Code signing certificates let end-users verify who published a piece of code and detect whether it has been altered since it was signed. They do not make tampering impossible; they make it visible, so altered code can be rejected before it runs.
Similarly, TLS/SSL certificates authenticate a server or website to a browser or user's computer, and the TLS protocol then encrypts the connection between them to protect end-users.
However, they are not the same thing and cannot be used interchangeably.
Code signing certificates are used to authenticate the software developer or publisher and to verify that the software has not been altered or compromised. Software developers use them to digitally sign applications, drivers, executables and software programs so that end-users can check that the code they receive has not been modified by a third party. The certificate binds the publisher's company name to the signing key and is itself issued by a certificate authority; the signature on the code can additionally carry a trusted timestamp, so it remains verifiable after the certificate expires.
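The following is an added example, not code from DigiCert or from this page, showing the two checks a code signing verifier performs: the signer's key must be one we already trust (in production, a certificate chaining to a trusted CA rather than a raw key), and the signature must match the bytes actually received. It uses Go's standard library Ed25519 rather than any particular signing format; the `SignedArtifact` type, the `Demo` function and the embedded installer bytes are constructed for the illustration. Like Authenticode, it signs a hash of the file rather than the file itself, and the file stays in plaintext throughout.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedArtifact is what an end-user downloads: the program bytes in the clear,
// the publisher's public key, and a signature. Nothing here is encrypted.
// (Constructed type for this example; real formats embed a certificate chain.)
type SignedArtifact struct {
	Code      []byte
	Publisher ed25519.PublicKey
	Signature []byte
}

var (
	ErrUntrustedPublisher = errors.New("publisher key is not in the trust store")
	ErrBadSignature       = errors.New("signature does not match the code received")
)

// SignArtifact is the publisher's step: hash the file, sign the hash.
func SignArtifact(priv ed25519.PrivateKey, code []byte) SignedArtifact {
	digest := sha256.Sum256(code)
	return SignedArtifact{
		Code:      code,
		Publisher: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// VerifyArtifact is the end-user's step. Order matters: an attacker can always
// produce a valid signature with their own key, so identity is checked first.
func VerifyArtifact(trusted []ed25519.PublicKey, a SignedArtifact) error {
	known := false
	for _, k := range trusted {
		if bytes.Equal(k, a.Publisher) {
			known = true
			break
		}
	}
	if !known {
		return ErrUntrustedPublisher
	}
	digest := sha256.Sum256(a.Code)
	if !ed25519.Verify(a.Publisher, digest[:], a.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo runs the three cases a verifier must get right and returns each outcome:
// genuine code, code tampered after signing, and code re-signed by an unknown key.
func Demo() (genuine, tampered, untrusted error) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // the legitimate publisher
	_, privB, _ := ed25519.GenerateKey(rand.Reader)    // an attacker with their own key
	trust := []ed25519.PublicKey{pubA}

	code := []byte("echo 'installer v1.0'") // constructed stand-in for a binary

	good := SignArtifact(privA, code)
	genuine = VerifyArtifact(trust, good)

	// Flip one byte after signing: the signature no longer matches the hash.
	evil := good
	evil.Code = append([]byte(nil), code...)
	evil.Code[0] ^= 0x01
	tampered = VerifyArtifact(trust, evil)

	// The attacker re-signs the modified code with their own key. The signature
	// is mathematically valid, but the key is not one the user trusts.
	resigned := SignArtifact(privB, evil.Code)
	untrusted = VerifyArtifact(trust, resigned)
	return
}

func main() {
	g, t, u := Demo()
	fmt.Println("genuine:            ", g)
	fmt.Println("tampered:           ", t)
	fmt.Println("untrusted publisher:", u)
}
```

The third case is the one that matters most in practice: signing alone proves nothing about who signed, which is why the verifier needs a trust store (or a CA-issued certificate) and not just signature mathematics.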
SSL (Secure Sockets Layer) was the original protocol for securing an internet connection by encrypting data sent between a website and a browser (or between two servers). The certificate authenticates the server to the client; the protocol then encrypts the session so that an eavesdropper cannot read or alter the information transferred, including personal or financial data.
TLS (Transport Layer Security) is the successor to SSL and offers stronger security; the SSL protocol versions themselves are deprecated. Some still refer to security certificates as SSL because it's a more common term, but when you buy from DigiCert, you get the most trusted, up-to-date TLS certificates.
TLS certificates cannot be used for code signing. The certificate's Extended Key Usage extension states what it may be used for (server authentication for TLS, code signing for software), and verifiers reject a certificate presented for a purpose it was not issued for. You must use separate certificates for code signing and for TLS.
Code signing certificates are used to sign software so its origin and integrity can be verified, whereas TLS certificates are used to authenticate a website and secure the encrypted connection to it. However, both are used to protect end-users and companies.
If you don't use these certificates, end-users will see browser and operating-system warning messages that could stop them from using your services or installing your software.
You need a code signing certificate when deploying software and updates to protect your intellectual property, protect end-users, and meet industry and platform requirements.
Code signing certificates allow customers to verify that your code is authentic and has not been tampered with, protecting both you and your customers against fraud, malware and theft. Your customers expect the installation of your software to run smoothly and professionally after they download it. Digitally signed programs can avoid warning messages during download and installation, which improves adoption.
Additionally, the partners, channels and platforms that distribute software expect you to safeguard their customers’ data and will require or expect code signing best practices.
DigiCert offers both code signing and EV code signing certificates. Standard code signing certificates provide a digital signature over your code, while Extended Validation (EV) code signing certificates include all the standard benefits of digitally signed code plus a rigorous vetting process of the publisher and a two-factor authentication requirement for use of the signing key, so your users can have even greater confidence in the integrity of your applications. Plus, for the Microsoft Defender SmartScreen reputation filter, an EV code signing certificate gains you immediate trusted status to reduce warning messages and increase end-user trust.
If not managed properly, code signing can put your business at great risk: a signing key or build pipeline that an attacker can reach turns your trusted signature into a distribution channel for their code. Incidents like the SolarWinds attack are good examples of the consequences of poorly protected code signing processes.
Studies show that over half of IT security professionals are worried about cybercriminals stealing or forging certificates to sign code or applications, yet fewer than a third consistently enforce code signing policies. To make code signing management simpler, DigiCert has innovative solutions for today's enterprises.
Secure Software Manager in DigiCert ONE™ is a modern way of managing code signing, enabling automated security across Continuous Integration/Continuous Delivery (CI/CD) pipelines with portable, flexible deployment models and secure key management. Secure Software Manager supports code signing best practices, such as one-time private keys and certificates per signing operation, as well as on-demand keys and rotating keys. It is compatible with most popular platforms and libraries, like Docker, Microsoft Authenticode, Java, OpenSSL and Android. With Secure Software Manager, signing can be integrated directly into the product development process, with cryptographic operations, signing and key management carried out in a controlled, auditable manner.