What is “code signing”?

//What is “code signing”?
What is “code signing”?2019-01-17T00:51:48+00:00

What is “code signing”?

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.

Developers must buy a code signing certificate from a Certificate Authority such as Comodo, GlobalSign or Digicert which typically costs a few hundred pounds (£) per year. Using that certificate, however, the developer can “sign” an executable file and upload it to a website. Users who download that software can then be assured the executable is genuine. Equally, and perhaps more importantly, their computers operating system (Windows, OSX or Linux) will also happily execute the program without showing alarming messages, or perhaps prevent it from not running at all.

Quickhash Codesigned Dialog

Corporates and government agencies, whose computer system are often heavily configured to disallow any software running that is not digitally signed, can also therefore benefit from a code signed executable of QuickHash, whereas before they could not.

However, even open-source developers who give their software away freely have to pay for such a certificate. I have to pay over £250 per year for the code signing certificate that I use to digitally sign QuickHash. To recoup those costs, I ask for a small payment to download the code-signed version of QuickHash. It is as simple as that. You are paying a small fee for the assurance and convenience of getting code signed software. If that is not necessary for you, just use the free unsigned version. Any profit gained each year goes towards the AWS web hosting costs. Any profit after that will most likely be donated to dog related charities for which I am fond.

Apple Mac OSX users note : this is not an application that has been signed using an Apple Inc certificate for the Apple App Store. It is digitally signed though, using a certificate from Digicert. You can check this in the terminal after downloading using the following command :

codesign -dv –verbose=4 Quickhash.app

and you should see information verifying the application as signed. Apple just like to get everyone to buy into their club.

Also, Apple OSX is likely to moan at you for trying to run a 32-bit program. Up to and including OSX Mojave, it should run. The OS after that I am likely to be forced to drop Quickhash For OSX because its too tricky compiling a 64-bit version for that OS.

Read the results of the survey that formed the decision to make QuickHash available as code signed