Thawte Code Signing Certificate FAQ

Date: July 1st, 2010 | Category: Code Signing FAQs, Thawte Code Signing Information

What are Code Signing Certificates and digital signatures?

Developers and software publishers use Code Signing Certificates to attach a unique digital signature to applets, plug-ins, macros and other executable files before publishing them. The digital signature contains identification information about the publisher and is used to confirm that the code has not been altered or tampered with since release.

[ Back to Top ]

Why do developers need to sign their code?

Easy online distribution has made it possible for developers to create fun and functional code, anywhere and everywhere. However, the potential for fraud and the spread of malicious code has increased as well. Software applications and platforms have developed security features to check for a digital signature and recommend whether or not code should be trusted. Some platforms, such as Adobe® AIR®, require digital signatures for all applications.

[ Back to Top ]

What do users see when they encounter signed code?

When a user encounters unsigned code, a security warning pops up or content fails to load, depending on the browser and security settings. Warnings create doubt and confusion for users and often result in support calls to the publisher or developer. When signed code is encountered, a pop-up notification shows the verified identity of the publisher and the user decides whether or not to trust the code. With a Thawte Code Signing Certificate, your code will be as safe and trustworthy to customers as shrink-wrapped software from a store shelf.

[ Back to Top ]

How does the application know to trust my digital signature?

A Code Signing Certificate is a type of digital certificate. When you apply for the certificate, you generate a private/public key pair and submit the public portion to a certificate authority, such as Thawte, along with documentation to prove your identity. Once the certificate authority authenticates and verifies the information, they issue a certificate containing your full organizational name and your public key. Thawte Code Signing Certificates are chained to our Root Certificate and trusted by leading platforms. It is possible to self-sign code, however, you do not have a trusted third party to vouch for the information you provide

[ Back to Top ]

Do I need different Code Signing Certificates for developing code in different platforms?

Each platform has slightly different ways of handling digital signatures. The Thawte Code Signing Certificates for Microsoft® Authenticode® (Multi-Purpose) offers maximum flexibility with a single certificate to sign code developed on multiple platforms. You can digitally sign 32- and 64-bit user-mode (.exe, .cab, .dll, .ocx, .msi and .xpi files), as well as code for Microsoft® Office 2000, Microsoft VBA, Netscape® Object Signing, and Marimba Channel Signing. Thawte offers additional Code Signing Certificates for:

  • Microsoft® Authenticode® (Multi-Purpose)
  • Sun Java®
  • Adobe® AIR®
  • Mac®
  • Microsoft® Office VBA

[ Back to Top ]

Why do Code Signing Certificates expire?

Applications and platforms that use code signing will check whether a certificate is valid as part of the security process. Digital certificates are designed to expire to protect both the certificate owner and the users who trust it. To renew a Code Signing Certificate, the certificate owner provides identification information and the certificate authority authenticates and verifies it. The Thawte Certificate Center makes it very easy to renew, manage, and track all of your code signing and SSL Certificates with a single sign-in.

[ Back to Top ]

Will my code still be valid even though my Code Signing Certificate expired?

A Code Signing Certificate is valid for the validity period purchased and an expired certificate cannot be used to sign code. However, a time stamp shows the validity of the certificate at the time the code was signed. Thawte does not run a time stamp server, however, you can use VeriSign time stamping by adding: “” to the signcode command line. For Sun Java, use

[ Back to Top ]

What happens if a code signing cert must be revoked?

A certificate may be revoked by its owner if it is lost or stolen, or it may be revoked by Thawte if the publisher is distributing malicious or intentionally harmful code. Thawte maintains a certificate revocation list (CRL). Applications and platforms which use code signing will check the CRL to verify whether a certificate is valid as part of the security process.

[ Back to Top ]

Who needs to use code signing?

Any publisher who plans to distribute code or content over the Internet or over corporate extranets risks impersonation and tampering. Thawte Code Signing Certificates provide a high level of assurance about the identity of the code publisher and its integrity.

[ Back to Top ]

Does Thawte certify code or guarantee it?

No. Thawte issues a certificate to the developer not to the code. The certificate certifies that the software really comes from the publisher who signed it – an extremely important consideration when prospective customers decide whether to trust it. The certificate also certifies that the code has not been altered or corrupted during transmission or download and is as the publisher intended it. Thawte will revoke a developer’s Code Signing Certificate if there is any indication that the developer abused the trust of the code signing infrastructure.

[ Back to Top ]

Why Choose Thawte For Code Signing Certificates?

Thawte is trusted by millions of people worldwide. When we issue an SSL Certificate, we know that our name will appear next to yours as the trusted third party who verified it. We take that trust seriously and lead the industry with rigorous authentication methods and a global infrastructure to support real-time certificate look-ups.

[ Back to Top ]

Article published on Code Signing 1-2-3 -

Print this article!