
Code Signing

What are code signing certificates

Code signing is used to authenticate the originator of a file and to protect its integrity. The signer computes a cryptographic hash of the program (for example an executable, .exe) and signs that hash with a private key; the resulting digital signature, together with the signer's certificate, is embedded in the file or distributed alongside it. Anyone who receives the file can recompute the hash and check the signature against the public key in the certificate.

When to use code signing certificates

A code signing certificate allows software developers to add digital signatures to their code and to include verified information about their identity with the software they ship. End users who download digitally signed 32-bit or 64-bit executable files (.exe, .ocx, .dll, .cab, and more) can check that the code really comes from the identified developer and that nobody has modified it since it was signed. Note that a valid signature says who signed the code and that it is unchanged; it says nothing about whether the code itself is safe.

Requesting a code signing certificate

Who can apply for code signing certificates

Stanford faculty and staff

Preparation

  • Under the CA/Browser Forum code signing requirements that took effect in June 2023, the private key for a code signing certificate must be generated and stored on an external FIPS-validated hardware device (FIPS 140-2 Level 2 or equivalent), not on your computer.

  • The following two devices are currently supported by our certificate vendor, Sectigo, as of 8/2023.

    • Thales/Safenet Luna and netHSM devices
    • Yubico FIPS Yubikeys (for ECC keys only)
  • The most economical option is Yubico FIPS Yubikey. (~$85 USD)

  • Please make sure you are in possession of a Yubico FIPS Yubikey before requesting code signing certificates.

Procedures

  1. For YubiKey users, run the following command to confirm that your device is a FIPS model (the "Device type" line of the output should include FIPS, e.g. "YubiKey 5 NFC FIPS"):

    ./ykman info

    -or- (on Windows)

    ykman.exe info
    
  2. Open a ServiceNow (SNOW) ticket with Certificate Manager to request a code signing certificate.

  3. Attach the output of ykman info from step 1.

  4. Provide the email address that will be linked to the code signing certificate.

  5. Once your request is processed, you will receive an email to "Verify Email Address"

How to Verify Email Address

General Process:

  1. Generate the key pair on the YubiKey and create a CSR with the YubiKey Manager GUI, saving it to local disk (ex: mycode.csr)
  2. Create the attestation certificate for that key (the attestation proves the key was generated on the YubiKey and never left it)
  3. Export the intermediate CA certificate that signed the attestation (stored in the YubiKey's attestation slot f9)
  4. Concatenate the attestation certificate and the intermediate CA certificate and base64-encode the result (ex: attestation.b64)
  5. You will need both the CSR (ex: mycode.csr from step 1) and the base64-encoded attestation bundle (from step 4) to complete the verification

Please follow the step-by-step Sectigo documentation to complete your verification.
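The general process above, carried out with the ykman command line instead of the GUI, as an added example. This is not Stanford's or Sectigo's script, and the Sectigo documentation remains the authority for what the form accepts. It assumes the key is generated in PIV slot 9c (the digital-signature slot; any PIV slot would work), that an ECC P-384 key is acceptable to the vendor, that the device's attestation intermediate sits in slot f9 (Yubico's documented layout), and that the subject string, file names and the --run flag are placeholders. The two openssl checks at the end (that the CSR carries the same public key the attestation vouches for, and that the attestation chains to Yubico's PIV attestation root) are added practitioner checks, not part of the Stanford procedure; the root certificate is published by Yubico at https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem.

```sh
#!/bin/sh
# Added example, not Stanford's or Sectigo's script. Generates the code
# signing key on a FIPS YubiKey, builds the CSR and the base64 attestation
# bundle, and checks the bundle before it is submitted.
set -eu

KEY_SLOT=9c                                  # PIV "digital signature" slot (assumption)
ATTEST_SLOT=f9                               # slot holding the device's attestation intermediate CA
SUBJECT="/CN=Example Signer/O=Example Org"   # placeholder subject
YUBICO_ROOT=piv-attestation-ca.pem           # Yubico PIV attestation root, downloaded separately

# Refuse to continue on a non-FIPS device: "ykman info" names the model on its
# "Device type" line (for a FIPS key, e.g. "YubiKey 5 NFC FIPS").
require_fips_yubikey() {
    ykman info | grep -q 'Device type:.*FIPS'
}

# Step 1: key pair generated on the token, CSR signed by the token.
# Touch policy ALWAYS means every later signature needs a physical touch.
generate_key_and_csr() {
    ykman piv keys generate --algorithm ECCP384 --pin-policy ONCE \
        --touch-policy ALWAYS "$KEY_SLOT" pubkey.pem
    ykman piv certificates request --subject "$SUBJECT" "$KEY_SLOT" pubkey.pem mycode.csr
}

# Steps 2 and 3: attestation certificate for the new key, plus the
# per-device intermediate CA that signed it.
export_attestation() {
    ykman piv keys attest "$KEY_SLOT" attestation.pem
    ykman piv certificates export "$ATTEST_SLOT" intermediate.pem
}

# Step 4: concatenate the attestation leaf and the intermediate, then
# base64-encode the result as a single line. Pure shell, so it can be run
# (and tested) without a YubiKey attached.
bundle_attestation() {
    cat "$1" "$2" | base64 | tr -d '\n' > "$3"
}

# Added check: the CSR must carry the same public key the attestation
# certificate vouches for, otherwise the bundle proves nothing about the CSR.
csr_matches_attestation() {
    csr_key=$(openssl req -in "$1" -noout -pubkey)
    att_key=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$csr_key" ] && [ "$csr_key" = "$att_key" ]
}

# Added check: the attestation chains through the exported intermediate to
# Yubico's PIV attestation root CA.
verify_attestation_chain() {
    openssl verify -CAfile "$YUBICO_ROOT" -untrusted "$2" "$1" >/dev/null
}

main() {
    require_fips_yubikey
    generate_key_and_csr
    export_attestation
    bundle_attestation attestation.pem intermediate.pem attestation.b64
    csr_matches_attestation mycode.csr attestation.pem
    verify_attestation_chain attestation.pem intermediate.pem
    echo "submit mycode.csr and attestation.b64 to the Sectigo verification form"
}

# Only touch the YubiKey when invoked explicitly: sh enroll.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it once with --run after changing the YubiKey's default PIN and management key; ykman prompts for both as needed. If csr_matches_attestation fails, the CSR was built from a different key than the one attested (typically a stale pubkey.pem from an earlier run), and the vendor will reject the pair.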

FAQ

  • This process looks complicated. Is there another option?

    Yes, you can also order a code signing certificate directly from Sectigo or another certificate vendor. The hardware key requirement applies regardless of which vendor you use.

Last modified October 11, 2023