Code Signing Best Practices
According to 2020 data from Statista, one of the most common ways people receive malware is through executable files. So, it’s reasonable to ask questions like: ‘Are .exe files safe to install?’ A user may see a Microsoft Defender SmartScreen warning message when they run an unsigned executable file, because the security tool does not trust the file.
Users typically face Microsoft Defender SmartScreen warning messages when they try to install unsigned (i.e., untrusted) software or applications. Why? Because Windows operating systems treat unsigned executables and scripts as unsafe and potentially malicious files, since they could be exactly that. (Better safe than sorry, right?)
So, how can you ensure your executable files don’t seem suspicious to your users or their operating systems? Using an executable signing certificate is the answer. To make your executable files more trustworthy in the user’s eyes and to remove the Microsoft SmartScreen warning, you’ll need to digitally sign your executable files using a code signing certificate.
Executable signing certificates, commonly referred to as code signing certificates, are digital files you can use to digitally sign executable files (.exe files). Signing computes a cryptographic hash of the executable and signs that hash with the certificate’s private key, which lets anyone who receives the file validate its integrity and authenticity.
Executable code signing certificates are issued by reputable certificate authorities (CAs) like Sectigo and DigiCert. These certificates allow you to apply a digital signature that verifies the author’s identity and helps to confirm that the digitally signed executables are from a legitimate organization — not any malicious cybercrooks.
Executable signing certificates identify the software publisher to the user. A trusted publisher is one whose certificate is installed in the certificate store of Trusted Publishers. You can’t be a trusted publisher without a certificate!
Furthermore, executable signing certificates are available with standard (sometimes called organization validation, or OV) and extended validation (EV). Both types of code signing certificate require you to store your cryptographic key and certificate on secure hardware, and they’re issued with a secure USB device by the certification authority (CA). This serves as a form of two-factor authentication (2FA).
So, what’s the difference between standard and EV code signing certificates?
A standard code signing certificate will display your verified individual or organizational information in Windows Defender SmartScreen pop-ups. This certificate has less stringent validation requirements than its EV counterpart and costs less as well.
An EV code signing certificate requires a higher level of validation than a standard certificate. Because it’s automatically trusted by Windows operating systems and browsers, it eliminates the Microsoft SmartScreen warning altogether.
It’s challenging to get users to trust any newly created executable file. A signed executable is more trustworthy, improving the reputation of the file’s creator. Some of the benefits of signing executable files using EV code signing certificates are:
Before you can digitally sign your executable file using either a standard or EV code signing certificate, you’ll first need to install SafeNet on the device that you plan to sign software on. SafeNet Authentication Client is desktop software that allows you to access and manage your code signing certificates and change the password for your tokens.
Below are the steps to digitally sign executables. But, before you start digitally signing executable files, you should:
Once you complete the above steps, follow these instructions to digitally sign your executable files:
Note: Be sure to change the information to match your CA’s timestamp server address and the file path to your executable file.
signtool sign /tr https://timestamp.<certificate-authority-name>.com /td sha256 /fd sha256 /a "c:\path\file_you_wish_to_sign.exe"
Once you’ve signed your executable, you should verify the signature before making it available to end-users:
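The sign-then-verify procedure above, wrapped in one PowerShell function as an added example (not code from the original article). It assumes signtool.exe from the Windows SDK is on PATH, the SafeNet token holding the certificate is plugged in, and the timestamp URL and file path are placeholders you replace with your CA’s server and your own executable.

```powershell
function Publish-SignedExecutable {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$TimestampUrl
    )
    if (-not (Test-Path -LiteralPath $FilePath)) { throw "File not found: $FilePath" }

    # 1. Sign with a SHA-256 file digest (/fd) and an RFC 3161 timestamp (/tr, /td)
    #    so the signature remains valid after the certificate itself expires.
    #    /a lets signtool pick the best available certificate (the one on the token).
    & signtool.exe sign /tr $TimestampUrl /td sha256 /fd sha256 /a $FilePath
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # 2. Verify with signtool against the default Authenticode policy (/pa), verbose (/v).
    #    Without /pa signtool applies the kernel-mode driver policy and reports failure
    #    for ordinary application signatures.
    & signtool.exe verify /pa /v $FilePath
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

    # 3. Independent check through PowerShell's own Authenticode API: the status must be
    #    Valid (not NotSigned or HashMismatch) and a timestamp countersignature must exist.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "Signature is not timestamped; it will stop validating when the certificate expires"
    }

    # Summary a release pipeline can log or gate on.
    [pscustomobject]@{
        File        = $FilePath
        Signer      = $sig.SignerCertificate.Subject
        NotAfter    = $sig.SignerCertificate.NotAfter
        TimeStamper = $sig.TimeStamperCertificate.Subject
    }
}

# Placeholder values: substitute your CA's timestamp server and your own file path.
Publish-SignedExecutable -FilePath 'C:\path\file_you_wish_to_sign.exe' `
    -TimestampUrl 'https://timestamp.<certificate-authority-name>.com'
```

Running this on an unsigned or modified file throws at step 3 with the exact status (NotSigned, HashMismatch), which is the same condition that triggers the SmartScreen warning for your users.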
Dangerous malware infects many executable files. Microsoft’s operating system takes every possible step to make users aware of these dangers, for instance, by displaying Microsoft Defender SmartScreen warning messages if anyone tries to install unsigned or suspicious executables.
If you want users to trust your executable files, you should sign them using an EV code signing certificate from respected CAs like Sectigo or DigiCert. This way, if someone tries to tamper with your software after you’ve signed it, users will know that it’s been modified because it will trigger the Microsoft Defender SmartScreen warning message. And if your software is safe and hasn’t been tampered with, then it won’t trigger any warnings that may scare away customers or users.