How and Why to Codesign Applications

Faisal Khan
Oct 23, 2020


If you intend to distribute software or any other type of file over the internet, code signing makes distribution far smoother. Code signing is the process of signing code files to confirm who the author is and to let recipients verify that the file has not been altered or corrupted since it was signed. It is a mandatory step if you want to avoid the warnings users see when they download and run an unsigned file.

Furthermore, code signing cements the legitimacy of an app in the eyes of its users. A signature from a certificate lets the operating system check that the file was not altered or corrupted on its way from the developer to the end user.

If you choose to distribute executable apps from a website, you have to go through some inconvenience that developers in the past didn't, at least not to the same degree. The latest releases of macOS and Windows warn users that you are not a well-established publisher. As a result, you might end up losing potential users. Having a code signing certificate helps reduce such warnings.

Writing an app is hard enough. The last thing you want to see is an "untrusted" badge next to your app's name.

The Certificate

A Certificate Authority (CA) issues a certificate after successfully validating the data you provide. It is possible to register as a company or as an individual. For individual verification, a national ID and a selfie holding it would suffice.

This certificate is used to sign files. However, signing an app does not guarantee that end users will stop seeing warnings when they download and run it.

Many CAs provide code signing certificates of different kinds. Basic certificates take time to build up reputation, and warnings are still displayed in the meantime.

How quickly the warnings go away depends on the demographics of the users downloading the app. More information is provided in this document from Microsoft. Note that Microsoft does not disclose the number of downloads required to build up reputation.

CAs also sell extended validation (EV) certificates, for which the validation is more rigorous. Microsoft Windows does not show warnings for files signed with an EV certificate.

Unsurprisingly, EV certificates cost three times as much as basic code signing certificates. For most use cases, a basic certificate should suffice, with the only downside being that initial users have to click through warnings.

How to sign files

Two options stand out among the rest: Microsoft's signtool and DigiCert's utility, the latter being the simpler option.

In the case of a desktop application, it is important to sign the installer file, the .exe files, and the DLLs. If you use third-party DLLs, there is a good chance they are already signed. You can check whether a file is already signed by opening its properties from the context menu and looking for a Digital Signatures tab.
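The check described above can be scripted rather than done file by file through the properties dialog. The following PowerShell script is an added example, not code from the article: it audits every installer, executable and DLL in a build directory, flags files whose signature no longer matches their contents or that lack a timestamp, and, when asked, signs the unsigned ones with signtool. It assumes signtool.exe from the Windows SDK is on PATH, that the certificate is installed in the CurrentUser\My store, and that the placeholder thumbprint is replaced with your own.

```powershell
# Added example (not from the original article). Audit signature status of a build
# output and optionally sign what is still unsigned.
param(
    [string]$BuildDir = ".\dist",
    [string]$CertThumbprint = "<CERT-THUMBPRINT-PLACEHOLDER>",   # replace with your cert's SHA-1 thumbprint
    [string]$TimestampUrl = "http://timestamp.digicert.com",
    [switch]$Sign
)

# Installer, executables and DLLs all need a signature, so scan them together.
$targets = Get-ChildItem -Path $BuildDir -Recurse -File -Include *.exe, *.dll, *.msi

$report = foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File        = $file.FullName
        Status      = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}
$report | Format-Table -AutoSize

# HashMismatch means the file changed after it was signed: treat it as corrupted or tampered.
$tampered = $report | Where-Object Status -eq 'HashMismatch'
if ($tampered) {
    Write-Warning "Files modified after signing:`n$($tampered.File -join "`n")"
}

# A signature without a timestamp stops validating once the certificate expires.
$report | Where-Object { $_.Status -eq 'Valid' -and -not $_.Timestamped } |
    ForEach-Object { Write-Warning "No timestamp: $($_.File)" }

if ($Sign) {
    $unsigned = $report | Where-Object Status -eq 'NotSigned'
    foreach ($entry in $unsigned) {
        # SHA-256 file digest, RFC 3161 timestamp, certificate selected by thumbprint.
        & signtool.exe sign /fd SHA256 /sha1 $CertThumbprint /tr $TimestampUrl /td SHA256 $entry.File
        if ($LASTEXITCODE -ne 0) { throw "signtool failed for $($entry.File)" }
    }
}
```

Run it without -Sign first to see the report; a second run with -Sign should leave every row at Valid with Timestamped set to True.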

Where to buy certificates from?

These are some of the well-known Certificate Authorities:

There are third-party distributors who sell the same certificates at a discounted price. I saved close to $40 by getting my certificate from this distributor.

Even if you buy the certificate from a third party, the original CA is still the one that performs validation and issues the certificate. The distributor simply hands your case over to the CA.

Note that Comodo is the only option for individual verification, and it is available through third-party distributors as well.

Free certificate?

It is possible to generate a self-signed certificate. Microsoft clearly states that such a certificate should only be used for testing purposes.

For validating your identity and getting rid of operating system warnings, a certificate from an authorized CA is the only option.

Final Thoughts

I have used a basic individual code signing certificate to sign FsmPro, a desktop application for designing state machines and automatic code generation. If you're a software developer working with state machines as part of your development, FsmPro could help you save development time.

I hope this article has been a helpful introduction to code signing applications. As the world becomes more digitally oriented, it's natural for legal documents to become increasingly digitized as well. With this in mind, a good grasp of code signing (and how to implement it according to your needs) will be very helpful indeed. Thanks for reading!