What are Root Certificates?

For an end user, code signing gives assurance of the authenticity and integrity of downloaded software. However, you should also be aware that a bad actor can create their own public/private key pair, generate a code signing certificate, and make it appear as though it had been issued by a valid CA. If anyone can create a code signing certificate, how do you know which certificates are trustworthy?

This is where root certificates come in. You can think of code signing certificates as a family tree. To verify where a certificate came from, you trace it back to the signing certificate at the root of the tree: your root certificate. The root certificate determines whether the other code signing certificates are trustworthy, because you can trace the “chain of trust” back to the original signing authority.

This root authority could be a company like Microsoft or Apple. If your software’s signing certificate cannot be chained to a trusted root certificate, the system will advise you not to trust the certificate that was used to sign the software you are attempting to download. Sometimes even a legitimate authority is not recognized, because its root certificate has not been installed in the browser’s or the operating system’s trust store. In these instances, you need to manually install the root certificate in your trust store so that the browser or the operating system recognizes it as trustworthy and valid.
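As an added example (not part of the CyberArk glossary), the following shell script builds a toy chain of trust with the OpenSSL CLI: a root CA, an issuing CA and a publisher’s code signing certificate, plus a bad actor’s self-made “root” that copies the real root’s name. It then checks which publisher certificates a verifier accepts, first with only the genuine root in the trust store and then after the rogue root has been installed alongside it. It assumes `openssl` 1.1.1 or newer is on PATH; every name in it is made up.

```shell
#!/bin/sh
# Added example, not CyberArk's code. Assumes `openssl` (1.1.1+) on PATH;
# all names are made up. Files live in a scratch directory removed on exit.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_self_signed_ca() {  # $1 = file stem, $2 = subject CN; req -x509 sets CA:TRUE
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
issue_cert() {  # $1 = file stem, $2 = issuer stem, $3 = subject CN, $4 = x509v3 extensions
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf '%s\n' "$4" > "$WORK/$1.ext"
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.pem" 2>/dev/null
}
# Key identifiers let the verifier tell apart two CAs that share a name.
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer'
LEAF_EXT='basicConstraints=CA:FALSE
extendedKeyUsage=codeSigning
authorityKeyIdentifier=keyid,issuer'

build_pki() {
    make_self_signed_ca root "Example Root CA"                         # the trust anchor
    issue_cert intermediate root "Example Issuing CA" "$CA_EXT"
    issue_cert signer intermediate "Example Software Publisher" "$LEAF_EXT"
    # A bad actor's own "root" with the genuine root's name, and a publisher
    # certificate issued under it. The name matches; the key does not.
    make_self_signed_ca rogue_root "Example Root CA"
    issue_cert rogue_signer rogue_root "Example Software Publisher" "$LEAF_EXT"
    # What the trust store looks like after someone installs the rogue root.
    cat "$WORK/root.pem" "$WORK/rogue_root.pem" > "$WORK/store_with_rogue.pem"
}
# Print "trusted" or "untrusted" for leaf $2 against trust-store file $1.
# The issuing CA is supplied as an untrusted hop, as an installer would ship it.
chain_status() {
    if openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/intermediate.pem" \
            "$WORK/$2.pem" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

build_pki
chain_status root.pem signer                   # trusted
chain_status root.pem rogue_signer             # untrusted: right CA name, wrong key
chain_status store_with_rogue.pem rogue_signer # trusted: installing a root trusts all it signs
```

The last line is the caveat behind manual root installation: whatever you add to the trust store becomes an anchor for every certificate chained under it, so install only roots whose origin you have verified out of band.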
