InstallShield Tips and Tricks

Code Signing

Related Resources

CONTENTS

What is Code Signing?
Why is Code Signing Important for Software Installation?
How Does Code Signing Work?
Code Signing Best Practices

What is Code Signing?

Code signing is a security process that uses cryptographic signatures to verify the identity of a software publisher and ensure that code has not been modified since it was signed. By attaching a digital certificate issued by a trusted Certificate Authority, code signing establishes trust and protects users from installing malicious or tampered software.

Why is Code Signing Important for Software Installation?

During installation, code signing guarantees that the software package is authentic and intact. This prevents attackers from injecting harmful code and reassures users that the application originates from a verified source. Operating systems and browsers often block unsigned or improperly signed installers, making code signing essential for smooth deployment.

How Does Code Signing Work?

The process typically includes:

Developer signs the code using a private key.
A digital certificate from a trusted CA validates the publisher’s identity.
End-user systems verify the signature before installation.

Code Signing Best Practices: Our Top Tips

1. Use Strong Cryptographic Keys and Secure Storage

Always generate signing keys within a FIPS-compliant device, such as a hardware security module (HSM), rather than storing private keys in files (e.g., PFX) on build servers. This prevents key theft and unauthorised code signing.

2. Leverage Certificate Authorities and Chain of Trust

Obtain code signing certificates from recognised Certificate Authorities (CAs) that are trusted by major operating systems (Windows, macOS, Linux).

Ensure your signing process supports the full chain of trust: public key, intermediate certificate, and root certificate. This guarantees that signatures are universally verifiable during installation.

3. Implement Time Stamping

Always time stamp your signed software. Time stamping ensures that signatures remain valid even after the certificate expires, which is critical for long-life products and devices. This extends trust and avoids installation failures years after release.

4. Adopt Short-Term Certificates and Lifecycle Management

Use short-term certificates (valid for less than a year) where possible, especially in regulated industries. This allows for frequent key rotation, rapid compliance updates, and reduces the risk of long-term key exposure.

Maintain robust certificate lifecycle management to ensure keys and certificates are renewed and rotated regularly.

5. Choose the Right Trust Model

For public distribution, use Public Trust Code Signing certificates to ensure broad recognition and compliance with industry standards.

For internal or consortium use, Private Trust Code Signing may offer more control and flexibility but requires careful management of your own trust hierarchy and infrastructure.

6. Integrate Code Signing into Your Build and Installation Process

Use tools like InstallShield or similar to automate and customise the signing process for both binaries and installers. Ensure your installation workflow verifies digital signatures and blocks unsigned or improperly signed binaries, aligning with modern OS requirements (e.g., Windows 11).

7. Monitor and Respond to Evolving Standards

Stay informed about updates from the CAB Forum and other regulatory bodies, as standards for code signing (e.g., validity periods, hardware requirements) continue to evolve. Be proactive in updating your signing practices to maintain compliance and security.

Watch this short video to learn more about InstallShield:

Frequently Asked Questions

What is code signing?

Code signing is the process of digitally signing software to verify the publisher’s identity and ensure the code has not been altered since it was signed.

Why is code signing important during installation?

It guarantees that the installer is authentic and hasn’t been tampered with, reducing the risk of malware and ensuring a smooth installation process.

How does code signing work?

A developer signs the code using a private key and attaches a digital certificate from a trusted Certificate Authority. When installing, the system checks the signature to confirm authenticity.

What happens if software isn’t code signed?

Unsigned installers may trigger security warnings or be blocked by operating systems and browsers, making installation difficult or impossible.

Does code signing protect against all security threats?

No. It ensures integrity and authenticity but does not scan for vulnerabilities or malware in the code itself

What types of certificates are used for code signing?

Common types include standard certificates and Extended Validation (EV) certificates, which offer higher trust levels.

How often should code signing certificates be renewed?

Certificates typically expire every 1–3 years. Renewing them ensures continued trust and compliance with industry standards.

Is code signing required for all platforms?

Most major platforms (Windows, macOS, mobile app stores) strongly recommend or require code signing for installers and updates.

Resources

Data Sheet

InstallShield 2025

Build Seamlessly in the Cloud with InstallShield Licensing Capabilities

Data Sheet

Compare InstallShield Versions

Compare features by the latest releases.

Webinar

Enabling Successful Software Installs with New Digital Signing Standards

Register for the upcoming webinar and be better equipped you with the knowledge and tools necessary to navigate changes to digital signing standards effectively for a seamless installation experience.

Data Sheet

Cloud License Server with InstallShield

Get your questions answered about how to eliminate the time and effort required to set up and manage local License Servers. Easily configure your builds from the DevOps build pipeline with InstallShield’s Cloud License Server.

Online Event

“Unpacking MSIX”: Panel Discussion

Watch this roundtable discussion to learn more about how developers can retain as much code as possible as they continue to innovate and modernize applications.

Webinar

TechTalk: InstallShield “Suite” Secrets

In this TechTalk you’ll learn about Suite, a project type within InstallShield, and how it resolves the problem of installing multiple packages, learn how Windows features in Suite works, and how secure it is to send packages via an installer.

From the Blog

Blog

How Organizations Are Migrating Software Installations to the Cloud

Software licensing is rarely simple, especially for organisations that are moving their software to the cloud, with a mix of legacy systems, and growing security demands. In our recent webinar, we explored how two very different companies are tack...

Blog

Are Outdated Software Installers Putting Your Business at Risk?

Why is it Important to Use an Up-to-Date Software Installer? When an installer fails, it’s easy to dismiss it as a minor inconvenience—simply retry the process. However, this seemingly small issue can signal more significant problems. Without ...

Blog

Digital Signing Software Applications in 2024

In the fast-paced realm of software development, digital signing stands as a cornerstone for ensuring the integrity and security of applications. As we delve into the state of digital signing in 2024, it’s crucial to explore its evolution, i...

View All Blog Posts

Want to learn more?

Whether you are an existing customer needing assistance, or new to Revenera's Software Installation solutions, we are happy to help out with your Installation needs.

Talk to Sales Contact Support