Home » Code Signing Certificate

Code Signing Certificate

A code signing certificate is a digital certificate issued by a trusted Certificate Authority (CA) that lets software developers cryptographically sign their executables, drivers, and scripts. The signature proves two things simultaneously: the software came from a specific, verified publisher, and the code has not been modified since it was signed. Without it, Windows and macOS display security warnings that stop users from installing - and AI platforms and app stores increasingly require signed code as a baseline distribution requirement.

What is Code Signing Certificate?

Code Signing Certificate

A code signing certificate is a PKI-based credential that binds a software publisher's verified identity to a cryptographic key pair. When a developer signs an executable, the certificate attaches a digital signature containing a hash of the file encrypted with their private key. When a user downloads and runs that file, the operating system verifies the signature using the corresponding public key - confirming the publisher's identity and checking that the file matches the original hash.

The certificate is issued only after a Certificate Authority verifies the publisher's identity through documented checks. The private key used for signing must remain under the publisher's exclusive control - typically stored on a hardware security module or cryptographic token. If the private key is ever compromised, any signatures it produced can no longer be trusted.

Code signing applies to executable files including .exe, .msi, .dll, .ocx, .ps1 (PowerShell scripts), device drivers, firmware packages, and mobile app binaries submitted to the Apple App Store or Google Play.

How Does Code Signing Work?

Code signing uses public key cryptography to create a tamper-evident seal on software files. Here is the process from signing to end-user verification:

How Code Signing Works
  1. The developer generates a key pair - a private key (kept secret) and a public key (embedded in the certificate).
  2. The CA validates the publisher's identity and issues the signed certificate containing the public key and publisher details.
  3. At signing time, the developer's signing tool (such as Microsoft SignTool) computes a cryptographic hash of the executable file, then encrypts that hash using the private key. This encrypted hash is the digital signature.
  4. The signature is embedded into the executable alongside the certificate.
  5. When a user downloads and runs the file, the OS decrypts the signature using the public key from the certificate, recomputes the file's hash, and compares the two. A match confirms the file is unmodified. The OS also checks whether the certificate was issued by a trusted CA.
  6. If everything checks out, the software runs without warnings. If the certificate is absent, expired, or the hash doesn't match, the OS flags the file.

This chain of verification runs automatically and takes milliseconds. Users never see it unless something fails.

What Are the Three Types of Code Signing Certificates?

Code signing certificates come in three validation tiers. Choosing the right one depends on whether you are an individual developer, a small business, or an organization distributing software at scale.

Certificate Type Who It's For Validation Level SmartScreen Reputation
Individual Independent developers, hobbyists Identity document verification Builds over time
OV (Organization Validated) Businesses and commercial publishers Business registration + domain + phone Builds over time
EV (Extended Validation) Enterprise, driver publishers, high-trust distribution Full organizational vetting by CA auditors Instant reputation
  • Individual code signing validates the developer's personal identity through government-issued ID. It is the entry point for solo developers signing apps outside major stores.
  • OV code signing confirms the organization's legal existence, physical address, and domain ownership. It is suitable for commercial software distributed through the company's own website or third-party download sites.
  • EV code signing involves the most rigorous vetting - the CA checks business registration documents, verifies the physical office, and confirms executive identities. The key advantage: EV-signed code receives instant positive reputation with Microsoft SmartScreen. OV-signed software has to build that reputation gradually through download volume, while a first-time EV-signed release displays no warning at all. EV certificates also require the private key to be stored on a hardware security module - this is mandatory, not optional.

For a direct comparison of EV versus standard code signing, see the EV code signing certificate guide.

Why Do Developers Need a Code Signing Certificate?

Eliminates Security Warnings

Unsigned executables trigger the Windows "Unknown Publisher" SmartScreen warning. Most users stop the installation when they see it. A valid code signing certificate removes this barrier entirely.

Proves The Software Is Unmodified

The cryptographic hash check means any tampering with the file after signing - even a single byte changed - invalidates the signature. Users and IT administrators can trust the file they received is the file you published.

Meets Platform Distribution Requirements

Microsoft requires all kernel-mode drivers to be signed through its Windows Hardware Quality Labs program. Both Apple and Google verify signing certificates before allowing apps into their stores. Many enterprise deployment tools block unsigned software by policy.

Protects Your Publisher Reputation

If malware is distributed under your name via an unsigned or stolen certificate, you bear the reputational cost. A valid certificate with a protected private key is your proof of control.

Supports Compliance Requirements

Industries handling sensitive data - healthcare, finance, government - often mandate signed software as part of broader supply chain security controls. As of 2024, the CA/Browser Forum reduced the maximum validity period for code signing certificates to 460 days, aligning them more closely with TLS certificate lifecycle standards.

How to Get a Code Signing Certificate: Step-by-Step

Getting a code signing certificate follows a defined process that typically takes anywhere from a few hours (Individual) to several business days (EV).

  1. Choose your certificate type - Individual, OV, or EV - based on your distribution needs and the platforms you target.
  2. Generate a Certificate Signing Request (CSR) on your signing workstation. The CSR includes your public key and identifying information.
  3. Submit the CSR to a Certificate Authority and complete their identity verification process. For EV, prepare business registration documents and expect callback verification.
  4. Receive and install the issued certificate using the CA's tools or Microsoft CertMgr. For EV certificates, the private key is delivered on or imported to a hardware token.
  5. Sign your executables using Microsoft SignTool, the CA's signing tool, or your CI/CD pipeline integration.
  6. Verify the signature before distribution by checking it with signtool verify or the Windows file properties dialog.
  7. Distribute signed software through your website, app store submission, or enterprise deployment system.

For guidance on choosing a provider, the best code signing certificate providers comparison covers pricing and validation timelines across the major CAs.

How to Integrate Code Signing into Your Development Pipeline

Code signing should happen at the build stage - not as a manual afterthought before release. Here is how it fits across the Software Development Lifecycle:

  • Planning: Decide which certificate type the project requires and assign key management responsibility to a named team member.
  • Development: Keep signing keys off developer workstations. Access should be restricted to the build system.
  • Build stage: Sign artifacts immediately after compilation. This ensures that everything tested is also what gets released.
  • Testing: If code is modified after signing, re-sign before the next test cycle. Testing an unsigned version and releasing a signed one introduces risk.
  • Release: Use a production-grade signing key that is separate from any development or staging key.
  • Maintenance: Audit key usage regularly. When personnel changes occur or a security incident is suspected, rotate or revoke affected certificates immediately.

Automation tools like Jenkins, GitHub Actions, and TeamCity can execute signing as part of the build step, reducing human error and enforcing signing policy across every release.

Secure Private Key Storage

The private key is the foundation of your signing certificate's trustworthiness. If it is compromised, anyone can sign malware in your name. Two accepted storage approaches exist:

Hardware Security Modules (HSMs) are dedicated, tamper-resistant devices certified to FIPS 140-2 or FIPS 140-3. They generate and store keys internally - the private key never leaves the device. HSMs are required for EV code signing and are the standard for enterprise environments. For implementation guidance, the HSM best practices for code signing guide covers setup and key management in detail.

Cryptographic tokens (YubiKey, SafeNet) serve as portable alternatives. The token must be physically connected to sign - limiting exposure to network-based attacks. These are practical for individual developers and small teams where a dedicated HSM is not cost-effective.

Where Is Code Signing Used?

Code signing applies across more platforms than most developers initially expect:

  • Windows Drivers and Applications: Microsoft requires signed kernel-mode drivers; unsigned apps trigger SmartScreen.
  • macOS Applications: Apple requires Gatekeeper notarization, which builds on code signing.
  • Mobile Apps: iOS and Android stores verify the signing certificate of every submitted binary.
  • Firmware and IoT Devices: Manufacturers sign firmware updates so devices can verify authenticity before flashing.
  • Package Repositories: npm, PyPI, and RubyGems increasingly support or require signed packages.
  • Over-the-air Updates: Medical devices, vehicles, and critical infrastructure use code signatures to validate OTA patches before applying them.
  • CI/CD Pipelines: Build servers sign artifacts at release time to guarantee integrity from commit to deployment.

Frequently Asked Questions

Why does Windows show an "Unknown Publisher" warning for my software?

Windows displays this warning when a downloaded executable has no valid code signing certificate, or when the certificate comes from an issuer the system doesn't recognize as trusted. Installing a certificate from a trusted CA removes the warning entirely. SmartScreen may still flag software with a new OV certificate until enough users have downloaded it - EV certificates bypass this waiting period immediately.

How long does a code signing certificate last?

As of November 2024, the CA/Browser Forum capped the maximum validity of code signing certificates at 460 days (approximately 15 months). Prior to this change, certificates could be valid for up to three years. When renewing, you will need to re-sign any software you plan to continue distributing, since signatures made with an expired certificate may not be trusted by newer OS versions without a valid timestamp.

What is the difference between a code signing certificate and an SSL certificate?

SSL/TLS certificates secure the connection between a web server and a browser - they authenticate a domain. Code signing certificates authenticate a software publisher and protect the integrity of executable files. They use the same underlying PKI technology but serve entirely different purposes and are not interchangeable.

Can I use a self-signed certificate for code signing?

Technically yes, but practically no. A self-signed certificate is not issued by a trusted CA, so operating systems will not recognize it as trusted and will display the same security warning as unsigned software. Self-signed certificates are occasionally used for internal testing within a controlled environment but are never appropriate for software distributed to end users.

How much does a code signing certificate cost?

Individual and OV code signing certificates typically range from $50–$500 per year depending on the CA. EV code signing certificates run from $300–$900 per year given the additional validation requirements and mandatory hardware token. Pricing varies significantly between providers - comparing options across the major CAs before purchasing is worthwhile.

Do I need to re-sign my software after every update?

Yes. The digital signature covers the exact bytes of the file at signing time. Any change to the executable - even a minor patch - produces a different hash, invalidating the original signature. Each new build that will be distributed to users must be signed before release.