Self-Signed vs. Publicly Trusted CA Code Signing Certificates: Why Publicly Trusted CA Code Signing Certificates Are Better

As a software developer or publisher, you have probably noticed that operating systems increasingly require proof of who published a piece of code before they trust it and allow it to be installed.

Due to such strong requirements, you’ll want to consider signing your software, code, apps, and other executable files before making them available to users for installation. If that’s the case, using a self-signed certificate might have crossed your mind, because it can be attractive due to the cost savings.

But before you decide, read this article to understand the difference between a self-signed code signing certificate and a publicly trusted CA code signing certificate issued by a trusted certificate authority such as Sectigo, because a self-signed code signing certificate can cause some major problems.

Unknown Publisher vs Verified Publisher

Self-Signed Code Signing Certificate vs. Publicly Trusted CA Code Signing Certificates

Each row below compares a self-signed code signing certificate with a publicly trusted CA code signing certificate.

Certain Sets of Standards & Policies
Self-signed: Developers, publishers, or issuers like you provide their own policy, which will not be trusted by browsers or the internet.
Publicly trusted CA: Certificates are issued by trusted certificate authorities that follow the standards set by the CA/Browser Forum, which browsers and the internet trust.

Verification of Identity
Self-signed: The issuer of a self-signed code signing certificate has an unconfirmed identity, which is not trusted or displayed in the trust dialogue.
Publicly trusted CA: A code signing certificate issued by a CA is trusted and displayed in the trust dialogue because thorough identity verification is performed before it is issued.

Warning or Error Message
Self-signed: Whenever someone tries to download or install an executable file signed with a self-signed code signing certificate, a warning is displayed saying that the publisher is not verified, and the dialogue shows "Unknown Publisher".
Publicly trusted CA: Executables signed with publicly trusted CA code signing certificates issued by recognized certificate authorities like Comodo are trusted, and the user sees no warning or error message.

Authenticity & Integrity
Self-signed: The recipient of a file signed with a self-signed certificate cannot verify the authenticity and integrity of the publisher's identity.
Publicly trusted CA: The recipient of executables and files signed with a publicly trusted certificate can verify the authenticity and integrity of the publisher's identity.

Validation Types
Self-signed: There are no different types of validation.
Publicly trusted CA: Two different types of validation are available: Standard (Organization Validation) and Extended Validation code signing certificates are issued by trusted certificate authorities.

Name of the Publisher
Self-signed: The publisher's name is not displayed on the signed files and executables.
Publicly trusted CA: The publisher's name is displayed on the signed files and executables.

Certificate Revocation
Self-signed: It is not possible to revoke a self-signed code signing certificate, so a compromise becomes a major problem.
Publicly trusted CA: If a code signing certificate issued by a trusted certificate authority is compromised, it can be revoked within a few hours.

Time Stamping
Self-signed: Time stamping of a file or app signed with a self-signed code signing certificate is not possible.
Publicly trusted CA: Timestamping is possible, and it keeps your signed executables and files valid even after your code signing certificate expires.

Purpose
Self-signed: Self-signed certificates can only be used internally for testing, because browsers and operating systems will not trust them and will generate a warning message instead.
Publicly trusted CA: Publicly trusted CA code signing certificates can be used for testing as well as commercial use, and browsers and operating systems will not generate any warning message.

Documents & Proof Required for Issuance
Self-signed: Users can issue self-signed certificates on their own, without any validation or submission of proof that the publisher or organization is a legal entity.
Publicly trusted CA: Rigorous validation is required, depending on the certificate authority, which verifies the legality and genuineness of the organization. Validation takes time, anywhere between 1-5 days.

Customer Help & Support
Self-signed: No support is available, as you are the one issuing the certificate.
Publicly trusted CA: Support and knowledgebase articles are readily available from your code signing certificate provider.

Validity Period
Self-signed: A self-signed certificate typically has a very long validity period, leaving it exposed to vulnerabilities discovered during that time.
Publicly trusted CA: A code signing certificate from a trusted certificate authority is issued with a validity period of 1 to 3 years.

Cryptographic Functions
Self-signed: A self-signed code signing certificate may use weak cipher and hash algorithms, making it less secure.
Publicly trusted CA: A code signing certificate from a trusted provider comes with the current encryption standard and the strongest cipher and hash algorithms in the industry.

Supported PKI
Self-signed: It does not support current PKI (Public Key Infrastructure) functions such as the Online Certificate Status Protocol and Certificate Revocation Lists (OCSP and CRL).
Publicly trusted CA: It supports current PKI (Public Key Infrastructure) functions, including OCSP and CRL (Online Certificate Status Protocol and Certificate Revocation List).

Here's What Happens if You Sign Your Files Using a Self-Signed Code Signing Certificate

If you have signed your files, apps, or other executables using a self-signed code signing certificate and published them or made them publicly available, users will receive a warning message whenever they try to download or install them.

In fact, the message your users see is very similar to the one they would see if you had not signed your code and files at all. Ultimately, this leads to a potential decline in downloads and conversion rate while harming your reputation.

Unknown Publisher

On the other hand, if you sign your files using a code signing certificate issued by a trusted certificate authority, the user is not shown any warning message, giving them a smooth experience during download as well as installation. Here is an example of how a file signed using a trusted code signing certificate is displayed:

Verified Publisher
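The comparison table and the two dialogues above come down to a handful of checks Windows performs on a signed file: does the signature verify, does the signer's certificate chain to a trusted root, is there a publisher name to show, is the signature timestamped, and can revocation status be fetched. The following PowerShell session, an added example that is not from the original post or any CA's tooling, creates a throwaway self-signed code signing certificate, signs a script with it, and then runs one reporting function over that script and over a vendor-signed binary so the differences are visible side by side. It assumes Windows PowerShell 5.1 or later with the built-in PKI cmdlets; the subject name, the temporary script, the comparison file (powershell.exe is assumed to be Microsoft-signed) and the timestamp server URL are placeholders or assumptions, not values from the article.

```powershell
# Added example (not from the original post): contrast a self-signed code
# signing certificate with a CA-issued one using only built-in cmdlets.
# Nothing here is added to any trust store; the certificate is removed at the end.

# 1. Create a self-signed code signing certificate in the current user's store.
#    -Type CodeSigningCert sets the Code Signing EKU (1.3.6.1.5.5.7.3.3).
#    The 10-year lifetime mirrors the long validity the table warns about.
$selfSigned = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Self-Signed Publisher' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(10)

# 2. A constructed throwaway script to sign.
$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"'

# 3. Sign it. A self-signed certificate can produce a mathematically valid
#    signature; what it cannot do is chain to a root the OS already trusts.
Set-AuthenticodeSignature -FilePath $script -Certificate $selfSigned `
    -HashAlgorithm SHA256 | Out-Null

function Test-PublisherTrust {
    <#
      Reports, for one signed file, the facts behind the
      "Unknown Publisher" vs "Verified Publisher" dialogue:
      signature status, whether the chain reaches a trusted root (with
      online OCSP/CRL checking), the publisher name, and the timestamp.
    #>
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $chainOk  = $false
    $problems = @()
    if ($cert) {
        # Build the chain the way the OS does for Authenticode: require the
        # Code Signing application policy and fetch revocation status online.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $codeSigningOid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
        $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningOid) | Out-Null
        $chainOk  = $chain.Build($cert)
        # For a self-signed cert this lists flags such as UntrustedRoot and,
        # because it carries no CRL/OCSP URLs, RevocationStatusUnknown.
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }

    [pscustomobject]@{
        File          = Split-Path -Leaf $Path
        Status        = $sig.Status            # Valid, NotSigned, UnknownError, ...
        StatusMessage = $sig.StatusMessage
        Publisher     = if ($cert) { $cert.Subject } else { '(none)' }
        ChainTrusted  = [bool]$chainOk
        ChainProblems = ($problems -join ', ')
        Timestamped   = ($null -ne $sig.TimeStamperCertificate)
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
    }
}

# Self-signed: the file hash matches the signature, but the chain ends in an
# untrusted root, so Status is not 'Valid' and ChainTrusted is False.
# This is the state that produces the "Unknown Publisher" dialogue.
Test-PublisherTrust -Path $script | Format-List

# Comparison: a binary signed by its vendor with a CA-issued certificate.
# powershell.exe is assumed to be Microsoft-signed; Windows system files are
# often catalog-signed, so Timestamped may read False even though Status is Valid.
Test-PublisherTrust -Path "$PSHOME\powershell.exe" | Format-List

# 4. With a CA-issued certificate, sign with a timestamp so the signature stays
#    valid after the certificate expires (use the TSA URL your CA publishes;
#    the one below is a placeholder).
# $caCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
#     Where-Object { $_.Issuer -ne $_.Subject } | Select-Object -First 1
# Set-AuthenticodeSignature -FilePath $script -Certificate $caCert `
#     -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.example.invalid'

# 5. Remove the throwaway certificate and file.
Remove-Item -Path "Cert:\CurrentUser\My\$($selfSigned.Thumbprint)" -Force
Remove-Item -Path $script -Force
```

The chain build uses the same inputs the OS trust dialogue relies on, so ChainProblems is the field to read when a user reports an "Unknown Publisher" prompt: UntrustedRoot means the certificate does not chain to the machine's trusted roots (the self-signed case), while Revoked means a CA-issued certificate was revoked after compromise, which is exactly the remedy the table says a self-signed certificate cannot offer.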

Signing Files Using Publicly Trusted CA Code Signing Certificates Doesn't Mean Breaking the Bank

Signing your apps, software, executables, scripts, and other files with a code signing certificate issued by a trusted certificate authority does not mean you have to pay a considerable amount of money. It is affordable whether you are an individual developer, a publisher, or a software developer in an organization. Certificate authorities like Comodo, Sectigo, and Thawte offer cheap code signing certificates that fit almost any budget.

Closing Thoughts: Self-Signed vs. Publicly Trusted CA Code Signing Certificates

The comparison above between a self-signed code signing certificate and a code signing certificate issued by a trusted certificate authority like Comodo makes it clear that signing apps, software, and other files is all about trust and the longevity of your code.

So it is advisable to use a code signing certificate issued by a trusted provider instead of self-signing, because unwanted warning messages make your apps look untrustworthy and damage your reputation.