Secure Software

Use your software securely

Does your company produce software? If so, a Code Signing Certificate lets your users check where the code came from and that it has not been altered since you released it. When a user installs a new program, the operating system or installer checks whether the program carries a valid signature backed by a Code Signing Certificate. If it does not, the user is warned that the software comes from an unverified publisher and that installing it is therefore risky.

For an OV- or EV-validated signature, the organisation that produced the code must first be verified by a trusted third party, the Certificate Authority (CA). The signature also protects integrity: it is computed over the program's contents, so if anyone changes the code after it was signed, the signature no longer matches and verification fails. An EV-level certificate carries more information about the software vendor, and obtaining one therefore requires a more detailed verification of the organisation.

Wesentra supplies its customers with Code Signing Certificates from Entrust. Customers who use the Entrust portal can issue them there; others can have them delivered through Wesentra's own portal.

Two Ways to Sign Code

The private key belonging to a Code Signing Certificate is always kept on a Hardware Security Module (HSM). The defining security property of an HSM is that the key can only be used on the module: it cannot be exported, transferred or copied, so someone who compromises a build machine cannot walk away with the signing key.

But there are two different ways for software producers to sign their code:

1. One way is to have the certificate and its private key delivered on a USB HSM token, a memory stick with an embedded secure chip on which the key lives and from which it cannot be copied. Keep the token somewhere secure, such as a safe, whenever it is not in use. When program code needs to be signed, the token is plugged into the server or workstation, unlocked with its password (PIN), and the code is signed; remove the token again once signing is done, so that the key is not available to whatever else runs on that machine. At Wesentra, delivery of the HSM token is included in the price of the code-signing certificate.

2. The other is to keep the private key in a cloud HSM service such as Azure Key Vault and sign from there. This is the better choice if the code is already built in the cloud: the build pipeline calls the Key Vault signing operation, the key never leaves the HSM, and access to it can be restricted to the build identity and logged.
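The two properties both signing methods rely on, a key that only ever produces signatures and never leaves its module, and a signature that fails as soon as the signed bytes change, can be demonstrated in a few lines. The following is an added example, not code from Wesentra, Entrust or Azure. It assumes a software ECDSA P-256 key generated in memory as a stand-in for the key generated inside a USB token or Key Vault, a made-up byte string as the "installer", and it leaves out the X.509 chain and timestamp checks a real installer also performs.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// moduleKey stands in for a signing key held on an HSM, whether a USB token
// or Azure Key Vault. The private key field is unexported and the type only
// implements crypto.Signer: callers can obtain signatures and the public key,
// but no method hands out the private key itself. Real HSM-backed keys
// (PKCS#11 tokens, Key Vault clients) are wired into Go programs through this
// same interface. Assumption for this example: a software ECDSA P-256 key
// generated in memory stands in for the key generated inside the module.
type moduleKey struct {
	priv *ecdsa.PrivateKey
}

// newModuleKey generates the key "inside the module".
func newModuleKey() (*moduleKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &moduleKey{priv: priv}, nil
}

// Public returns the public key, which is what the certificate carries.
func (k *moduleKey) Public() crypto.PublicKey { return &k.priv.PublicKey }

// Sign signs an already-computed digest. Only the digest crosses the module
// boundary, so the module never needs to see the full binary.
func (k *moduleKey) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, k.priv, digest)
}

// signCode is the publisher's side: hash the artifact and have the module
// sign the hash. The returned ASN.1 signature ships alongside the program.
func signCode(signer crypto.Signer, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// verifyCode is the installer's side: recompute the hash over the bytes it
// actually received and check the signature under the publisher's public key.
// Any change to the artifact after signing changes the digest and fails here.
func verifyCode(pub crypto.PublicKey, artifact, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

// constructedInstaller is a stand-in for a compiled program; the bytes are
// made up for this example.
func constructedInstaller() []byte {
	return []byte("MZ\x90\x00 constructed installer image for the example v1.0")
}

func main() {
	key, err := newModuleKey()
	if err != nil {
		panic(err)
	}
	installer := constructedInstaller()

	sig, err := signCode(key, installer)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine installer verifies:", verifyCode(key.Public(), installer, sig))

	// An attacker replaces one byte in the distributed file: the digest
	// changes and the signature no longer matches.
	tampered := append([]byte(nil), installer...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("tampered installer verifies:", verifyCode(key.Public(), tampered, sig))

	// A different key cannot produce a signature that verifies under this
	// vendor's public key, so a signature from another publisher is rejected.
	other, _ := newModuleKey()
	forged, _ := signCode(other, installer)
	fmt.Println("signature from another key verifies:", verifyCode(key.Public(), installer, forged))
}
```

In production the public key is wrapped in the Code Signing Certificate, and the installer additionally checks that the certificate chains to a trusted CA and that the signature carries a trusted timestamp. Swapping the USB token for Azure Key Vault changes only the `moduleKey` stand-in: a PKCS#11 or Key Vault client implementing the same `crypto.Signer` interface takes its place, and `signCode` and `verifyCode` stay as they are.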