Home » Explained: How an EV Code Signing Certificate Works
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

A behind-the-scenes look at how an EV Code Signing Certificate works to authenticate and protect your software app’s integrity

As a developer, you already know the importance of using a Code Signing Certificate to digitally sign your software apps and scripts. Our goal here is to educate and answer your questions about how to get an EV Code Signing Certificate and how this type of digital certificate works behind the scenes.

An Overview of Purchasing an Extended Validated Code Signing Certificate

The purchase process of EV Code Signing Certificate is much like that of a standard code signing certificate. The only real difference can be seen while passing through the vetting process.

When you purchase a publicly trusted Extended Validated Code Signing Certificate, the CA takes you through a more rigorous vetting process. This extra layer of verification assures clients and operating systems that your company is a legally registered, legitimate entity.

This process can take anywhere between one to five working days, depending on the CA you choose. Any failure to provide the require documentation or details can lead to delays or even failure to get the certificate.

Code Signing Private Keys Must Be Stored on Secure Hardware

It used to be that only the private key of your Extended Code Signing Certificate had to be mailed to you on an external USB token. However, industry leaders implemented new code signing baseline security requirements in June 2023 that made it so standard code signing certificates also must be securely generated and stored on secure hardware.

As you know, the security of your private key is essential. This is why you can choose to generate and store your private key on a secure hardware USB token, an on-prem hardware security module (HSM), or using a secure HSM-backed cloud code signing key storage method like DigiCert KeyLocker. These approaches reduce the chances of your cryptographic keys becoming compromised.

Extended Validated Code Signing Certificate — How Does it Work?

Ok, now you are aware of how the private key is stored for all code signing certificates. Now, let’s explore the process more in depth to answer the question, “how does an EV Code Signing Certificate work?” Review the illustrations below for a visual representation of this process.

An Overview of the Code Signing Process

How EV Code Signing Works

Hashing the Software 

Once the software is created successfully, you have to hash it as the first step in the digital signing process. This hashing function generates a hash value that can be used to assure users that your software is trustworthy and hasn’t been tampered with since it was signed.

When downloading or installing digitally signed software applications, any failure to produce the right hash value signals to Windows browsers and operating systems that the software may have been compromised.

Signing the Software

Once the hashing is done, the most important one, the signing process is the next step. Here, you will make the use of that provided external USB token, for using your private key to digitally sign and timestamp your software.

This process, which involves encrypting the hash digest, lets the browser know who’s the publisher of the software and whether it’s trustworthy or not.

An Overview of the Digital Signature Verification Process

Verifying the Code in EV Code Signing

Verifying the Software’s Digital Signature 

Once the above steps (i.e., hashing, signing, and timestamping of your software) are complete, your digitally signed software app is ready to release or distribute.

Whenever any user or customer downloads or installs your signed software, their browser or operating system will recognize that you’re the legitimate publisher of the software. The user’s client or OS will use your public key and software hash value to determine whether your software is authentic and trustworthy, or if it’s been tampered with since it was signed.