Authentication. Security. Trust.
Code Signing
Distributing trustworthy software over the Internet
© GlobalSign. A GMO Internet Inc group company.
Contents
As operating system and browser vendors move towards higher security models and
lock down capabilities on unknown code, it is increasingly important for developers
and end users to identify legitimate applications from the masses of badware.
 What is Code Signing?
 The Benefits of Code Signing
 Supported Platforms
 Buyer Considerations
 Why choose GlobalSign?
 Adding Code Signing to your Portfolio
Authentication. Security. Trust.
www.globalsign.com
What is Code Signing?
 Code Signing is the virtual equivalent of shrink-wrapping CD-based software for
distribution.
 Software developers digitally sign code or software distributed over the Internet using
X.509 v3 digital certificates marked for the specific use of digitally signing code.
 The digital certificate binds the identity of a person or entity
to a public key which is related to a corresponding private
key. The private key is used to apply a digital signature to a
shortened version of the code which is run through a
hashing algorithm. The public key is used to verify the
signature.
 Signing the hash of the code with an algorithm like SHA-1
provides a method to validate if the code has changed in any
way since signature.
Authentication. Security. Trust.
Digital Certificate marked for Code Signing
(Code Signing Certificate)
www.globalsign.com
The Benefits of Code Signing
 Code Signing using a trusted third party prevents:
−
−
−
Users abandoning the installation of an application that is not easily identified as genuine.
Malicious alteration of legitimate code.
Identity theft or damage to reputation of vendor or code author.
 The end user knows the digitally signed software being executed is legitimate, comes from a
known software vendor and has not been tampered with since being published.
Unsigned code
The end user is presented with a warning
message that may cause them to abandon
the install.
Signed code
The code has been digitally signed by a
certificate from a trusted Certification
Authority. The end user is presented with
the publisher’s identity.
 By digitally signing code, the software vendor enhances customer confidence, increasing the
number of downloads.
Authentication. Security. Trust.
www.globalsign.com
Supported Platforms
 Different platforms have different requirements and options available for digitally
signing code. GlobalSign’s Code Signing Certificates support:
Microsoft Authenticode
Windows ActiveX controls can be
signed via Authenticode (32 bit and
64 bit .exe, .ocx, .dll or other) and
Kernel software for Windows.
Windows 7 compatible.
Microsoft Office & VBA
Digitally sign Microsoft Office
macros and Visual Basic
Applications (VBA) to avoid
Unknown Publisher macro
warnings.
GlobalSign is one of the select Certificate
Authorities enabled by Microsoft to allow
Windows Kernel 64 bit code signing.
Adobe AIR applications
Adobe AIR only allows digitally
signed applications to be run.
Java
JAR applet files can be signed to
allow apps access to client-side
resources.
Authentication. Security. Trust.
Apple Mac applications
Code Signing was introduced by
Apple in MacOS 9 onwards.
Mozilla & Netscape Objects
Digitally sign Mozilla and legacy
Netscape Object files to enable
activation in Mozilla browsers.
www.globalsign.com
Buyer Considerations
 There are several elements to consider when choosing the right Code Signing
Certificate to sign your application.
− Ubiquity
Public rooted Code Signing Certificates, as opposed to self-signed certificates, will allow users to verify the
authenticity of the publisher and origin of the software, as well as ensuring that the code has not been
tampered with.
− Timestamping services
Timestamping ensures that the signature on your application remains valid after the certificate has
expired.
− Price and value
Am I getting good value for the experience, support and functionality?
− Trust
A good reputation and credibility of the Authority can inspire additional downloads of your application.
− Support for individuals and commercial software publishers
Many Authorities only support commercial software publishers and not individuals.
Authentication. Security. Trust.
www.globalsign.com
Why choose GlobalSign?
The benefits of signing code with a GlobalSign Code Signing Certificate
 Removes the "Unknown Publisher" popup in Operating Systems and browsers.
 Full timestamping service included free of charge – timestamping code ensures the
signature does not expire.
 Allows an unlimited number of applications to be signed within the lifespan of the
certificate.
 Supports all developer platforms.
 Offers multi-year savings - plus multi-year avoids having to renew annually.
 Offers a risk free refund.
 Comes with a $100,000 Warranty - underwritten Liability program.
 Multi-Language Tech Support - access to expert technical support staff via email and
telephone.
 Issued by an organization that’s been a WebTrust Accredited Certification Authority since
2002.
Authentication. Security. Trust.
www.globalsign.com
Adding Code Signing to your Portfolio
 Adding Code Signing to your value chain
Developing
Testing
Deploying
Code Signing is the ideal value-add product for VARs looking to complement
core services and existing portfolios, opening up a new revenue stream and ensuring
customer satisfaction.
Distributing

Security
 Partner Program
GlobalSign has developed specialist partner programs to allow you to resell Digital Certificates
cost-effectively and hassle-free.
Partners receive instant discounts and the GlobalSign SaaS web portal makes the application of
certificates quick and easy. A flexible XML API can also allow the process to be fully automated
and integrated into your own workflows.
The whole range of GlobalSign Digital Certificate Solutions can be resold using the GlobalSign
Partner account, including:


Code Signing Certificates
SSL Certificates
Authentication. Security. Trust.


Email encryption (S/MIME Digital IDs)
Adobe Certified Document Services (CDS) Digital IDs
www.globalsign.com
Reselling Code Signing Certificates
 Talk to GlobalSign today about adding Code Signing Certificates to your
portfolio.
 Learn more about our Partner Program at:
− http://www.globalsign.com/partners/
 Read White Paper.
− http://www.globalsign.com/resources/......
Authentication. Security. Trust.
www.globalsign.com