All About Authenticode

Authenticode is a technology developed by Microsoft to allow computers to verify the origin of programs, documents and other computer files.

What is Authenticode used for?

The most common use of Authenticode is to certify software that runs on Microsoft Windows. An Authenticode digital signature allows you to be sure that the software is genuine, not a Trojan or other malicious program masquerading as another product. It also allows you to detect if a program has been tampered with - for example, infected by a virus.

An Authenticode digital signature does not in itself prove that the software which carries it is harmless. However, the person or organization that signed the software had to prove who they were to the authority that issued the certificate. Therefore they are traceable, making it unlikely that a digitally signed file would be deliberately malicious.

How to tell if software is signed

Current versions of the major web browsers running under Windows display a security warning when you run software downloaded from the Internet, which shows whether the download has been digitally signed or not.

This program has not been digitally signed
This download has not been digitally signed.

This download has been digitally signed
This one has.

You can also tell whether software on your hard drive has been digitally signed or not by right-clicking the file in Windows Explorer and clicking Properties. If the program has been signed, the Properties window will have a Digital Signatures tab, showing who signed the file and when they signed it.

Is unsigned software dangerous?

All an Authenticode digital signature does is guarantee that the software was produced by the individual or company named in the certificate, which has been verified by the authority that issued the certificate. You still have to decide for yourself whether to trust that individual or company.

Software is not necessarily dangerous just because it has not been digitally signed. It isn't mandatory to sign code before it will run under Windows, so many software developers don't bother. And, although a code signing certificate is not especially expensive (just $179 for a one year Comodo code signing certificate), many hobbyist programmers and shareware developers make little or no money from their programs and don't feel that they can afford one. In that case, you have to use your own judgement as to whether the software you downloaded is genuine, as well as whether the developer is trustworthy.

How do you get an Authenticode certificate?

If you are a software developer or other distributor of computer files you can obtain a Software Publishing Certificate (more commonly known as a code signing certificate) from a certification authority such as Comodo, Thawte or Verisign You must pay a fee, and then submit documents to the certification authority to prove that you are who you claim to be. If your application is successful, you will receive a digital certificate which you can use to sign your executable files using tools provided by Microsoft.

Further information