1. white paper
To Increase Downloads,
Instill Trust First
Code signing from VeriSign certifies
the publisher and integrity of the code
2. white paper
+ Building trust: The first step
to distributing software 3
+ Code signing delivers confidence 3
+ How code signing benefits
a software publisher 5
+ What kinds of applications can I sign? 5
+ VeriSign’s code signing solution 6
+ Best practices for code signing 7
+ Conclusion 8
+ About VeriSign 9
Contents
3. white paper
3
To Increase Downloads,
Instill Trust First
Code signing from VeriSign certifies
the publisher and integrity of the code
+ Building trust: The first step to distributing software
Distributing your software through online and wireless channels brings substantial
benefits: You can save money, get your code out faster, and bypass the inventory and
fulfillment constraints of shipping out discs and getting space on retailers’ shelves.
But how can you make best use of those digital channels to circulate your code as
widely as possible?
Start by looking at the process of downloading software from your prospective customer’s
or user’s point of view. They see potential risk in installing code. No matter how exciting
your new functionality and the promise of your latest application, individuals and
companies are concerned that they may be putting viruses or malware on their machines.
Those viruses and malware can wreak havoc: Stealing personal and financial data,
damaging files and systems, and compromising company-confidential information.
The potential impact of malware is even more serious in the mobile environment,
where malicious code can spread through the network to everyone who subscribes to
the provider’s wireless services. Fixing the damage can cost mobile network providers
huge amounts of time and money. Even worse, some damage can’t be easily fixed.
When companies lose the trust of their customers, they usually lose the customers, too.
So before potential customers or users can feel comfortable downloading your code, and
before most platform and network providers will run it, they need to know two things:
First, who you are, and second, that the code hasn’t been changed since you published it.
+ Code signing delivers confidence
Code signing provides customers and users a verified, third-party answer to these two
questions, removing the biggest hurdles to widespread acceptance and distribution of
your code. Customers feel confident buying software in the retail environment because
shrink-wrapped packaging and mainstream distribution provide implicit third-party
verification of the publisher and assurance that the code hasn’t been tampered with. Now
they can feel the same confidence buying code online because code signing provides
explicit third-party confirmation of the source of the code and its integrity. This increases
prospective users’ trust in your business and ultimately boosts your sales and downloads.
VeriSign Code Signing helps build user trust because users see it in action: When they
attempt to download a signed application, a pop-up dialogue box informs them of the true
identity of the publisher and asks whether they wish to continue or cancel downloading.
Users can see if code is signed with a trusted Certificate Authority (CA), self-signed,
or unsigned. When used externally, a self-signed certificate is about as convincing as a
homemade photo ID, and platforms do not recognize its root. Unsigned or self-signed code
triggers an alert that the software publisher is unknown and could be detrimental to the
system. Users are unlikely to download any application that is not signed by a trusted CA.
4. white paper
4
Users know when code comes from a recognized software publisher because they
see a dialogue box, similar to this one, that tells them the publisher’s identity.
But when code is unsigned, self-signed, or signed by an obscure CA, the system
does not recognize the root and displays this warning, which makes it unlikely
that users will proceed with downloading and running the application.
5. white paper
5
+ How code signing benefits a software publisher
As a software publisher, the biggest benefit you’ll get from code signing is help in
establishing user trust in your online applications. Trust stimulates user adoption of
digitally shrink-wrapped, code-signed downloadable applications and helps you sell more
software online. Also, code signing enables you to respond more rapidly to changes
and opportunities in the market because it frees you from reliance on slow and costly
traditional distribution channels so you can reach a worldwide market in near-real time.
Code signing also helps protect your intellectual property, making it much harder for
criminals to use your company name to distribute bogus software or to tamper with your
code. If they do change your code, the code signing certificate will be revoked, which
warns the end user that the software is no longer verifiable. This may also free your
business of legal responsibility for any damages caused by altered code.
With the reassurance of code signing, platform providers, network providers, and device
manufacturers are more likely to accept your applications in their environments, giving
you faster, easier access to more channels and more users. Code signing also makes it
possible for you to enter partnerships or sales contracts with major companies, increasing
your potential market size.
Last but not least, users are learning to avoid any applications that are not code-signed.
Soon code signing won’t be optional but an essential prerequisite for any company that
wants to distribute software online.
+ What kinds of applications can I sign?
You can sign any type of software as long as it requires installation by the user. The
software can be for internal or external use. Types of code that you can sign include:1
• Packaged software
• Web applications
• Freeware
• Shareware
• Enterprise applications
• OEM software
• Operating systems
• Utility software
• Device drivers
• Middleware for software integration.
Code signing supports your commercial sales and external distribution efforts by
reassuring would-be users and buyers with the digital equivalent of shrink-wrap. It also
satisfies the requirements of most platforms, networks, business customers, and partners,
all of which are increasingly demanding code signing before entering into an agreement.
Even if you’re focused only on internal distribution of code to users within your
company, code signing is still important. Potential users will already know who you are
but might not be able to run your code if your IT department requires all code to be
signed. Many IT organizations now prevent anyone from running unsigned applications,
and won’t run applications unless they know which individuals are responsible for it.
1
Online interactive survey of software developers and decision makers, conducted by VeriSign, 7/2008
and Code Signing users interview, conducted by VeriSign, 12/2008
Code signing is
essential to your
business, for
several reasons:
+ Protects your intellectual
property and business
reputation
+ Meets the requirements
of platforms and network
providers as well as
business customers
+ Builds customer confidence
and trust
+ Eliminates disruptive
security alerts that might
turn away customers or
increase support inquiries
+ Helps increase market
reach and adoption of
downloadable software
6. white paper
6
+ VeriSign’s code signing solution
VeriSign® Code Signing Certificates and Signing Accounts allow you to “shrink-wrap”
online software with a digital signature that verifies the authenticity of you as a publisher
and the integrity of the application.
Whether you use a code signing certificate or a code signing account, it will only be
effective in inspiring user confidence if the users trust the CA. A certificate from a CA
users have never heard of may generate security warnings and make them suspicious,
leading them to check further before they proceed.
Choosing VeriSign as your CA increases the odds that users will download your software,
because it’s the world’s most trusted and widely recognized Internet security brand.2
As
the leading CA, VeriSign supports more desktop and wireless platforms than any other
code signing provider. VeriSign roots come pre-installed on most platforms and devices,
so your VeriSign code-signed software will almost certainly install smoothly, without
triggering the security warnings and error messages that make potential users anxious.
Annual audits by KPMG confirm the thoroughness of VeriSign’s approach to identity
assurance. Before VeriSign issues you a certificate, VeriSign authenticates that you are
part of a legally registered organization. In addition, VeriSign contacts each signing
entity using independently verified contact information to ensure that the registered
organization has indeed requested the certificate.
Code Signing Certificates
VeriSign® Code Signing Certificates support Microsoft Authenticode®, Microsoft Office
and VBA, Sun Java™, Adobe® AIR™, and Macromedia Shockwave. Once you obtain your
certificate, you can sign your files using a signing utility specific to the platform.
With a Code Signing Certificate, you can sign multiple applications as long as your
certificate is active. Each time you sign code, the certificate generates a digital signature
using a unique private key that authenticates the code source and code integrity. You
sign all code with the same digital signature using public key cryptography.
When a user’s system software or application encounters your signed code, it uses a
public key to decrypt the signature. By comparing the hash used to sign the application
against the hash on the downloaded application, the system determines whether the
code is properly signed. If your code passes this test, most systems will install it without
further prompts. If your code fails this test, the system will do one of several things
depending on the platform, application, and client security settings: It can warn the end
user, not allow the download, or allow the download without interruption.
Typically, a code signing certificate is valid for one to three years. However, you can save
on the cost of maintaining your code by using VeriSign’s free time stamping service,
which allows customers to verify that the code signing certificate was valid at the time
of the digital signature, and that the code has not been changed since.
Signing Account
VeriSign Signing Account currently supports Microsoft Mobile2Market. A VeriSign
Signing Account uses the same combination of public and private keys as a Code Signing
Certificate, but instead of a certificate that allows you to sign multiple applications with
the same signature, the Signing Account lets you create a unique digital signature for
each iteration of the code. This makes it easier to track and manage the development
process and released versions of code. So, if an application is distributed wirelessly, and a
problem occurs with a new version or upgrade, you can recall just the faulty code, without
impacting the rest of your published applications.
Who requires code
signing—and why
Platform providers
Code signing is already a
requirement for any program
written for the .NET environment,
kernel mode, Adobe AIR,
and some mobile platform
certifications such as Microsoft
Mobile2Market and Symbian
Signed.® These platforms will
generate warning messages or
refuse to install an application
unless it’s code signed by a
recognized Certificate Authority
(CA). Windows platforms such
as Vista and Server 2008
also require code signing for
the Windows Logo program
certification. Trends in the
industry indicate that soon all
operating systems, application
development platforms, and
mobile devices will only install
signed code.
Network providers
Network providers are especially
wary of buggy or malicious
applications and many of them
will not run unsigned code.
In a network environment,
the potential consequences of
downloading malicious code
include destruction of the mobile
device, service interruption,
spread of the malicious
application, identity theft, and
financial damage. The cost of
this damage could run into the
billions of dollars within minutes.
Not only do network providers
fear disruption to service, they
also fear any kind of negative
experience that might drive away
customers. Retaining customers
is essential to network providers’
business models for sustaining
and increasing profitability.
2
Extended Validation and VeriSign Brand, Conducted by TecEd, 10/2007
7. white paper
7
When you enroll for a Signing Account, you purchase a Publisher ID and a bundle of
Content IDs. The Publisher ID is a digital certificate that contains your organizational
information. To sign code, you log into the Signing Account portal using the Publisher
ID for authentication, upload your code, and sign your content. If you are eligible to
use Windows Privileged Access, you then take the extra step of sending the code to a
third-party testing house for an enhanced security check. VeriSign then creates a unique
code signing certificate, the Content ID, and attaches it to your code. When users click
to download the code, the Content ID provides their devices a signature that the devices
check against the VeriSign public key. If the signature and key match, those devices will
download and execute the code.
If you’re a publisher handling a large number of applications and frequent builds,
VeriSign provides a SOAP-based Publisher API in addition to the normal browser-based
interface for signing code. You can use the API to script your signing activities and
integrate them into the overall application development process.
For more information about VeriSign Code and Content Signing Products,
please download “Securing Code Transfer with Signing: A Technical Overview”
or go to www.verisign.com/code-signing
+ Best practices for code signing
In conversations with software developers and publishers as well as users, VeriSign has
heard of a variety of code signing practices. Some of these approaches work better than
others. Based on this input, we offer the following best practices that can enhance the
value of code signing.
Give each developer his or her own certificate. Companies often share a certificate
among all developers working on the same program, but for security reasons it’s good
to be able to track the changes made by individual developers.
Sign frequently. Some companies sign code several times a day. That may or may not
be necessary, depending on your development procedure, but the majority of companies
see value in signing applications at every build.
Make sure your certificates offer time stamping. Time stamping allows users to verify
that the code signing certificate was valid when the software was signed, even if the
certificate has since lapsed. With time stamping, you won’t have to keep renewing
certificates on software you’re no longer modifying, saving you time and effort and
reducing a certificate’s total cost of ownership.
Automate the process with Publisher API. If your development process employs
continuous build, use the same certificate throughout so that you can keep everything
in testing identical to the client experience. Consider Publisher API for daily build
or a frequent build cycle.
Use certificates for change control and quality assurance. If you don’t use continuous
build, designate a production certificate. You can issue individual developers self-signed
certificates that are trusted only on their development computers. When code is ready for
production, a manager can sign it with a code-signing certificate that is trusted by the
production environment. This way, you can prevent untested code from being installed
on your production environment.
Who requires code
signing—and why
Consumers
Consumers are less wary than
network providers, but they are
increasingly cautious about what
they install on their machines.
When they see pop-ups that
warn them about possible Trojan
or ActiveX problems, they’ll
either back out of installing
the software or they’ll call for
support. Consumers feel most
comfortable buying software
in a shrink-wrapped package
from a major chain store, but
today, just 34.6% of developers
distribute their software through
traditional channels, while 43.8%
distribute software online and
34.6% through wireless services.3
Code signing is the new shrink
wrap: a way for consumers to
benefit from the wider range of
choice available through online
distribution while getting the
same assurance of provenance
and code integrity that they
used to get only from physical
packages.
Business-to-business customers
If you’re considering entering into
a partnership or sales contract,
code signing may be a necessary
precondition. Code signing helps
all parties to an agreement verify
that developers have followed
the guidelines for controlling
applications. This builds partners’
trust in the integrity of your
code, so they’re likely to deploy
those applications more widely,
and adopt upgrades and new
functionality more readily.
Ultimately, this could increase
both your sales and share of
customer.
3
Online interactive survey of software developers and decision makers, conducted by VeriSign Internal Research
on Software Developers, 7/2008
8. white paper
8
Sign all applications for wireless platforms, .NET environments, and kernel mode.
Otherwise, it’s virtually impossible to distribute them.
Choose a certificate from a leading CA. Eight out of ten software publishers choose
VeriSign4
because it is the market-leading CA, with its root certificates preinstalled
on most devices and embedded in most applications. Publishers recommend choosing
a strong CA brand, one that helps build customer recognition, support, and a good
reputation5
. If your application is code-signed with a VeriSign certificate, almost all
platforms will trust it and install it without error messages. Root certificates from smaller
CAs are not as likely to be included in the platform, and users may get warning messages.
Don’t put off code signing for any reason. In a recent VeriSign® customer survey,
customers said that the cost of the code-signing solution was minimal compared to
the product cost and potential loss of customers that would result from not using code
signing products6
. Stay current with the industry best practice!
+ Conclusion
Code signing is becoming mandatory for software publishers
Code signing is the best way to meet the requirements of today’s code transfer
environment, which demands publisher verification and proof of code integrity. By
certifying origin of the code and guarding against unauthorized code changes, code
signing creates a digital “shrink-wrap” for code that builds the confidence of users,
platform providers, network providers, and device manufacturers. Code signing is a win/
win—by protecting your own reputation and that of your business, you also protect your
buyers and users, which in turn increases their adoption of your downloadable software.
In a Code Signing users interview conducted by VeriSign in December 2008, software
publishers and developers commented that customers increasingly say they won’t
purchase unsigned products. Publishers observed that code signing makes it easier for
them to distribute software over the Internet and increases customers’ willingness to
download code. Several commented that as soon as a certificate expires, users start
calling the software publisher, and the publisher starts calling VeriSign to renew.
They can’t let the reassurance of code signing lapse.
VeriSign is the best choice for code signing solutions because it supports more
development platforms than any other CA. Its certificate roots are most ubiquitous
and are backed by the most trusted and most widely recognized security brand on the
Internet7
. With a VeriSign certificate authenticating your code, users are more likely to
download it and their systems are likely to install it without question. And once VeriSign
has helped you establish user trust, you have the chance you’ve been looking for: To
impress customers and users with the innovation and functionality of your software,
increase sales and distribution, and grow your business.
4
Online interactive survey of software developers and decision makers, conducted by VeriSign, 7/2008
5
Code Signing users interview, conducted by VeriSign, 12/2008
6
Code Signing users interview, conducted by VeriSign, 12/2008
7
Extended Validation and VeriSign Brand conducted by TecEd, 10/2007