Code signing implementations provide a way to affix a digital signature and timestamp to your code using private and public key systems. The system works much the same way a website is secured by an SSL certificate. For example, in the case of .NET, a developer uses a unique key to sign his executables or libraries each time a version is released. This key belongs exclusively to an individual developer or group (or sometimes even just to an object or an application). The author can either generate this key on his own or obtain one from a trusted certificate authority (CA).

Certificate Authorities

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates for use by other parties. It is an example of a trusted third party. CAs are characteristic of many public key infrastructure (PKI) schemes. In code signing for software and applications there is a limited number of these authorities. Among commercial certificate authorities, VeriSign is perhaps the best known, followed by Thawte, Comodo, GlobalSign and GoDaddy.

Commercial CAs charge to issue certificates that will automatically be trusted by most web browsers (Mozilla maintains a list of at least 36 trusted root CAs, though multiple commercial CAs or their resellers may share the same trusted root).

Large companies, educational entities and government entities may have their own CAs.

Code signing is absolutely necessary in today's environment, where the originator of a given program may not be easy to verify: Java applets, ActiveX controls and other active web and browser scripting code, for example. Equally important is the ability to safely provide updates and patches to existing software. Most Linux distributions, as well as both Apple Mac OS X and Microsoft Windows update services, use code signing to ensure that it is not possible to distribute malicious code via the patch system. This frees them from having to worry about distribution security, such as mirror sites which may not be under the authors' complete control, or any other intermediate piece of the deployment.

Trusted identification via a Certificate Authority (CA)

Ideally, the public key used for code signing is traceable back to a trusted root authority, preferably using a secure public key infrastructure (PKI). Keep in mind that this has nothing to do with whether or not the code itself can be trusted, only that it comes from the originating developer (or, to be more exact, from a particular private key). A certificate authority provides a root trust level which is able to assign trust to others by proxy. If a user is set to trust one of these certificate authorities and receives an executable signed with a key generated by that CA, he can choose to trust the executable because anything from that source is considered trustworthy.
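The following Go program is an added, runnable illustration of the mechanism described on this page, both the signing step from the opening paragraph (a private key signs the hash of the binary, the matching public key verifies it) and the chain of trust described in this section (the publisher's certificate must chain to a root the consumer already trusts, which proves origin and nothing more). It is example code written for this page, not code from the page's author, from .NET's signing tools or from any CA; it uses only Go's standard library crypto/x509 and crypto/ecdsa packages. The root CA, the publisher name, the serial numbers and the "executable" being signed are constructed placeholders, and the root is self-signed in memory rather than obtained from a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedArtifact is what ships with the binary: bytes, signature over their SHA-256 hash, publisher cert.
type SignedArtifact struct {
	Code      []byte
	Signature []byte
	Cert      *x509.Certificate
}

// template fills the common fields; serials and names are constructed placeholders.
func template(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
}

// issue creates the certificate described by tmpl for pub, signed by the
// parent's key (pass tmpl itself as parent for a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA builds an in-memory, self-signed root (constructed, not a real CA).
func NewRootCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(1, "Example Root CA (constructed)", now)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// NewPublisher generates the developer's key and has the CA certify it,
// restricted to the code-signing extended key usage (EKU).
func NewPublisher(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, now time.Time) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(serial, name, now)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	return key, cert, err
}

// Sign is the developer's side: hash the code, sign the digest with the private key.
func Sign(code []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) (*SignedArtifact, error) {
	digest := sha256.Sum256(code)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedArtifact{Code: code, Signature: sig, Cert: cert}, nil
}

// Verify is the consumer's side. Step 1 chains the shipped certificate to the
// trusted root (also checking validity dates and the code-signing EKU); step 2
// checks the signature against the hash of the bytes actually received.
func Verify(a *SignedArtifact, now time.Time, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if _, err := a.Cert.Verify(opts); err != nil {
		return fmt.Errorf("publisher certificate not trusted: %w", err)
	}
	if err := a.Cert.CheckSignature(x509.ECDSAWithSHA256, a.Code, a.Signature); err != nil {
		return fmt.Errorf("signature does not match code (tampered or wrong key): %w", err)
	}
	return nil
}
```

Verify deliberately reports the two failure modes a consumer should tell apart: a certificate that does not chain to a trusted root (or that lacks the code-signing EKU, or is outside its validity window), and a signature that does not match the bytes on disk, which is what a tampered download from an untrusted mirror produces. A nil result establishes only which private key signed the code; a publisher whose certificate chains correctly can still ship harmful code, exactly the caveat the section above makes.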