Verifying Code Authenticity

Bruce Morton

When an end-user’s browser loads the code, it checks the authenticity of the software using the signer’s public key, signature and the hash of the file. If the signature is verified successfully, the browser accepts the code as valid. If the signature is not successfully verified, the browser will react by warning the user or rejecting the code, according to the level of security being used.



The signature is verified as follows:

  • The original code is passed through the hashing algorithm creating a hash
  • The public key of the publisher is extracted from the bundle and applied to the signature information; applying the public key reveals the hash that was calculated when the file was signed
  • The expiry date of the public key is checked
  • The public key is checked against the revocation lists to be sure that it is valid
  • The two hashes are compared; if equal, then the code has not changed and the signature is considered valid
  • If the file is considered valid, it is accepted by the browser; if the file is not considered valid, the browser displays a trust dialogue like the one above
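The steps above can be traced in a short sketch. This is an added example, not code from the original article or from any browser: it uses a constructed toy RSA key without padding (real code signing uses padded signatures and X.509 certificates), and the names `verify`, `bundle` and `revoked_serials`, along with the dictionary layout standing in for the certificate, are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed toy key: textbook RSA (no padding) over two publicly known
# Mersenne primes. For illustration only, never for real signing.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the publisher

def file_hash(code: bytes) -> int:
    return int.from_bytes(hashlib.sha256(code).digest(), "big")

def sign(code: bytes) -> int:
    """Publisher side: hash the file, then apply the private key."""
    return pow(file_hash(code), D, N)

def verify(code, bundle, now, revoked_serials):
    """Verifier side (hypothetical helper); returns (accepted, reason)."""
    cert = bundle["cert"]
    computed = file_hash(code)  # hash the code as received
    # Applying the public key to the signature reveals the signed hash.
    recovered = pow(bundle["signature"], cert["e"], cert["n"])
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "outside validity period"
    if cert["serial"] in revoked_serials:  # revocation list modelled as a set
        return False, "revoked"
    if computed != recovered:  # the file changed after it was signed
        return False, "hash mismatch"
    return True, "valid"

# Constructed sample data.
UTC = timezone.utc
CODE = b"function greet() { return 'hello'; }"
CERT = {"serial": 0x1001, "n": N, "e": E,
        "not_before": datetime(2024, 1, 1, tzinfo=UTC),
        "not_after": datetime(2025, 1, 1, tzinfo=UTC)}
BUNDLE = {"cert": CERT, "signature": sign(CODE)}
NOW = datetime(2024, 6, 1, tzinfo=UTC)
AFTER_EXPIRY = datetime(2026, 1, 1, tzinfo=UTC)

if __name__ == "__main__":
    print(verify(CODE, BUNDLE, NOW, set()))
    print(verify(CODE + b" ", BUNDLE, NOW, set()))
    print(verify(CODE, BUNDLE, AFTER_EXPIRY, set()))
    print(verify(CODE, BUNDLE, NOW, {0x1001}))
```

A single added byte in the file is enough to make the recomputed hash differ from the one recovered from the signature, which is why the second call is rejected.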


Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
