If you intend to distribute software or any type of files over the internet, Codesigning helps in convenient distribution.
Codesigning is the process of signing code files to confirm the author and guarantee that it has not been altered or corrupted since it was signed. It is a mandatory step in avoiding warnings shown to the users when they download and run a file.
Codesigning cements the legitimacy of an app to its users. Having a certificate makes sure a file doesn’t get altered or corrupted on its the way from the developer to the end-user.
If you choose to distribute executable apps from a website, you have to go through some inconvenience that developers in the past didn't, at least not on the same level. Latest releases of macOS and Windows warn users that you're not a well-established publisher. As a result, you might end up losing potential users. Having a coding certificate helps reduce such warnings.
Writing an app is hard enough. The last thing you want to see is a non-trustable badge on your App name.
A Certified Authority (CA) issues a certificate after successful validation of the data provided. It is possible to register as a company or an individual. For individual verification, a National ID and a selfie holding it would suffice.
This certificate is used to sign files. But, it is not guaranteed that after signing an app, the end-users would stop seeing warnings when they download and run your app.
There are many CA's who provide code signing certificates of different kinds. Basic certificates take time to build up reputation displaying warnings meanwhile.
It depends on the demographics of the users downloading the app to make the warnings to go away quicker. More information is provided in this document from Microsoft. Note that Microsoft doesn't give away the number of downloads required to build up a reputation.
CA's also sell extended validation certificates wherein the validation is rigorous. Microsoft Windows doesn't show warnings for files signed with an EV certificate.
Unsurprisingly, EV certificates cost three times as much as the basic code signing certificates. For most use-cases, a basic certificate should suffice with the only downside of initial users having to go through warnings.
There are two options that stand out amongst others: Microsoft's sign tool and DigiCert's utility. The latter being the simpler option.
In case of a desktop application, it is important to sign the installer file, .exe files and DLL's. If you use third-party DLL's, there is a good chance it must be already signed. You can check if a file is already signed by reading its properties data from the context menu.
These are some of the well known Certified Authorities:
There are third-party distributors who sell the same certificates on a discounted price. I saved close to $40 by getting my certificate from this distributor.
Even if you get the certificate from a third-party, the original CA would be the one performing validation and issuing the certificate. The distributor in this case simply hands over your case to the CA.
Note that Comodo is the only option for Individual verification. It is available through third-party distributors as well.
It is possible to generate a self-signed certificate. Microsoft clearly mentions this certificate should only be used for testing purposes.
For validation identity and to getting rid of warnings on operating systems, a certificate from an authorised CA is the only option.
I have used a basic codesigning certificate to sign FsmPro which is a cross-platform app that helps developers design robust code and saves development and review time. If you're a software developer and incorporate state machines in your projects, FsmPro could help you and your team save resources and spend more time in making your designs better.
Create your free account to unlock your custom reading experience.