Code Signing Architecture: How the Code Signing Process Works
Home » Code Signing Architecture: How the Code Signing Process Works
(No Ratings Yet)
Code Signing Requires Four Different Components for the Code Signing Architecture
As a software developer, you know the role of a code signing certificate, how important it is, and how helpful it is to provide trust to the users. If you have purchased a code signing certificate, then it won’t be new to say what’s the process to get one and how this Code Signing Certificate Works.
But, today, we’ll dig a little deeper to understand the architecture of a code signing certificate and the sets of components that are responsible for the code signing process. You might know the basics, but let’s explore it for the ones who don’t.
A code signing architecture has four different components
Code Signing System (CSS)
Certification Authorities (CA)
Time Stamp Authority (TSA)
Verifiers
Let’s look at each one in order…
1. Code Signing System (CSS)
The code signing system (CSS), the first component of the process, is where the code is actually signed. Typically, code goes through a series of steps such as authentication and authorization of the one who submitted code, then finally, generation of the signature. To generate the signature, the code signing system uses a certificate and a private signing key, which is kept securely to prevent unauthorized usage.
2. Certificate Authorities (CAs)
The code signing system relies on the developer having a certificate issued by Certificate Authorities such as Sectigo. To get a certificate, the developer will need to purchase the certificate and submit documents for validation. And, once all the information and details are provided, (it’s for the security controls and practices that CAs need to follow) the CA issues a code signing certificate.
The requirements mandated by the CA for issuing a code signing certificate, are based on guidelines from the CA/Browser Forum and the CA Security Council, who specify the required documents that are needed for the issuance of a code signing certificate.
3. Time Stamp Authority (TSA)
Code Signing process and architecture involves the use of a time stamp authority (TSA). Although this part is optional it’s recommended. A TSA is used for specifying at what time and date a piece of code are signed. This is so the signature will be valid even after the certificate has expired. Whenever a Time Stamp Authority (TSA) is used, the signature is sent to it. Then the TSA applies its signature along with the signing time to be added to the software package or other executable files.
Code Signing process and architecture involves the use of a time stamp authority (TSA). Although this part is optional it’s recommended. A TSA is used for specifying at what time and date a piece of code is signed. This is so the signature will be valid even after the certificate has expired. Whenever a Time Stamp Authority (TSA) is used, the signature is sent to it. Then the TSA applies its signature along with the signing time to be added to the software package or other executable files.
Once your software package or executable file is signed and timestamped, any client that attempts to use the file will first attempt to verify the signature. As a developer, it’s recommended that you verify the signature yourself before publishing the file.
The clients or verifiers manage trust anchors that are used for validating certificates.
Trust Anchors
Verifiers use trust anchors for validating the signature, generally by verifying issued code signing certificates.
Trust anchors are typically public keys for root certificates that are installed and securely stored on the verifying platform. For example, a self-signed root certificate using standard X.509 architecture works as a trust anchor for applications, if that certificate is included in the verifier’s trust store. A web browser like Google Chrome and Mozilla Firefox and operating systems also provide the list of their trust anchors.
These trust anchors do not verify code directly, but they’re public keys of root CAs which are used for signing code signing certificates of CAs like Sectigo or DigiCert.
Closing Thoughts
We hope this article gives you a better understanding of how code signing certificates work, while making you aware about the different components involved to make the signing of an executable file or software package successful. In the end, the goal is to assure users that the signed file they’re downloading or installing is trustworthy, genuine, and coming from the original publisher without being tampered with.
Code Signing Best Practices
Download thisCode Signing Best Practices guideto improve your software and supply chain security.
Help keep your end users safe from supply chain attacks.
Prove your software's authenticity using digital identity.
Protect your software's integrity by preventing alterations.
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Email Us
+1 (727) 291-0611
Chat Now
