How to Apply for and Use Code Signing Certificates
Introduction to Code Signing Certificates
Code signing certificates are used to digitally sign software code to verify the identity of the software publisher and ensure the integrity of the code. This assures users that the software is from a trusted source and has not been tampered with or maliciously modified after its release. This is crucial for building user trust and preventing the spread of malware.
Uses of code signing certificates:
- Verify software publisher identity: Code signing certificates authenticate the source of the software, assuring users it comes from a legitimate developer or organization.
- Ensure code integrity: Digital signatures can prove that the code has not been altered since it was signed, preventing malware injection or tampering.
- Increase user trust: Signed software can eliminate security warnings from the operating system or browser, boosting users' confidence and encouraging them to install and use it.
- Prevent malware spread: Code signing helps users identify and avoid installing unsigned or potentially malicious software from unknown sources.
Applying for a Code Signing Certificate through ServBay
Open the SSL certificate management panel: In ServBay's sidebar, click "SSL Certificates" to access the certificate management platform.
Click the Add button: Click the "+" button in the top right corner.
Fill in the certificate information: On the "Request Certificate" page, provide the following details:
- Common Name: Enter your organization name or personal name, e.g., ServBay, LLC or Sam NG.
- Usage Purpose: Select the certificate purpose as Code Signing.
- Request Method: Choose ServBay CA.
- Issuer: Select ServBay User CA.
- Algorithm: Choose a key algorithm, such as ECC or RSA.
- Key Length: Choose a key length, such as 384 or 2048.
- Password: Important! Set a password to protect your private key. Remember this password, as it cannot be recovered if lost. The default password is ServBay.dev.
Click the "Request" button: After completing all steps, click "Request" to submit the certificate application. ServBay will issue the certificate automatically.
Exporting and Using the Certificate
- Enter the SSL certificate management panel.
- Locate the issued code signing certificate.
- Click the action button: Click the export icon to the right of the certificate.
- Select the export directory: In the pop-up window, choose where to save the exported certificate.
- Use a code signing tool: Import the exported .p12 file into your code signing tool (e.g., codesign (macOS), signtool (Windows), etc.) and unlock it with the previously set password. You can then use the certificate to digitally sign your code.
Example of Signing Code with a Code Signing Certificate
$ gcc test.c -o /tmp/test # Use gcc to generate a binary file for testing
$ security find-identity -v -p codesigning # Find certificates available for code signing
1) ...
2) 99C183BC3796067FAFBA6F232D1C3C3425DAABDA "ServBay, LLC"
2 valid identities found
$ codesign -f -s "99C183BC3796067FAFBA6F232D1C3C3425DAABDA" --timestamp /tmp/test # Use the found certificate ID to sign
test: replacing existing signature
$ codesign -dvvv /tmp/test # Display the signature details to confirm the binary is signed
Executable=/tmp/test
Identifier=test
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=445 flags=0x0(none) hashes=9+2 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=777e597ce37ad27e7b90d2aaaeeb9f1449170639
CandidateCDHashFull sha256=777e597ce37ad27e7b90d2aaaeeb9f1449170639a73e8090b1d9d1245d7f191b
Hash choices=sha256
CMSDigest=777e597ce37ad27e7b90d2aaaeeb9f1449170639a73e8090b1d9d1245d7f191b
CMSDigestType=2
CDHash=777e597ce37ad27e7b90d2aaaeeb9f1449170639
Signature size=7247
Authority=ServBay, LLC
Authority=ServBay Public CA - ECC Code Signing
Authority=ServBay Public CA - ECC Root
Timestamp=Nov 7, 2024 at 18:26:48
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80
$ echo "abcde" > test # Overwrite the binary to break its signature (relative path: run from /tmp)
$ codesign -dvvv test # Display the signature details again
test: code object is not signed at all
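
The signature report shown above can be checked mechanically, for example as a release gate that fails when the signer chain is not the expected one. The shell function below is an added example, not part of ServBay or of the original page; `check_report` and `SAMPLE` are hypothetical names, and `SAMPLE` is trimmed from the `codesign -dvvv` output shown above.

```shell
# Added example. SAMPLE is a trimmed copy of the codesign -dvvv output above.
SAMPLE='Executable=/tmp/test
Identifier=test
CandidateCDHashFull sha256=777e597ce37ad27e7b90d2aaaeeb9f1449170639a73e8090b1d9d1245d7f191b
CDHash=777e597ce37ad27e7b90d2aaaeeb9f1449170639
Authority=ServBay, LLC
Authority=ServBay Public CA - ECC Code Signing
Authority=ServBay Public CA - ECC Root
Timestamp=Nov 7, 2024 at 18:26:48'

# Usage: codesign -dvvv <file> 2>&1 | check_report "<leaf>" "<root>"
# (codesign -d writes its report to stderr, hence the 2>&1).
# Prints one verdict line and returns 0 only when every check passes.
check_report() {
  awk -v leaf="$1" -v root="$2" '
    /not signed at all/     { unsigned = 1 }
    /^Authority=/           { auth[++n] = substr($0, 11) }  # chain, leaf first
    /^Timestamp=/           { ts = 1 }                      # present in the --timestamp run above
    /^CDHash=/              { cd = substr($0, 8) }
    /^CandidateCDHashFull / { sub(/^.*=/, ""); full = $0 }
    END {
      if (unsigned || n == 0) { print "FAIL: no signing authority (unsigned or ad hoc)"; exit 1 }
      if (auth[1] != leaf)    { print "FAIL: unexpected signer: " auth[1]; exit 1 }
      if (auth[n] != root)    { print "FAIL: unexpected root: " auth[n]; exit 1 }
      if (!ts)                { print "FAIL: no Timestamp line"; exit 1 }
      # In the output above, CDHash is the leading part of the full digest.
      if (cd == "" || index(full, cd) != 1) { print "FAIL: CDHash does not match full digest"; exit 1 }
      print "OK: " leaf " (" n " certificates in chain)"
    }'
}
```

Pinning both the leaf and the root name catches a binary that was re-signed with a different identity, which a bare "is it signed" check would accept.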
Certificate Renewal
ServBay's code signing certificates are valid for 800 days. Before the certificate expires, you can click the button on the right to renew it. Each renewal extends the validity period by 800 days from the current date.
Certificate Deletion
- Enter the SSL certificate management panel.
- Locate the certificate you want to delete.
- Click the action button: Click the trash can icon next to the certificate.
- Confirm deletion: In the pop-up menu, select "Delete" and confirm the deletion.
Summary
I hope this document helps you apply for and use code signing certificates on the ServBay platform. If you have any questions, please contact ServBay customer support for assistance.