What Is Code Signing?

Hackers frequently take software — whether offline or online — rearrange and change the code to make it malicious, and then upload it online so users download the free program and the malicious code it contains. To ensure users do not run into this problem, code signing is used. Code signing is a method by which the original programmer or company that made the program signs the program and, when the program is installed, it is authenticated to ensure the program has had no coding added or changed. This does not require any special software on the user’s side, and the user is able to verify the programmer's identity. While this is intended as a form of security, a hacker who creates a program or finds away around a signing can create artificial and misplaced trust.

Programs are constantly sold both online and offline. When someone buys a program offline from a trusted supplier or retailer, the user has very little reason to worry about hackers injecting malicious code into the program. This is because, unless the software developer intentionally made a dangerous program, there is no way for someone to tamper with the software and make it malicious. When a user downloads a program from the Internet, there is no such guarantee.

To protect users who buy or download programs online, code signing is implemented. Code signing is separated into two parts: the developer and the end-user. The developer uses a cryptographic hash, a one-way operation that disguises the code of the program, and then combines his or her private key with the hash. This creates a signature that is implanted onto the program.

When the user receives the program, the second portion of the code signing process occurs. The program examines the certificate and a public key that the programmer placed in the program. Using the public key, the program is able to run the same hash on the current programming, and then it checks the original against the current version being installed. If both the installed program and the original sync up, this shows the user that nothing has been altered. This process is done automatically, and the programs needed for this authentication should be pre-installed on the computer’s operating system (OS).

While code signing is a powerful method for ensuring security, it does have flaws. If the user is downloading a program from a hacker, then the authentication will show the original program is intact. This would lead a user to a false sense of security; the program is made to be malicious, so security is not achieved in this sense. Sophisticated hackers also can get around the hash to inject coding, rendering code signing useless.