Thawte Code Signing Certificates FAQ
- What are Code Signing Certificates and digital signatures?
- Why do developers need to sign their code?
- What do users see when they encounter signed code?
- How does the application know to trust my digital signature?
- Do I need different Code Signing Certificates for developing code in different platforms?
- Why do Code Signing Certificates expire?
- Will my code still be valid even though my Code Signing Certificate expired?
- What happens if a code signing cert must be revoked?
- Who needs to use code signing?
- Does a Thawte Certificate certify code or guarantee it?
- Why Choose Thawte For Code Signing Certificates?
Developers and software publishers use Code Signing Certificates to attach a unique digital signature to applets, plug-ins, macros and other executable files before publishing them. The digital signature contains identification information about the publisher and is used to confirm that the code has not been altered or tampered with since release.
Easy online distribution has made it possible for developers to create fun and functional code, anywhere and everywhere. However, the potential for fraud and the spread of malicious code has increased as well. Software applications and platforms have developed security features to check for a digital signature and recommend whether or not code should be trusted. Some platforms, such as Adobe AIR, require digital signatures for all applications.
When a user encounters unsigned code, a security warning pops up or content fails to load, depending on the browser and security settings. Warnings create doubt and confusion for users and often result in support calls to the publisher or developer. When signed code is encountered, a pop-up notification shows the verified identity of the publisher and the user decides whether or not to trust the code. With a Thawte Code Signing Certificate, your code will be as safe and trustworthy to customers as shrink-wrapped software from a store shelf.
A Code Signing Certificate is a type of digital certificate. When you apply for the certificate, you generate a private/public key pair and submit the public portion to a certificate authority, such as Thawte, along with documentation to prove your identity. Once the certificate authority authenticates and verifies the information, it issues a certificate containing your full organizational name and your public key. Thawte Code Signing Certificates are chained to our Root Certificate and trusted by leading platforms. It is possible to self-sign code; however, you then have no trusted third party to vouch for the information you provide.
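The trust model described above, as an added example that is not Thawte's code: a constructed self-signed root stands in for the CA root, issues a code-signing certificate to a publisher's public key, the publisher signs a file with its private key, and a relying party accepts the signature only if the signer certificate chains to a root it trusts, is marked for code signing, and matches the file. It uses the `cryptography` library; the names, keys and the sample "executable" bytes are all constructed for the demo.

```python
"""Added example (not Thawte's code): CA-issued code-signing certificate,
signing, and relying-party verification, including the tampered-file and
self-signed-certificate cases. All names, keys and sample data are constructed."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _build_cert(subject, public_key, issuer, issuer_key, days, code_signing):
    """Issue a certificate for `subject` signed by `issuer_key`. A code-signing
    certificate carries the codeSigning extended key usage; the root is a CA."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=not code_signing, path_length=None), critical=True)
    )
    if code_signing:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def make_root(common_name="Demo Root CA (constructed)"):
    """The certificate authority's self-signed root, which platforms trust."""
    key, name = _new_key(), _name(common_name)
    return key, _build_cert(name, key.public_key(), name, key, 3650, code_signing=False)


def issue_code_signing_cert(root_key, root_cert, publisher_cn):
    """The publisher generates a key pair; the CA binds the verified name to the public key."""
    key = _new_key()
    cert = _build_cert(_name(publisher_cn), key.public_key(), root_cert.subject, root_key, 365, True)
    return key, cert


def self_signed_code_signing_cert(publisher_cn):
    """A publisher vouching for itself: same extensions, but no trusted third party."""
    key, name = _new_key(), _name(publisher_cn)
    return key, _build_cert(name, key.public_key(), name, key, 365, code_signing=True)


def sign_code(private_key, data):
    """Publisher side: RSA PKCS#1 v1.5 signature over SHA-256 of the file."""
    return private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def verify_signed_code(data, signature, signer_cert, trusted_roots):
    """Relying-party side. Returns True only if every check passes."""
    # 1. The signer certificate must have been issued by a root we trust.
    root = next((r for r in trusted_roots if r.subject == signer_cert.issuer), None)
    if root is None:
        return False
    try:
        root.public_key().verify(signer_cert.signature, signer_cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), signer_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    # 2. The certificate must be one the CA issued for code signing.
    try:
        eku = signer_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
        return False
    # 3. The signature must match the file exactly (any alteration breaks it).
    try:
        signer_cert.public_key().verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    return True


def demo():
    root_key, root_cert = make_root()
    pub_key, pub_cert = issue_code_signing_cert(root_key, root_cert, "Example Publisher Ltd (constructed)")
    rogue_key, rogue_cert = self_signed_code_signing_cert("Example Publisher Ltd (constructed)")
    code = b"MZ\x90\x00 constructed stand-in for an executable's bytes"
    sig = sign_code(pub_key, code)
    return {
        "genuine": verify_signed_code(code, sig, pub_cert, [root_cert]),
        "tampered": verify_signed_code(code + b"\x00", sig, pub_cert, [root_cert]),
        "self_signed": verify_signed_code(code, sign_code(rogue_key, code), rogue_cert, [root_cert]),
    }


if __name__ == "__main__":
    for case, trusted in demo().items():
        print(f"{case}: {'trusted' if trusted else 'rejected'}")
```

The self-signed case fails not because the signature is wrong but because the issuer is not among the trusted roots, which is exactly the gap the FAQ describes: nobody the platform trusts has vouched for the name in the certificate. Expiry, time stamps and revocation are separate policy checks not shown here.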
Each platform has slightly different ways of handling digital signatures. The Thawte Code Signing Certificate for Microsoft Authenticode (Multi-Purpose) offers maximum flexibility: a single certificate to sign code developed on multiple platforms. You can digitally sign 32- and 64-bit user-mode code (.exe, .cab, .dll, .ocx, .msi and .xpi files), as well as code for Microsoft Office 2000, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing. Thawte offers additional Code Signing Certificates for:
- Microsoft Authenticode (Multi-Purpose)
- Java
- Adobe AIR
- Apple Mac
- Microsoft Office VBA
Applications and platforms that use code signing will check whether a certificate is valid as part of the security process. Digital certificates are designed to expire to protect both the certificate owner and the users who trust it. To renew a Code Signing Certificate, the certificate owner provides identification information and the certificate authority authenticates and verifies it. The Thawte Certificate Center makes it very easy to renew, manage, and track all of your code signing and SSL Certificates with a single sign-in.
A Code Signing Certificate is valid for the validity period purchased, and an expired certificate cannot be used to sign code. However, a time stamp attached to the signature shows that the certificate was valid at the time the code was signed. Thawte does not run a time stamp server; however, you can use VeriSign time stamping by adding "http://timestamp.verisign.com/scripts/timstamp.dll" to the signcode command line. For Java, use https://timestamp.geotrust.com/tsa.
A certificate may be revoked by its owner if it is lost or stolen, or it may be revoked by Thawte if the publisher is distributing malicious or intentionally harmful code. Thawte maintains a certificate revocation list (CRL). Applications and platforms which use code signing will check the CRL to verify whether a certificate is valid as part of the security process.
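The three answers above (expiry, time stamps, and the CRL) describe one verification policy. The following added example, which is not Thawte's code, reduces that policy to its decision logic using only the Python standard library: a signature is trusted if the certificate was valid and unrevoked at the signing time attested by a time stamp, or, when there is no time stamp, at the moment of verification. The certificate record, dates and CRL entries are constructed for the demo.

```python
"""Added example (not Thawte's code): expiry, time-stamp and revocation
policy for a code signature, as decision logic only. All certificate data,
serial numbers and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CodeSigningCert:
    serial: int
    publisher: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SignedCode:
    cert: CodeSigningCert
    time_stamp: Optional[datetime]  # countersignature from a time stamp server, or None


def evaluate(signed: SignedCode, crl: Dict[int, datetime], now: datetime) -> Tuple[bool, str]:
    """Decide whether to trust a signature. `crl` maps serial -> revocation time."""
    cert = signed.cert
    # At which instant must the certificate have been valid? With a time stamp the
    # signing time is attested by a third party; without one the verifier only knows 'now'.
    when = signed.time_stamp if signed.time_stamp is not None else now
    if when > now:
        return False, "time stamp lies in the future"
    if when < cert.not_before:
        return False, "certificate was not yet valid at signing time"
    if when > cert.not_after:
        if signed.time_stamp is None:
            return False, "certificate has expired and the signature carries no time stamp"
        return False, "certificate had already expired when the code was signed"
    # Revocation: a certificate revoked before the signing time cannot vouch for the code.
    # A CA that revokes for abuse or key loss dates the revocation to when the problem began,
    # so signatures made after that point fail even when they carry a time stamp.
    revoked_at = crl.get(cert.serial)
    if revoked_at is not None and revoked_at <= when:
        return False, "certificate was revoked before the signing time"
    return True, "signature trusted"


def demo():
    utc = timezone.utc
    cert = CodeSigningCert(
        serial=0x1001, publisher="Example Publisher Ltd (constructed)",
        not_before=datetime(2010, 1, 1, tzinfo=utc), not_after=datetime(2011, 1, 1, tzinfo=utc))
    signing_time = datetime(2010, 6, 15, tzinfo=utc)
    now = datetime(2012, 6, 1, tzinfo=utc)       # well after the certificate expired
    no_revocations: Dict[int, datetime] = {}
    revoked_before = {cert.serial: datetime(2010, 3, 1, tzinfo=utc)}
    revoked_after = {cert.serial: datetime(2010, 9, 1, tzinfo=utc)}
    return {
        "no_timestamp_after_expiry": evaluate(SignedCode(cert, None), no_revocations, now),
        "timestamp_after_expiry": evaluate(SignedCode(cert, signing_time), no_revocations, now),
        "revoked_before_signing": evaluate(SignedCode(cert, signing_time), revoked_before, now),
        "revoked_after_signing": evaluate(SignedCode(cert, signing_time), revoked_after, now),
        "no_timestamp_while_valid": evaluate(
            SignedCode(cert, None), no_revocations, datetime(2010, 8, 1, tzinfo=utc)),
    }


if __name__ == "__main__":
    for case, (trusted, reason) in demo().items():
        print(f"{case}: {'trusted' if trusted else 'rejected'} ({reason})")
```

The two expiry cases are the point of the FAQ answer: the same certificate, signing the same code, yields a rejected signature without a time stamp and a trusted one with it. The revocation cases show why the CRL check is made against the signing time rather than the present.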
Any publisher who plans to distribute code or content over the Internet or over corporate extranets risks impersonation and tampering. Thawte Code Signing Certificates provide a high level of assurance about the identity of the code publisher and its integrity.
No. Thawte issues a certificate to the developer, not to the code. The certificate certifies that the software really comes from the publisher who signed it - an extremely important consideration when prospective customers decide whether to trust it. The certificate also certifies that the code has not been altered or corrupted during transmission or download and is as the publisher intended it. Thawte will revoke a developer's Code Signing Certificate if there is any indication that the developer abused the trust of the code signing infrastructure.
Thawte is trusted by millions of people worldwide. When we issue an SSL Certificate, we know that our name will appear next to yours as the trusted third party who verified it. We take that trust seriously and lead the industry with rigorous authentication methods and a global infrastructure to support real-time certificate look-ups.