Why Code Signing Is Important

Sophia Belnap

Digitally signing scripts and executables helps ensure that code has not been changed or corrupted and the software publisher's identity is verified. It is important to use this technique for several reasons.

Helps Users Know Whether To Trust Software

Whenever users install new software or run updates and patches to existing software, they must decide whether the software is trustworthy. Code signing helps users make that decision. A digital signature serves as a guarantee to users that the software author is who they think it is and that the code hasn't been altered in a potentially malicious way.

Increases Revenue and Distribution

Malware has become a big problem. Many mobile network providers and software publishers now require a trusted Certificate Authority before they will accept code for distribution. Developers who do not sign their code risk being blocked from distribution on major platforms which could significantly reduce revenue. 

Protects the Reputation of the Developer and the Integrity of the Code

Releasing unsigned code introduces the possibility that third parties can modify your code. At best, this could lead to the user not having the experience with your software that you intended. At worst, it could lead to the user downloading malware disguising itself as your software. Once this happens, users may no longer trust the software that you publish. 

Improves the Customer Experience

Even if your unsigned code hasn't been tampered with, because most systems now check for a valid certificate, users are likely to get security warnings about your software. This can be both concerning and annoying for users. Signing your code avoids these disruptions and helps your customer have a better experience.

Increases Safety in Distributed Environments

Websites and programs that utilize Java applets, ActiveX controls and other scripting code operate in distributed environments. It is not always easy to tell what the source of the code is in these environments. Signing your code helps ensure safety. 

Streamlines Security

Validating signed code relies on the use of certificate authority. Certification authorities are trusted companies that verify software developers and websites to ensure users can trust them. Many frameworks and operating systems are designed to automatically trust specific certification authorities. Using one of these CAs can help you streamline your security process. 

Allows Developers To Establish Trusted Status 

An alternative to going through CAs is to use the trust on first use model. In this model, the developer includes a self-generated key that can be stored inside the digital signature. The user can then choose to trust all software from that particular developer. This saves the user from having to verify trust every time. It also makes it possible for developers to integrate public keys with the installer and use them to make sure that any plugins, upgrades or other applications are verified to be from that developer.

Enables Developers To Upload to the App Store

Apple requires developers to sign their apps before they can run them on a device or upload them to the App Store. This requirement allows Apple to verify that the developer has a valid Developer ID. 

Helps Ensure the Safety of Drivers

Drivers can cause a system to become unstable or lead to security exploits. Because of this, Microsoft tests drivers and then signs the driver after it has determined it is safe. While users can choose to install unsigned drivers they are provided with a warning that the driver could be unsafe before doing so.

Provides Developers With More Control

Users sometimes want to do things with software the developers do not want them to do. For example, most gaming consoles prevent users from running games off copied disks to make it more difficult to distribute pirated software. Signed code makes it more difficult to circumvent the controls in place to prevent copied media from running on these machines.

Digitally signing code is an important technique that improves security and the user experience. Without signed code, many users would be vulnerable to malicious actors.