eastbaycyber

Code Signing: Definition, How It Works, and Where You’ll See It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Code signing is the process of applying a cryptographic digital signature to software so that systems and users can verify who published it and whether it has been modified since it was signed.

Code signing is a practical security control that uses a digital signature and a signing certificate to prove software integrity (the code hasn’t been modified) and usually publisher identity (who signed it). In day-to-day operations, code signing shows up everywhere—from OS installers and drivers to scripts and CI/CD releases—and it’s a key part of modern supply chain security.

How code signing works

At a high level, code signing relies on public key cryptography and a certificate-based trust model (PKI). The workflow looks like this:

  1. A publisher obtains a code signing certificate - A Certificate Authority (CA) issues a certificate that binds the publisher identity to a public key. - The publisher holds the corresponding private key (ideally in hardware-backed storage or an HSM).

  2. The build system generates a hash of the code - The signing tool computes a cryptographic hash (digest) of the executable/package/script. - Any change to the code changes the hash.

  3. The hash is signed with the publisher’s private key - The signature is attached to the artifact (embedded in a PE file on Windows, included in package metadata, stored as a detached signature, etc.). - Many ecosystems also attach the certificate chain needed for verification (leaf cert + intermediates).

  4. Optional but critical: timestamping - A timestamp authority (TSA) signs the time the signature was created. - This allows signature validity to outlive certificate expiration as long as the cert was valid at signing time (policy-dependent).

  5. Verification happens at install/run time - The verifier computes the file hash again and checks it matches the signed hash. - The verifier validates:

    • Integrity: signature matches the content.
    • Chain of trust: certificate chains to a trusted root.
    • Policy: EKU includes code signing; meets OS/app store requirements.
    • Revocation: cert hasn’t been revoked (CRL/OCSP), where enforced.
    • Time: signature time is acceptable (especially if timestamped).

What code signing does (and doesn’t) guarantee

  • Does guarantee (when verified correctly):
  • The code hasn’t been modified since it was signed.
  • The signer possessed the private key at signing time.
  • The certificate chain met the trust policy at verification time (and/or at signing time with timestamping).

  • Does not guarantee:

  • The software is “safe” or free of malware. Attackers can sign malicious code using stolen certificates, mis-issued certificates, or compromised signing keys.
  • The publisher’s operational security is sound. A compromised CI system can sign attacker-modified builds if it has access to signing keys.

Why signature validation fails (common causes)

Signature verification commonly fails due to:

  • Content changes after signing (tampering, repackaging, post-build patching)
  • Missing or untrusted intermediate certificates
  • Certificate expiration without a timestamp
  • Certificate revocation
  • Incorrect usage/policy (wrong EKU, not meeting platform rules)
  • Network/inspection issues preventing revocation checks (OCSP/CRL blocked)

Where you’ll encounter code signing

Code signing is not a niche concept—it shows up across operating systems, packaging formats, and automation pipelines.

Endpoint installs and application launches

  • Windows (Authenticode)
  • Executables (.exe), libraries (.dll), installers (.msi), scripts, and especially drivers are commonly signed.
  • SmartScreen and other reputation systems may weigh signatures in allow/deny prompts.

  • macOS

  • Applications are signed and often notarized for smoother execution without warnings.
  • Gatekeeper validates signatures and notarization status depending on system configuration.

  • Linux

  • The kernel module signing ecosystem exists, but day-to-day you’ll more often see package signing (APT/RPM) and repository metadata verification.

Package managers and repositories

  • OS updates and repositories
  • Debian/Ubuntu APT uses repository signing (Release file signatures).
  • RPM-based distros verify package signatures.
  • The trust anchor is typically a distro-managed keyring, not a public CA.

  • Language ecosystems

  • Some ecosystems use signatures, checksums, attestations, or transparency logs rather than classic “CA-issued code signing certs.”
  • The operational takeaway: verify what your ecosystem actually enforces, and don’t assume “downloaded from registry” equals “verified publisher.”

CI/CD pipelines and release engineering

If you ship software, you’ll run into code signing as a build/release step:

  • Signing build artifacts before publishing releases
  • Signing container images or producing attestations (increasingly common)
  • Key management for signing keys (HSM/KMS, short-lived credentials, approvals)
  • Auditing: who/what signed, when, from which pipeline

If you’re formalizing “what could go wrong” in the build-and-release path, a tabletop exercise can help teams map realistic failure modes (stolen signing keys, malicious dependency injection, compromised runner images). See: what is a tabletop exercise.

Enterprise controls and allowlisting

Security teams encounter signatures when implementing:

  • Application allowlisting
  • Policies like “allow only signed code from trusted publishers.”
  • Script enforcement
  • PowerShell execution policies may require signed scripts in certain modes.
  • EDR and telemetry
  • Signed vs unsigned code is a common triage signal—but not a final verdict.

Quick verification commands (practitioner-friendly)

Use these to validate what a system will likely see.

Windows: verify Authenticode signatures

# Check signature status, signer, and timestamp
Get-AuthenticodeSignature -FilePath .\installer.exe | Format-List *

# Helpful: pull signer subject and status quickly
(Get-AuthenticodeSignature .\app.exe).SignerCertificate | Select-Object Subject,Issuer,NotAfter,Thumbprint

If you’re hunting suspicious binaries, “Signed” is not enough—look for unexpected publishers, recently issued certs, or anomalous signing times.

macOS: inspect code signature

# Verify and show details
codesign --verify --deep --strict --verbose=2 /Applications/App.app

# Display signature info
codesign -dv --verbose=4 /Applications/App.app 2>&1 | sed -n '1,120p'

Linux: check package signature (example patterns)

# Debian/Ubuntu: verify repository metadata and package provenance via APT mechanisms
apt-cache policy <package>

# RPM-based: check a specific RPM package signature
rpm -Kv package.rpm

(Exact verification depends on distribution and configured keyrings.)

Operational best practices (fast checklist)

- Store signing keys in HSM/KMS; never on developer laptops.
- Separate build and signing steps; require approvals for signing releases.
- Use timestamping where supported.
- Monitor for certificate expiry and revocation events.
- Verify signatures in deployment pipelines (not only on endpoints).
- Treat unexpected signer changes as an incident signal.

For the “what do we fix first?” side of the house, pair signature enforcement with disciplined patching and lifecycle management—especially for developer tooling, build agents, and endpoints that run installers. See: patch management best practices a practitioners guide.

If you’re managing a lot of endpoints and frequently validate downloads while traveling or on untrusted networks, a reputable VPN can reduce exposure to certain network-level tampering and interception risks (though it does not replace signature verification). Options include NordVPN (Check NordVPN pricing →) or Surfshark (Try Proton VPN →).

For personal/admin credential hygiene around developer accounts, certificate portals, and code-hosting platforms, a dedicated password manager can help reduce account takeover risk (which often precedes signing-key abuse). Consider 1Password (Try 1Password →).

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

Digital signature

A cryptographic value proving integrity and authenticity, created with a private key and verified with a public key.

Code signing certificate

A certificate with appropriate key usage (often EKU) indicating it’s meant for signing code.

Authenticode

Microsoft’s signing and verification technology for Windows binaries and related file types.

Certificate chain (chain of trust)

The path from a leaf certificate to a trusted root CA (or internal enterprise root).

Timestamping (TSA)

A signed record of when a signature was created, enabling long-term validation after certificate expiration.

Revocation (CRL/OCSP)

Mechanisms to mark certificates as untrusted before their expiration (e.g., if a key is compromised).

Notarization (macOS)

A platform workflow where software is scanned/registered with Apple services and validated at runtime in addition to signing.

Application allowlisting

A control that permits execution only for approved apps—often based on signatures, publisher identity, and hashes.

Supply chain security

Practices to prevent compromise of dependencies, build systems, and delivery channels; code signing is one control within this broader discipline.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.