- Key Takeaways
- What is a Code Signing Certificate?
- How Code Signing Works
- Types of code signing certificates
- Why Code Signing Keys Must Live on an HSM
- Code Signing in CI/CD Pipelines
- Code Signing Risks and How to Mitigate Them
- How can Encryption Consulting Help?
- Conclusion
- Frequently Asked Questions
- Secure Your Software Supply Chain
A code signing certificate is a digital certificate that a software publisher uses to digitally sign code, so operating systems, browsers, and security tools can verify who published it and confirm the code has not been altered since it was signed.
A code signing certificate lets a publisher attach a digital signature to an application, script, driver, or firmware image. The signature proves the code came from the certificate holder and has not changed since signing. Certificate authorities issue code signing certificates at Organization Validation (OV) or Extended Validation (EV), and since June 1, 2023, the CA/Browser Forum requires every code signing private key, OV or EV, to be generated and stored on a certified hardware crypto module rather than in software.
Key Takeaways
- A code signing certificate binds a publisher’s verified identity to the code it signs, so operating systems and antivirus engines can confirm authenticity and integrity before a user runs the software.
- Certificate authorities issue two validation levels for code signing: Organization Validation (OV) and Extended Validation (EV). There is no domain-validated code signing certificate.
- Since June 1, 2023, CA/Browser Forum Baseline Requirements mandate that all code signing private keys, OV and EV, be generated and stored on a hardware crypto module certified to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
- Timestamping a signature keeps it valid after the certificate itself expires, which matters for software that stays in the field for years.
- Private key theft, not weak cryptography, is the most common cause of code signing incidents. The ASUS Live Update compromise and similar supply chain attacks both stemmed from stolen signing keys.
What is a Code Signing Certificate?
A code signing certificate is the mechanism behind the “trusted publisher” indicator a user sees when installing software. The publisher’s private key signs a cryptographic hash of the code; the certificate carries the matching public key and the publisher’s verified identity. When a device installs the software, it recomputes the hash, checks the signature against the certificate, and walks the certificate chain back to a trusted root before allowing the install to proceed without warnings.
Code signing certificates are issued by public certificate authorities such as DigiCert, Sectigo, and GlobalSign, following the CA/Browser Forum’s Baseline Requirements for Code Signing Certificates.
How Code Signing Works
Signing and verifying code follows the same basic sequence every time:
- The publisher generates a hash of the code (the application, script, or firmware image).
- The publisher’s private key, held on an HSM or token, encrypts that hash to create the digital signature.
- The signature and the code signing certificate are embedded in or attached to the software package.
- Optionally, a timestamp authority co-signs the package so the signature remains valid after the certificate expires.
- When a user or system installs the software, it recalculates the hash, verifies the signature against the certificate’s public key, and checks the certificate chain to a trusted root before allowing the install.
Types of code signing certificates
Code signing certificates come in two validation levels, plus an optional timestamping feature that applies to both.
| Type | Validation Performed | Typical Use |
|---|---|---|
| Standard (OV) code signing | Confirms the organization’s legal existence and that the requester is authorized to act for it. | Desktop applications, drivers, internal tools, most commercial software. |
| EV code signing | Adds a deeper legal-entity and background check; historically enabled instant SmartScreen reputation on Windows. | Kernel-mode drivers, security software, publishers needing immediate trust with no reputation-building period. |
| Timestamping (add-on, not a certificate type) | A trusted timestamp authority co-signs the package at signing time. | Any signed software that needs to remain valid after the signing certificate expires. |
Older versions of this article referred to “Domain Validation code signing certificates.” That type does not exist: DV is a TLS/SSL validation level, not a code signing one. Every code signing certificate requires organization-level identity verification at minimum.
Why Code Signing Keys Must Live on an HSM
Effective June 1, 2023, the CA/Browser Forum requires the private key behind every new or renewed code signing certificate, OV or EV, to be generated and stored in a hardware crypto module certified to FIPS 140-2 Level 2 or Common Criteria EAL 4+ or better, with the key non-exportable. Certificates issued before that date are unaffected until their next renewal.
| Storage Option | How it works |
|---|---|
| Hardware token | The CA ships a certified USB token; the key is generated on and never leaves the token. |
| On-prem or cloud HSM | The subscriber operates a certified HSM (or an HSM-as-a-service); the CA verifies compliance and remote key attestation. |
| Signing service | The CA or a trusted provider holds the key in its own certified HSM and signs on the subscriber’s behalf through an API. |
This rule exists because stolen software signing keys, not broken cryptography, have caused the highest-profile code signing incidents. Keeping the key inside a certified HSM means it can sign code but can never be copied out and used elsewhere.
Code Signing in CI/CD Pipelines
Most teams now sign code automatically inside their build pipeline rather than as a manual step before release.
- Automated signing. Every build in Jenkins, GitHub Actions, or Azure DevOps calls a signing step before artifacts are published, removing manual handling of the private key.
- Client-side hashing. Only the file hash is sent to the HSM or signing service for signing, not the full artifact, which keeps large builds fast.
- Access control and audit. Role-based access control (RBAC) restricts who or what can trigger a signature, and every signing event is logged for compliance.
- Compliance mapping. A complete signing audit trail supports frameworks such as NIST guidance, PCI DSS, and internal software supply chain policies, and aligns with frameworks like Google’s SLSA and Microsoft’s S2C2F.
Code Signing Risks and How to Mitigate Them
| Private key theft or misuse | HSM-based storage, RBAC, and key rotation so a stolen credential cannot sign code. |
| Key sprawl across teams and pipelines | Centralize signing through a single platform with a real-time key and certificate inventory. |
| Malicious insiders or compromised build servers | Immutable, audited build environments and approval workflows before a signature is issued. |
| Expired certificates breaking older software | Timestamp every signature so it stays valid after certificate expiry. |
How can Encryption Consulting Help?
Encryption Consulting’s CodeSign Secure is a secure and flexible solution for code signing on multiple operating systems, namely Windows, Linux, macOS, and Docker containers. CodeSign Secure protects digital devices from harmful software by digital code signing, protecting them from alterations while in transit, which forms a vital part of security in today’s digitalized world.
CodeSign Secure allows an organization to secure information while it is being transmitted. It also allows the code’s recipients to provide additional trust by knowing that the code is intact and original across all platforms.
Conclusion
Certificates for code signing are essential in trying to develop software that is secure and reliable. By selecting the right category of the certificate, knowing the difference between public trust and private trust, and integrating code signing into your DevOps pipeline, you are also improving the security and reliability of your software.
Complying with regulations is one thing, but instilling confidence in your users and safeguarding their applications against all forms of tampering is another. All in all, code signing enhances the level of security of all programs and software created for the users.
Frequently Asked Questions
What is the difference between a code signing certificate and an SSL/TLS certificate?
An SSL/TLS certificate authenticates a website and encrypts traffic between a browser and a server. A code signing certificate authenticates the publisher of a piece of software and proves the code has not been altered. Both are digital certificates issued by a CA, but they verify different things and are not interchangeable.
Do I need an EV code signing certificate?
Most publishers can use a standard OV code signing certificate. EV is worth the extra verification for kernel-mode drivers or security software where an antivirus vendor or Microsoft Windows requires the stricter identity check, or where a publisher wants the deepest available level of identity assurance.
Can I store my code signing private key in software instead of an HSM?
No. Since June 1, 2023, CA/Browser Forum rules require every new or renewed code signing certificate’s private key to be generated and stored in a certified hardware crypto module (FIPS 140-2 Level 2 or Common Criteria EAL 4+ or better). Public CAs will not issue a certificate for a software-only key.
What is timestamping in code signing?
Timestamping adds a trusted, independently verifiable time to a code signature. It lets a signature remain valid after the signing certificate expires, so software signed years ago can still be verified as legitimate at the time it was signed.
How long is a code signing certificate valid?
Code signing certificates are not covered by the CA/Browser Forum’s shrinking TLS validity schedule. Most CAs issue them for one to three years, and timestamping preserves the signature’s validity beyond that expiry date.
Secure Your Software Supply Chain
Ready to move code signing off spreadsheets and shared USB tokens? See CodeSign Secure in action, or inspect any certificate with our free ASN.1 CSR & Certificate Decoder.
- Key Takeaways
- What is a Code Signing Certificate?
- How Code Signing Works
- Types of code signing certificates
- Why Code Signing Keys Must Live on an HSM
- Code Signing in CI/CD Pipelines
- Code Signing Risks and How to Mitigate Them
- How can Encryption Consulting Help?
- Conclusion
- Frequently Asked Questions
- Secure Your Software Supply Chain
