A Code Signing certificate is a special type of digital certificate fundamentally different from regular web SSL certificates. Its purpose is not site protection but confirming software authenticity. When a developer distributes a new program, driver, mobile app, or PowerShell script to users, they sign it with a Code Signing certificate. This signature guarantees two important things: first, who the true author of the program is, and second, that the program has not been altered by anyone during distribution. This is very important for modern operating systems and antivirus programs because unsigned software is often flagged as malicious.
Code Signing types and validation levels
There are two main types of Code Signing certificates: Standard and Extended Validation, or EV. The Standard certificate goes through regular validation and is mainly suitable for small developers and open source projects. The EV Code Signing certificate goes through enhanced validation, where company documents, business registration, and other official information are verified. The EV certificate is delivered as a separate USB token, which dramatically increases security. The Microsoft SmartScreen filter immediately considers only programs signed with EV certificates as trusted.
What formats Code Signing works with
A Code Signing certificate can be used to sign many types of files. Most common: Windows executable files EXE and DLL, Microsoft Installer packages MSI, ActiveX components, Java JAR files, Adobe AIR applications, Apple Mac programs, Microsoft Office macros, and PowerShell scripts. For mobile apps: Android APK files for Google Play, iOS apps are signed through an Apple Developer certificate.
Code Signing process
The signing process is usually performed using command line tools. For Windows, the signtool.exe utility is used, included in the Windows SDK. The command specifies the certificate file, timestamp server, and the file to be signed. The timestamp is very important because even after the certificate expires, signatures with timestamps continue to be valid.
EV USB token
The EV Code Signing certificate is mandatorily delivered as a hardware token, that is, a USB device compliant with the FIPS 140-2 standard. This greatly increases security because the certificate and private key cannot be extracted from the USB token.
Sayt.uz practice
Through Sayt.uz, full service is provided for obtaining and installing Code Signing certificates. Sectigo Standard Code Signing certificate from 890 thousand soum, DigiCert Standard from 1 million 290 thousand soum. EV Code Signing certificates from 2 million 490 thousand soum, delivered with a USB token. 94 percent of clients receive the certificate within 3 business days. Consulting for automating signing in CI/CD pipelines from 290 thousand soum.