Self-Signed Versus Trusted CA Certificates
In most cases you have to sign your code in order to get it installed on the operating system. You can sign your code using a self-signed certificate or using a certificate issued by a publicly-trusted CA.
Due to the costs of buying a code signing certificate from a publicly-trusted CA, some users will decide to try a self-signed certificate. Here is what you need to consider.
- Issued using software that the user has and controls
- Signatures will provide a trust warning indicating that there was an un-verified publisher and will display “Unknown Publisher”
- Compromised certificates cannot be revoked and could harm the users of your software
Certificates Issued from a Publicly-Trusted CA:
- CA performs identity verification which is displayed in the trust dialogue
- Compromised certificates can be revoked and if time-stamping was used code signed before revocation will remain trusted
For user trust and the longevity of your code, it is recommended that you use a certificate issued from a publicly-trusted CA.
This is the seventh post in our code-signing. Check out the full list to read past entries and see what’s upcoming.