Everything you wanted to know about Code Signing but were afraid to ask

1. Why can’t I sign scripts with my TLS/SSL certificate?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), use encryption to transfer data securely between clients and servers. Certificates are issued with their intended purpose coded and signed into the certificate itself.

This means that TLS/SSL certificates can only be used to secure communications in real-time between a server and a client. To sign your scripts, you need a certificate intended specifically for digital signatures.

2. How do I create a Code Signing Certificate?

For internal use only, you can create a self-signed code signing certificate. While useful for testing purposes, it will generate a security alert for anyone other than you. To create a self-signed certificate with PowerShell, try using New-SelfSignedCertificate (part of the PKI module).

$cert = New-SelfSignedCertificate -DNSName "www.domain.com" -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject “Example Code Signing Certificate”

To create a code signing certificate for products to be used by others, you will need to purchase one from a respected Certificate Authority (CA). Although we cannot recommend any particular Certificate Authority, Microsoft lists several here specifically for EV Code Signing Certificates. The recommendations from Microsoft all also offer Standard Code Signing Certificates, and some offer Individual Code Signing Certificates.

Note: there is no such thing as a free code-signing certificate for public use. Be wary of anyone who says there is or offers any kind of “free trial”.

3. How do I create a Certificate Signing Request (CSR)?

Windows: Digicert offers a free utility and instructions to create a CSR here.

Mac: Apple has instructions for using Keychain to create a CSR here.

4. Why should I timestamp my signature?

A timestamp is a small data strand that gets included along with the signature when a script or executable is signed. The signature, along with the timestamp, ensures the signature was made at a time when the certificate was still valid. That means your code will not expire when the certificate expires because the system validates the timestamp.

5. What type of certificate do I need?

That depends upon your use case. To help you make a decision, we’ve laid out the basic differences here.

Standard Code Signing (OV/Regular)

Standard Code Signing Certificates are also known as Regular or Organization Validated (OV) Code Signing Certificates.

Standard certificates allow reputation to build organically as files are downloaded. The certificate is stored in an encrypted file on the purchaser’s computer and remains portable to other computers by simply copying the file. This type of certificate can sign drivers for Windows versions before Windows 10 and are trusted on virtually every platform (and browser, where applicable).

EV Code Signing

In Extended Validation (EV) Code Signing Certificates, the private keys are stored externally to prevent any unauthorized use.

EV code signing certificates offer instant reputation with SmartScreen, Microsoft’s reputation-based scanner. They require two-factor authentication, meaning they are distributed on an encrypted hardware token that is required for signing. This type of certificate is required for Windows 10 kernel-mode driver signing and is trusted on virtually every platform (and browser, where applicable).

Individual Code Signing

The Individual Code Signing Certificate is specially designed for independent web developers, software developers, freelancers, etc., who are looking to safeguard their software code, scripts, internal software properties, objects, etc., with a digital signature.

Microsoft Authenticode Code Signing

Some code signing certificates are specifically marketed as Authenticode code signing certificates, but any trusted code signing certificate can be used to sign Authenticode. Microsoft defines Authenticode as “a Microsoft code-signing technology that identifies the publisher of Authenticode-signed software. Authenticode also verifies that the software has not been tampered with since it was signed and published.” So, it’s not a certificate type at all, rather a method of signing used by everything signed on a Windows machine with a Microsoft API. Read more about Authenticode Digital Signatures here.

6. So, how do I sign my code?

Fortunately, SAPIEN products make it easy for you to sign your code.

Once you have installed your code signing certificate, you can easily sign your scripts themselves (PowerShell, VBScript, JScript) and your packaged executables and MSI files by selecting Sign Script.

PrimalScript
PowerShell Studio

In the resulting window, leave the Certificate field blank to sign with the first available certificate in your personal store, or select a certificate on your machine.

Choose a timestamp server and click OK to save.

PrimalScript

Once you have set up your script signing, you can select “Automatically sign scripts when saving” and your scripts will be signed automatically every time you save them.

PrimalScript

In PowerShell Studio, you can enable “Automatically sign .ps1 scripts when saving” in options and your PowerShell scripts will be automatically signed every time you save them.

PowerShell Studio

Related

Check out these articles to learn more about Code Signing:

As always, if you have any feedback or suggestions, let us know in the comments or in our support forums.