Standard and extended validations for code signing certificates

At Poll Everywhere, security is a top priority. We constantly evaluate our procedures and best practices and code signing is no exception.

(Read more: Why code signing is vital.)

Staying up to date with code signing practices matters for any business releasing binaries, and the vendor landscape shifts: GoDaddy, for example, no longer offers code signing certificates. If you are familiar with SSL certificates for websites but aren’t familiar with code signing certs, this article explains the differences between validation types and how they affect the end user experience.

There are two main types of code signing certificates: Standard and Extended. Standard includes a few subtypes (Individual, Domain, and Organization Validation), but for code signing, consider them Standard Validation certificates.

What is a Standard Validation (SV) certificate?

It is the most basic form of certificate validation. It proves an entity’s identity. Through a minor set of manual validations, you can trust that a certificate came from the individual or business named in it.

What are Extended Validation (EV) certificates?

At a surface level, SV and EV certificates aren’t very different. EV involves a more in-depth, manual review of the requester. The first of two primary purposes of an EV certificate is establishing the company’s legal existence. The second is to enable encrypted communications with a website (2.1.1, 2.1.2). For code signing, we recommend focusing on the first.

When a Certificate Signing Request is submitted for an EV certificate, multiple points of manual validation occur:

  • Physical existence.
  • Operational existence.
  • Proof of business ownership.
  • Proof of domain ownership.
  • Finally, proof that the requester is the entity named in the extended validation certificate request.

The additional verification for legal existence is the major difference between SV and EV certificates.

Why would I need an EV certificate if SV can prove I own my domain?

This depends on needs and wants. After all, any certificate (assuming the same key lengths and types) provides the same level of protection via encryption. They are equally secure, but one is more trusted than the other. Some organizations prioritize trust more than others and are willing to pay for it.

Because of the rigorous validation, operating system and browser suppliers trust EV certs more than SV. On Windows, an application signed with an EV cert passes Windows Defender SmartScreen without prompting the user with a notification like “your computer has been protected from running this program downloaded from the internet.” Smaller development studios might be fine with this message, and it may not be important to you. Users can still run your binary when it is signed with a standard validation certificate. However, Windows Defender showing a warning might not be the best user experience, and some security-oriented businesses do not take this type of message lightly.

Which Certificate Authority is best?

There is no best option, as CAs change over time. It’s best to vet your own choices based on your locale and needs. Just know that the validation process an EV supplier went through, and is under constant pressure to maintain, is much more demanding than what SV-only providers face.

Why such a high cost for EV?

The cost comes down to automated vs. manual verification. Trust isn’t free, and in the security world, labor isn’t cheap. Certificate Authorities need to pass a set of certifications to be recognized as a CA. Add on the high level of scrutiny a CA goes through to be able to supply an EV certificate and it suddenly makes sense. As of writing this article, there are only 29 CAs offering EV certificates in the world! None of this is free; no part of this manual verification can be automated (yet).

Are there any free options for code signing?

Unfortunately, at the time of writing this article, there are no entirely free code signing options available for commercial use through a CA. If free code signing existed, malicious actors would likely use them to sign their own code!

Don’t confuse code signing certificates with TLS/SSL certificates. Those are used for website encryption and can be obtained for free. ZeroSSL, Let’s Encrypt, and others offer free SSL certs for websites, assuming you can verify domain ownership.

What if I want to learn more?

If you’re just in it to learn, there are plenty of resources out there. On Windows, PowerShell has a built-in cmdlet called New-SelfSignedCertificate, and Microsoft provides a guide on how to use it. The guide also covers generating your own self-signed certificates for code signing during development.
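The following PowerShell session is an added example, not part of the original article or Microsoft’s guide. It walks through the development workflow the paragraph describes: create a self-signed code signing certificate with New-SelfSignedCertificate, sign a script, verify the signature, and confirm the signer carries the Code Signing extended key usage. It also shows what the SmartScreen discussion above boils down to from the verifier’s side: a signer that does not chain to a trusted root is reported as untrusted. The subject name and file path are constructed values; it assumes Windows 10 or later with Windows PowerShell 5.1 or newer.

```powershell
# Added example (not from the original article). Assumes Windows 10+ and
# PowerShell 5.1+; the subject name and script path below are made up.

# 1. Create a self-signed certificate with the Code Signing EKU in the
#    current user's personal store. -Type CodeSigningCert sets the EKU.
$cert = New-SelfSignedCertificate -Subject "CN=Example Dev Signing (constructed)" `
    -Type CodeSigningCert `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Write a trivial script and sign it. Release builds should also pass
#    -TimestampServer so the signature stays valid after the cert expires.
$script = Join-Path $env:TEMP "hello.ps1"
Set-Content -Path $script -Value 'Write-Output "hello"'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 3. Verify. A self-signed certificate does not chain to a trusted root, so the
#    status is UnknownError (untrusted root) rather than Valid until the cert is
#    imported into Cert:\CurrentUser\Root. This is the same situation an end user
#    is in when a binary is signed by a signer their machine does not trust.
$sig = Get-AuthenticodeSignature -FilePath $script
"Status: {0}" -f $sig.Status
"Signer: {0}" -f $sig.SignerCertificate.Subject

# 4. Confirm the signer certificate carries the Code Signing EKU
#    (OID 1.3.6.1.5.5.7.3.3); a TLS certificate would not, and a signature
#    made with one should be treated as invalid for code.
$ekuExt = $sig.SignerCertificate.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }
"Code Signing EKU present: {0}" -f [bool]$hasCodeSigning
```

To see the status change to Valid, export the certificate and import it into the current user’s Trusted Root store, then rerun step 3. Do that only on a development machine; a self-signed root trusted on a user’s workstation grants whoever holds that key the same standing as a real CA.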

If you want to play around with certificates, become your own CA. A tool that handles most of the heavy lifting is available on GitHub: mkcert by FiloSottile. Check it out!

Recap

  1. Understand business needs before deciding which validation type fits best. The certificates are similar, but depending on which you choose, users will have a slightly different experience. Both cost money, but EV is significantly more expensive due to the depth of manual review. A limited set of EV suppliers exists, and this list can change at any point.
  2. Comparison shop to ensure you are staying up to date with trusted EV suppliers. If a supplier falls behind on security standards, it will lose its trusted status, which will affect your certificates!

If you are craving more information about EV certificates, you may find these articles useful:

Do you share our commitment to security? Take a look at our job openings! If you’re more interested in breaking things, take a look at our whitehat program to get more involved.