Code Signing Certificate

If you create a windows application which will be downloaded and installed by your customers, you should think about the following issue: people will see this warning message below while trying to run the downloaded application:

Software without signature

It will confuse your users, some of them may refuse to trust and install such application.

To avoid that, you may get a code – signing certificate and digitally sign the installation package of your application.  

Digital code-signing certificate purposes are:

  • Ensures software came from software publisher
  • Protects software from alteration after publication

You may read more about it in the MSDN article Introduction to Code Signing.

Practically, there are 3 steps:

1. Prepare yourself for buying a code-signing certificate.

A. choose your preferred Certificate Authority (CA).

There are 4 major authorities providing code-signing certificates – see the list of these authorities below and certificate cost for 3 years as it was published in January,2014 (yes, it is not permanent, you will have to renew it):

Certificate Authority Price, USD, for 3 years
VeriSign (Symantec) 1248
GoDaddy 510
GlobalSign 563
Comodo 500

B. Check the requirements of a selected authority and do the required things. Buying a certificate is not like buying some third-party software tool. Certificate authority should make sure that you are what you are saying you are. They will/may check your company information using different available sources like your website, its domain registration information (“whois”), different online business directories (like “Dun and Bradstreet”). Make sure that your company name, phones and addresses are consistent and correct. Use the same information during certificate purchase. You may be also requested to prove that your website is your website (e.g. by sending an email from admin@<your domain>.com account).

2. Buy a code signing certificate.

Choose the certificate authority (CA), register and buy. You should get 3 most important things from this process:

  • Digital Certificate file (SPC or PFX extension)
  • Your private key file (PVK extension)
  • Certificate password.

Keep them, make backup (event multiple backups), but do not let unauthorized people to access them.

3. Sign your installation package and other files with the digital certificate you receive.

Now you should sign your software – most important is to sign your installation package, but you may sign also all executable and DLL/OCX files as well.

There are Microsoft Windows SDK utilities for code signing – see the MSDN article Signing and Checking Code with Authenticode. However, if you are using tools like InstallShield, you should have much more convenient way to automate the signing. For example, in the InstallShield just need to use the “Digital signature” screens of Release Wizard, like it is shown below.

On the screen below you provide your URL, your certificate file, private key file and certificate password:

Install shield - Digital Certificate

and the next screen where you may specify what to sign:

InstallShield - code signing screen 2

As a result, users who download and run your installation package will see much more friendly screen:

Software with Digital Signature

This way our users are much more confident to install and use our product.
We are also much more confident that our product installation package will not be modified or infected by viruses.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s