Code Signing Certificates Types: Standard vs. Extended Validation (EV)

Written by Horatiu Vladasel · September 24th, 2024

In today's IT world, keeping software distribution secure and maintaining its integrity is crucial.

With cyber threats on the rise, users need to feel confident that the software they're downloading hasn't been tampered with and comes from a trusted source.

This is where code signing certificates come into play. They offer a robust solution to authenticate software publishers and validate the integrity of their code.

Let's take a look at the two main types of code signing certificates: Standard and Extended Validation (EV), and how they help build trust in software distribution.

Standard Code Signing Certificates

Standard code signing certificates are the baseline for establishing trust in software distribution.

These certificates go through an identity verification process conducted by a trusted Certificate Authority (CA).

Publishers are required to submit various forms of documentation and go through checks to confirm their identity and legitimacy.

A Certificate Authority (CA) is a trusted organization or entity that issues digital certificates.

Some of the most widely recognized CAs are DigiCert, GlobalSign, and Comodo.

Tip: Check out our detailed guide on Where to Buy Code Signing Certificates to explore the best options for your software needs.

Once the verification is complete, publishers can use the certificate to digitally sign their code.

This process uses a cryptographic hash function to compute a digest of the code, and that digest is signed with the publisher's private key to produce the digital signature. Anyone who receives the signed code can verify the signature with the public key embedded in the certificate, so a valid signature proves to end-users that the code hasn't been altered since it was signed and that it was signed by the certificate holder.
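As an added illustration of the sign-and-verify flow described above (this is example code, not part of the original article or Advanced Installer), the Go program below generates a key pair, wraps the public key in a self-signed certificate whose Subject carries a constructed publisher name, signs the SHA-256 digest of some bytes, and verifies that signature. The self-signed certificate stands in for a CA-issued one; the organization name and sample code bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewPublisherCert builds a signing key pair and a self-signed certificate whose Subject
// carries the publisher's organization name (constructed stand-in; real ones are CA-issued).
func NewPublisherCert(org string) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// SignCode hashes the code with SHA-256 and signs the digest with the private key.
func SignCode(key ed25519.PrivateKey, code []byte) []byte {
	digest := sha256.Sum256(code)
	return ed25519.Sign(key, digest[:])
}

// VerifyCode recomputes the digest and checks the signature with the public key in
// the certificate; any change to the code changes the digest and the check fails.
func VerifyCode(cert *x509.Certificate, code, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(code)
	return ed25519.Verify(pub, digest[:], sig)
}
```

Flipping a single bit of the signed bytes, or truncating the signature, makes VerifyCode return false, which is exactly the tamper check an installer performs before showing the publisher's name from the certificate Subject.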

Enhanced Assurance with EV Code Signing Certificates

Extended Validation (EV) Code Signing Certificates offer even more assurance than standard certificates.

These certificates go through a much more rigorous validation process, which includes extensive checks to confirm the legal existence, physical location, and ownership of the publisher's organization.

This rigorous process adds a higher level of trustworthiness, providing users with added confidence in the software's source.

A standout feature of EV certificates is how they display the publisher's identity during the installation process.

Unlike standard certificates, where the publisher's information might be less visible, EV certificates ensure that users are explicitly presented with the publisher's name or organization, often in a highlighted manner.

This increased visibility helps users make informed decisions about the software's authenticity and trustworthiness.

Tip: Want to learn how to use a USB eToken for EV Code Signing? Read our step-by-step guide on How to Use the USB eToken for Extended Validation Code Signing in Advanced Installer to get started.

For instance, imagine downloading software from the internet. When you try to install the software, a dialog box pops up, prominently displaying the publisher's name alongside the standard security warnings. With an EV code signing certificate, the publisher's identity is showcased prominently, making the end-user more confident about the software's authenticity and safety.

Verified Publisher stamp on App Install pop-up

Conclusion

When deciding between standard and EV code signing certificates, publishers must carefully consider their specific requirements and the expectations of their audience.

Standard certificates provide a strong foundation of trust and are great for most software distribution needs. They offer robust identity verification and code integrity assurance, meeting the basic security requirements for software publishers.

On the other hand, EV certificates are ideal for organizations seeking to enhance their credibility and user trust. The rigorous validation process and prominent display of identity contribute to a heightened level of assurance, making EV certificates a preferred choice for software publishers prioritizing trust and transparency.

Note: For more detailed insights and resources on digital signing, check out our complete guide on: Digital Signing for Application and Software Developers - In-Depth Guide and Resources.

Written by
Horatiu Vladasel

Horatiu is a Software Packager/Sequencer with over 10 years of experience, who has worked as a Software Packager at IBM and is currently offering software packaging services to companies such as BT and Nationwide.
