authenticate and verify software applications. Let's take a closer look at the technology behind a digital certificate and some best practices for digitally signing your applications.
Why should you use a code signing certificate?
There are several reasons a software developer or organization might choose to use a code signing certificate.
To verify the authenticity and integrity of the code
Code signing certificates help to ensure that the code has not been tampered with or modified. This strengthens user trust and protects the reputation of the software developer.
To protect users against malware
Code signing certificates can help to prevent users from downloading and installing malicious software. If a user tries to download and install software signed with a code signing certificate, their operating system or web browser can verify the code's authenticity using the certificate.
To improve distribution and installation
Code signing certificates can help streamline software distribution and installation. For example, some operating systems and web browsers automatically trust software signed with a code signing certificate, making it easier for users to download and install the software.
To comply with industry regulations
Code signing certificates are needed in some industries to comply with regulatory requirements. For example, some medical device manufacturers must use code signing certificates as part of their quality management system.
Do code signing certificates expire?
Like any other digital certificates, code signing certificates have a limited lifespan and must be renewed after a certain period. The expiration date is usually specified in the certificate and is available to the user or administrator who has installed the certificate. The validity time frame for a code signing certificate can vary depending on the issuing certificate authority (CA) and the type of certificate.
As an expired certificate cannot be used to sign code, it is essential to renew a code signing certificate before it expires. If a user or administrator tries to sign a code with an expired certificate, the signing process will fail and the user will need to obtain a new code signing certificate to continue distributing the software. Furthermore, an expired certificate will require you to go through the entire validation process from scratch.
Different code signing types offer different validity
There is more than one type of code signing, each with its benefits and drawbacks. Getting to grips with their differences is important for selecting the best fit for your business requirements. The following overview takes a look at the main differences.
1. Organization Validation (OV) code signing certificate
This is the most common type of code signing, also called Organization Validation (OV) certificate. It is used to sign executables, drivers and other kinds of code and verifies the code's authenticity and integrity. Standard code signing certificates are typically valid for one to three years.
2. Extended validation (EV) code signing certificate
This certificate offers a higher level of security since it requires the software developer or organization to undergo a more thorough vetting process in order to obtain the certificate. The certificate is issued on a hardware token (USB) in accordance with current regulations in order to comply with 2FA. Code signing certificates with EV provide a higher level of trust to users and are typically used to sign code distributed to a large number of users. They are generally valid for one to three years.
3. Timestamping code signing certificates
These certificates are actually a classic code signing certificate with an additional function. They allow software developers to timestamp their code, which means they can provide proof that the code was signed at a specific time. This can be useful in cases where the code signing certificate has expired but the distribution of the code is ongoing. Timestamping code signing certificates may have different expiration dates depending on the specific requirements of the issuing certificate authority (CA).
There are also other types of code signing for specific uses, such as kernel-mode code signing certificates and code signing for use with Microsoft Office and VBA. All in all, the right kind of code signing certificate will always depend on your specific needs.
These are the six steps of the code signing lifecycle
The lifecycle of code signing is the process from when you first apply for and then obtain and install the certificate through to when you need to renew it before its expiration date. The full lifecycle of a code signing certificate includes the following steps.
- Application: As a software developer or organization, you apply for a code signing from a certificate authority (CA) or through a provider. The application process may involve filling out an online form, paying a fee and providing specific documentation to verify the applicant's identity.
- Issuance: If the application is approved, the CA will issue the digital certificate to the applicant. The code signing certificate will include information about the applicant, the expiration date and any entitlements or restrictions on the use of the certificate.
- Installation: The applicant installs the code signing certificate on their computer or other devices. This typically involves importing the certificate into the appropriate software or operating system and configuring any necessary settings or preferences.
- Use: The code signing certificate is used to sign the code the applicant wants to distribute. A code signing tool or utility is required to apply the digital signature to the code.
- Verification: When users download and install your software with code signing, their operating system or web browser the certificate's authenticity and integrity using the certificate's digital signature.
- Renewal: When the code signing certificate approaches its expiration date, you will need to renew it in order to continue using it. The renewal process may involve applying for a new certificate, paying a fee and undergoing a vetting process, depending on the specific requirements of the CA.
The lifecycle of a code signing certificate involves many steps. Today, most of the process can be carried out relatively easily and smoothly online.
What happens if your code signing certificate expires?
If a code signing certificate expires, it can no longer be used to sign code. The signing process will fail if a software developer or administrator tries to sign code with an expired certificate. This means that you will need to obtain a new code signing certificate in order to continue distributing the software. The process of getting a new code signing certificate may involve applying for the certificate, paying a fee and undergoing a vetting process again, depending on the specific requirements of the issuing certificate authority (CA). It is crucial to keep track of the expiration date of a code signing certificate and renew it before it expires. This will ensure that the code can continue to be signed and distributed without interruption.
Ensure enduring code validity with a timestamp
A timestamp is not mandatory but is typically included as part of a code signing certificate process when issued by a certificate authority (CA). It is a feature of code signing that allows the software developer to timestamp the code, which means they can provide proof that the code was signed at a specific time.
A timestamp ensures that code does become invalid when the certificate reaches expiration because the system validates the timestamp. The timestamp server will record a hash of your code so that the user's software can distinguish between code signed with an expired certificate (that should not be trusted) and code that was signed with a certificate which was valid when the code was signed but which has subsequently expired.
In some cases, a software developer may choose not to use a timestamp with a code signing certificate. For example, if proof of when the software was signed is not necessary. Whether or not to use a timestamp with a code signing certificate is a decision that depends on the specific needs and requirements of the software developer.
Timestamping is a crucial feature for code signing and provides an additional level of security to extend its validity.