All About Code Signing: What it is, How it Works, And Why You Should Do it
In the summer of 2021, Microsoft issued a security advisory letting users know of a critical vulnerability in the Windows Print Spooler service. The flaw made it possible for attackers to run arbitrary code on just about any affected Windows machine if they could trick a user into installing a compromised printer driver. From there, they could gain near-total control of the machine and access to anything connected to it.
But if you read the details of the bulletin, you’d have noticed a critical piece of information: that the vulnerability revolved around the users’ ability to install unsigned printer drivers. Signed drivers weren’t a problem—because it’s all but impossible for attackers to alter them to include the malicious bits they needed to launch an attack.
And within that distinction lies a lesson for software developers around the world: Code signing is important and something we all need to do when publishing software meant for public consumption. That said, there seem to be plenty of developers out there that don’t bother with code signing or don’t understand its significance.
Make no mistake, though: Code signing is just as important to protect your customers as it is to protect yourself as a software developer. Imagine, for example, that a hacker or other bad actor decides to inject malicious code into one of your pieces of software. When that code does the damage it’s designed to do, who do you think your customers are going to blame?
Two points if you guessed it’ll be you.
Code signing isn’t all that difficult to do. To help you understand how it works, here’s a complete guide to code signing. We’ll cover what it is, how it works, and why you should be doing it. Let’s get started, shall we?
What Is Code Signing?
To get started, let’s first take a look at what code signing is—it’s very simple, really. Code signing is the process of issuing a trusted digital certificate attesting to who you are and guaranteeing that a piece of software contains only the code you wrote and that you can vouch for.
In other words, it’s a bit like a certificate of authenticity you might get if you buy a signed piece of movie memorabilia. Except in the case of code signing, you’re not just guaranteeing authenticity, you’re guaranteeing providence and security.
It’s based on the same kind of logic that web browsers use to open SSL-encrypted connections to remote servers. The use of trusted certification authorities makes it possible for computers—and users—that don’t know you personally to be reasonably certain that software they’re going to execute hasn’t been tampered with in any way.
If you’ve ever downloaded a program from the internet and tried to run it anytime in the last twenty years, you’ve likely seen code signing in action. Modern operating systems check downloaded software for a valid signature and use that information to alert you as to who is asking to alter your computer.
Software that isn’t signed will generate a colorful and dire-looking warning letting you know that an unknown entity wishes to make changes to your PC. But signed software results in a benign-looking alert listing the software developer’s name and asking for permission to proceed.
There’s an excellent chapter on the subject in the book Web Security, Privacy and Commerce that discusses code signing—and numerous other web security topics developers should know about. It’s also a great handbook that I believe every developer should have on their shelf as a reference on myriad online security topics.
How Does Code Signing Work?
The process of signing your code isn’t all that different from the way you’d obtain an SSL certificate for a website. It involves the use of a public and private encryption key pair to have a trusted certification authority issue a valid code signing certificate to you to use when you publish software.
To get a code signing certificate, you have to prove your identity to a certification authority, so they’ll know you are who you say you are. But how you do that depends on the kind of certificate you’re trying to obtain. There are two main types:
- Organization Validated Code Signing Certificate – Often called a standard code signing certificate, they’re the easier of the two types of certificates to obtain. To get one, you’ll have to identify yourself to a certification authority and go through a simple verification process. Obtaining one isn’t much more difficult than obtaining a standard SSL certificate.
- Extended Validation Code Signing Certificate – An Extended Validation (EV) code signing certificate is much harder to obtain. To get one, you have to go through a lengthy vetting process with a certification authority. The catch? EV certificates are only issued to organizations, not individuals. They’re meant for higher-volume software publishers and come with a private encryption key stored on a physical hardware key to prevent misuse.
The main difference between standard and EV code signing certificates is what they’ll allow your software to do. Standard certificates make it possible for operating systems to compare your software’s hash at the time of signing to its hash at runtime. It also identifies you, the developer, as the person behind a particular piece of software.
On the other hand, EV certificates come with some additional benefits. The first is that you can use an EV certificate to sign Microsoft Windows drivers, whereas you can’t use a standard certificate for that purpose. Remember the security advisory mentioned in the introduction? It was EV certificate signed drivers that were safe from the vulnerability.
The other main added benefit of an EV certificate has to do with SmartScreen, which is Microsoft’s built-in website and download checking system. When you sign your software with an EV certificate, SmartScreen will instantly trust your software. That greatly improves the odds that Windows users will be able to download your software without any scary security warnings popping up on their screens.
Why You Should Be Signing Your Code
There are a variety of reasons that you should be signing your code. Some of them are very obvious. Others are less so. Let’s begin with the most obvious reason of all: You want people to run your software, and if your software isn’t signed, there’s a very good chance that users will struggle to run it.
Microsoft, for its part, is really serious about stopping users from downloading and running unsigned code. Their in-OS protection systems will present a user with an array of roadblocks and warnings to stop them from doing so. And they don’t make it obvious how to bypass them.
And MacOS, the other major consumer OS, does almost the exact same thing. And newer Apple computers that contain their native processors won’t run unsigned software compiled for them at all. So if you want people to be able to use your software, you need to get in the habit of signing it.
Another reason to sign your software is that it will improve adoption among businesses. Today’s cybersecurity professionals have neither the time nor the inclination to vet unsigned software unless it’s the only option. And most major corporate networks restrict the download or installation of unsigned software—with good reason. When a single chunk of altered code can lead to a multimillion-dollar data breach, there’s no room for error.
Last but not least, you should be signing your code to protect your reputation. If you’re an independent developer that makes a living on the software you create, you can’t afford for someone to use it as an avenue for a malware attack. If that happens, affected users will make no distinction between you and the people responsible for the attack. And the reputational harm you suffer could be irreparable.
Code Signing Is Worth It for Developers
The bottom line here is that developers—including you—should be creating a process to sign all of the code they release. Doing so will help improve your reputation and increase the odds that end-users will be able to run your creations. And at the end of the day, that’s what it’s all about for developers, isn’t it?
But be aware, signing your code means you’re putting your personal stamp of approval on your work. So you should also take great pains to write code that’s secure from the ground up, too. After all, an attacker doesn’t need to alter your code if you leave them an opening to use what you’ve already written.
If you’re new to software development—and even if you’ve been around the block a few times—I suggest you read The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities if you can find a reasonably-priced copy. It’ll teach you everything you need to know about secure coding, so you can sign your software with complete confidence that it won’t come back to haunt you.
And that’s all there is to it. Hopefully, you’ve learned why code signing is so important and why you should be doing it. Now go get to it!