What is a Code Signing Certificate and how to ensure digital trust for your application

What is Code Signing?

A digital code signature is a cryptographic mathematical scheme used to check the security of your application code in order to guarantee the integrity of your application.

Simply put, a digital code signature tells the end user (through the operating system) that your application comes from an original vendor and hasn’t been altered with malicious code. This way, the end user knows your application can be safely installed on a device.

To digitally sign an application, you need a certificate (private key included). The signing process uses the private key from your certificate as a secret for the encryption algorithm, so no one can alter the file without invalidating the signature.

In case someone gets access to your private key (and private key password), the application risks being resigned with the same certificate.

A digital signature is mandatory for MSIX packages but currently optional for MSIs, EXEs, and DLLs.

However, despite being optional for the latter formats, it is highly recommended to digitally sign your code or application, regardless of the package format. Most modern operating systems will flag your application as being “from an untrusted source” which might discourage your end users to install and trust your application.

If you are up-to-date and use the latest OS from Microsoft, and Windows 11, then there is a big chance you are using Smart App Control (SAC) - which is an additional layer of security that blocks potentially harmful applications.

Your application may get blocked by the Smart App Control if the application and your code are not digitally signed (files and DLLs inside included).

Read more on the subject in our dedicated Smart App Control blog article and see how Advanced Installer enables your application to be 100% SAC compatible.

How to Get a Code Signing Certificate?

As we said above, to digitally sign your code, you need to have a certificate that proves your authenticity. To get a code signing certificate, you have two options:

1. Generate a self-signed certificate
2. Buy a certificate from a Certified Authority (CA).

1. Self-signed certificates involve generating your own certificate and then deploying it to the machines where you want the application installed and recognized as certified.

This type of certificate is mainly used in test scenarios or in enterprise environments with large IT infrastructures where the self-generated CAs are controlled through PKI (Private KeyInfrastructure) and deployed via GPOs (Group Policy Objects).

2. Certified Authority certificates - you have to purchase them from authorized vendors.

These trusted authorities generate a certificate that is recognized by the operating system. In this case, you don’t need to do any extra configurations on the machines where your application is installed.

Note: When you want to buy a certificate for your application, make sure the CA vendors are selling code-signing certificates. Don’t confuse it with SSL certificates which are used for websites.

Besides the standard code signing certificate, you can use an EV certificate. EV stands for Extended Validation which means extra layers of security, rigorous vetting process and hardware security requirements.

When using the EV certificate, the Private key is stored on a USB so you need it plugged in when you want to generate the digital signature.

How to Sign Code with a Code Signing Certificate?

After you receive your certificate, you can use multiple tools to sign your code. One of the most popular tools is Microsoft SignTool.

Get started with the Microsoft SignTool by reading How does code signing work with Microsoft SignTool in-depth article.

When you buy a certificate to digitally sign your application, that certificate has an expiration date. But you have the option to timestamp your package when you code-sign it.Timestamping your package offers the advantage of the application being recognized by the system even after it expires. You can find more details in our Why a Digital Signature Timestamp is Always Required blog post.

My certificate has expired. How do I renew it?

After your certificate expires, you need to buy a new one from the vendor and then use it to “re-digitally-sign” the newer version of your application.

Between the time of expiration and the time of “re-digitally-sign”, you may experience a temporary loss of online reputation since the old installer is seen as untrusted.

As soon as you release your newer installer signed with the latest digital signature, the customers using your latest installer will not have any digital trust issues with your application.

How to digitally resign your application in Advanced Installer

When you resign your application in Advanced Installer, make sure you use the same definitions in the Certificate Name (CN). If you have a different value, when you perform an update, especially with an MSIX package, the update will fail.

When you use Advanced Installer’s Auto-Updater, you need to double-sign your MSI package with both the old and the new certificate to avoid update failures.

To test the Advanced Installer Auto-Updater, get the 30-day full feature free trial.

Conclusion

Although optional (for MSI packages), digital signing these days has become a must. Considering the impact it has on end-users and how easily you can procure and digitally sign your package using Advanced Installer, as a developer or application packager, you should always consider digitally signing your software.