What is a code signing certificate?
With increasingly active content on the Internet, end users require a method of verifying the legitimacy of downloadable Web content.
Code signing is a digital signature placed on software and other executable files and scripts. Code signatures prove the identity of software authors and validates that the software hasn't been tampered with since its original distribution.
Code signs don't alter the software – it's just an added layer of assurance for your end users.
When software is purchased from a store, it's easy to tell who published the software – and if the package was tampered with. Unfortunately, these factors aren't as obvious when software is purchased online. As a result, end users take on a certain amount of risk when downloading Java applets, plugins, Microsoft® ActiveX® controls, and other executables over the Internet.
Code signing certificates help inspire the same level of trust in your software that customers would have if they purchased your software in a store.
Improve your software security with a digital signature. Inspire user confidence by authenticating the source and integrity of your code with a GoDaddy Code Signing Certificate.
For more information, see our Code Signing Certificate product support page.
Who needs a code signing certificate?
Online security vigilance is at an all-time high. Most Web users won't download software unless you can prove it's legitimate. Code signing certificates inspire confidence and give you the proof you need to validate your code.
Software developers can use code signing certificates to provide extra assurance to their customers about who produced the content and that it's not tampered with. Signed code also prevents unidentified third parties from altering the code before it's distributed.
Content publishers can digitally sign software components, macros, firmware images, virus updates, configuration files or other types of content for secure delivery over the Internet or other mechanisms.
Code signing is particularly important when the source of a given piece of code might not be obvious – for example Active X controls, Java applets, and other active Web scripting codes.
Most Web users understand the potential risks involved with downloading content from the Internet. It's important your end users can trust the code you publish on the Internet. Code signing certificates help confirm software security and assurance with your customers.
For more information, see our Code Signing Frequently Asked Questions.
How does code signing work?
Newer operating systems and Internet browsers are often set to higher online security levels, which often require signed content. For example, Internet Explorer® uses Authenticode® technology to identify the publisher of signed software and verify that it hasn't been tampered with.
When a code signed file is downloaded from a website, the certificate is extracted from the file. The browser cross-checks this information with an internal list of certificate authorities, and then verifies the signature in the certificate.
If the signed software is tampered with in any way, the digital signature breaks and alerts customers that the code has been altered and is not trustworthy.
For more information, see Using Your Code Signing Certificate.
How does someone know they can trust my signature?
When someone attempts to download or run unsigned code, their browser attempts to validate the security of the downloaded content. A security warning pops up or the Web page content fails to load, depending on the browser security settings. These warnings create suspicion and confusion for the user.
Digitally signing code prevents unnecessary warning dialogues when end users attempt to run the signed application or executable file.
After I purchase a Code Signing Certificate, what do I need to do?
After you purchase a code signing certificate, you need to provide a certificate signing request (CSR) from the computer that is signing the code. Depending on the use of the certificate, you can create the CSR automatically, or you can use a tool like OpenSSL to generate the CSR.
After you submit your request, we verify the company information you supplied. The Registration Authority (RA) might contact you to provide additional information, if required. You can monitor the validation process through your account.
Once the code signing certificate is issued, we'll send you an email with a link to download and install the certificate file and any associated intermediate certificates.
You can even time-stamp your signature block using Authenticode to show the validity of your certificate at the time the code was signed.
For more information, see Requesting a Code Signing Certificate.