VeriSign 5 Reasons for Code Signing

Developers and Web publishers offer more choice and customization than ever before. Innovative applications enhance Web sites, mobile devices, and desktop software for work and play. Everyone wants the latest application, but no one wants security or functionality compromised.

• End users often ignore security warnings and continue to download content and code.
• Software and hardware vendors want to support innovation without compromising their products.
• Network providers must protect their wireless assets while offering subscribers the latest options.

How do end users, software platforms, and networks know which code to trust? Code Signing from a trusted Certificate Authority (CA) such as VeriSign shows the authenticated identity of the code source and proof of the content integrity. Why sign your code? Here are 5 good reasons:

1. Show Customers You Offer Trusted Content

Code Signing creates a digital "shrink-wrap" that shows customers the identity of the company responsible for the code and confirms that it has not been modified since the signature. In traditional software sales, a buyer can confirm the source of the application and its integrity by examining the package. With Code Signing, a developer or software publisher uses a private key to add a digital signature to code or content. Software platforms and applications use a public key to decrypt the signature during download and compare the hash used to sign the application against the hash on the downloaded application. Signed code from a trusted source may be automatically accepted or require the end user to decide whether or not to trust the code. The user may choose to trust the code once or always.

2. Reduce Error Messages and Security Warnings

VeriSign® Code Signing increases the adoption and distribution of downloadable software by reducing security warnings and meeting vendor requirements. When end users encounter unsigned or self-signed code, they are interrupted and the application fails to download or a warning screen requires their input:

If those end users encounter code with a VeriSign digital signature, most systems trust VeriSign and trust the publisher. The user may never see a warning or receive a warning that recommends trusting the application (depending on the platform, application, and client security settings).

3. Link Your Business Reputation to the Most Ubiquitous Root Certificate

Companies invest heavily in creating a brand and a business reputation that consumers and partners trust. Simply signing your code ensures that it has not been tampered with and that it comes from you, but it does not verify who you are. If a malicious party distributes malware that pretends to be from you, self-signing is no protection against that.

A third-party CA is more trusted than a self-signed certificate because the certificate requestor had to go through a third-party validation process. When software platforms and applications verify a digital signature, they access a “root” certificate to determine whether or not to trust the CA that issued the certificate. Because VeriSign root certificates come preinstalled on most devices and embedded in most applications, digital signatures from VeriSign are almost always trusted, reducing warnings and error messages. Self-signed certificates are not trusted until the end user downloads the root certificate.

4. Protect Your Customers with Verifiable Content Integrity

Digital signatures contain proof of the content integrity so customers know that the code has not been altered. If the hash used to sign the application does not match the hash on a downloaded application, a security warning will alert the end user or access will be denied. In other words, if a single bit of the code is modified, Code Signing will detect the change and warn the customer. A timestamp option shows when code was signed, allowing customers to verify that the code signing certificate was valid at the time of the digital signature. VeriSign® Code Signing Accounts use a two-step signing process to create a unique digital signature each time code is signed, making each version of code released easier to track and revoke.

5. Build a Trusted Relationship with Your Customers

VeriSign is the most trusted security brand on the Internet and we support more platforms than any other code signing provider. Whether you are a large software publisher or an independent developer, VeriSign helps you create a trusted relationship with your customers by making your applications harder to falsify and more trusted. VeriSign operates the Internet infrastructure SSL Certificates secure more than 1 million Web servers worldwide, more than any other Certificate Authority.