Code signing How-To¶
What is code signing and why is it required?¶
Windows¶
Code signing provides benefits to application security features like Windows Defender Application Control (WDAC). It allows the system to cryptographically verify that a file hasn’t been tampered with before any code is to run.
Windows doesn’t require software developers to digitally sign their code. Users can install applications from sites other than the Microsoft Store if they allow such applications to run. When code sign is provided, Windows reduces the number of warnings when running.
macOS¶
App code signing process in macOS
“On devices with macOS 10.15, all apps distributed outside the App Store must be signed by the developer using an Apple-issued Developer ID certificate (combined with a private key) and notarized by Apple to run under the default Gatekeeper settings. Apps developed in-house should also be signed with an Apple-issued Developer ID so that users can validate their integrity.”
Starting with OmegaT 6.0.2, OmegaT is distributed as a notarized application for both the old Intel CPU machines and the new Apple CPU machines (starting with M1).
How to obtain a certificate?¶
A certificate can be obtained from certification authority companies. Both Microsoft and Apple specify which companies are compatible with their respective platforms.
Windows¶
Many certification authority companies provide a certification for code signing for Windows.
Certum Open Source developer certificate program¶
Certum® is one of the certification authority services provided by Asseco Ltd.
They provide discounted a code signing certificate to FOSS projects. They not only check developer individual identities but also check the project itself.
Comodo certificate for individuals¶
Comodo provides a certification with affordable prices for individuals.
macOS¶
Apple is the only authority that provides a certification for code signing and notarization. The certification comes with an Apple Developper account.
Certificate issued by Apple¶
A developper account comes with an Apple verified developper ID.
Application notarized by Apple¶
Apple provides the notarization service based on the Apple verified developper ID.
Tools¶
Windows¶
signtool.exe¶
signtool.exe is a utility bundled with Windows SDK.
SignTool is a command-line tool that digitally signs files,
verifies the signatures in files, and time stamps files.
The tool is installed in the \Bin folder of the Microsoft Windows SDK installation path,
for example C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe.
You can find more information at
https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
Linux¶
osslsigntool¶
osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe - more exactly the Authenticode signing and timestamping. osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where the commands exist.
See https://sourceforge.net/projects/osslsigncode/ for more informations.
OpenSC¶
OpenSC is an open source smart card tools and middleware. It supports PKCS#11/MiniDriver/Tokend.
The list of supported hardware is at OpenSC Wiki.
openssl-pkcs11¶
macOS¶
The tools and processes are described here: