A fundamental way to secure innovation
Code signing is a security control mechanism that proves the authenticity of files and program code. Authenticity is ensured via the creation and verification of digital certificates.
Code signing fulfills two use cases:
- Organizations can prove that the software is trustworthy
- End users can verify the authenticity of the software
This means that users can be sure that the software originates from the manufacturer, has been approved by an independent body, and has not been manipulated by an unknown third party.
How code signing works
1. Code signing requires generating an asymmetric key pair consisting of a public key and a private key.
2. The public key is then submitted to a Certification Authority (CA) and a code signing certificate is requested. The CA issues a certificate containing the public key after successfully verifying the company's identity.
3. The software producer signs the code with their public key, which can be checked for authenticity with the use of the issued code signing certificate.
Utimaco provides a variety of hardware security modules for the secure generation of public and private key pairs, including a Public Key Infrastructure solution for the verification of certificates and certificate lifecycle management.