What are code signing certificates?
Code Signing Certificates are used to digitally sign binaries (Executables and DLLs).
Why to sign binaries?
Signing the binaries ensure that the files are from a trusted source (you/your company) and that they have not been tampered by someone else.
What to sign?
You should use them if you are distributing binaries that you built to a customer. These include the executable (EXE) for your application and any libraries (DLLs) you built to modularize the application. Chances are, that you are also creating a windows installer to package your application. You should sign it too.
What do I need for signing?
- Your binaries
- A code signing certificate
- A code signing tool
Just like an SSL certificate, your code signing certificate has a validity period. If you forget to renew your SSL certificate, browsers will not allow the users to get into your site. Well, unless they are really desperate and bypass the protection. In which case, I would like to know what content you have up there! Thankfully, the certificate providers keep spamming you about the impending expiry and you get a new certificate, put it on your server and every thing is hunky-dory.
The same approach however will not work for code signing. You do not put the certificate/private key with your application. You use it to sign the binaries and embed that information in the binaries itself (it actually modifies your binary). Your certificate might expire 2 years from now, but the binaries must keep on working beyond that. To do this, we utilize a Timestamp server from a trusted authority. This is done during the code signing phase. The signing tool hits the timestamp server and embeds the information in your binary. Congratulations, your application is now Omnitemporal! Operating systems will never warn the user that the code signing certificate has expired, even after the actual expiry date of the code signing certificate has long gone.