Code signing is used for determining if a particular software is genuine or not. Software vendors use this method for protecting the authenticity of a software. Code signing uses the concept of public key cryptography. In this process, a public key and private key pair is created where public key is known to all, however, the private key is kept secret. Public key is certified by a trusted certificate authority.
Here’s how code signing works:
For a particular software, the vendor calculates a hash function of the code to generate a number. Then, hash value is signed by encrypting it with its private key to create a signature. Now, the software long with the signature is distributed. When a user receives the software, hash function is applied to it and the result is saved. Then vendor’s public key is used for decrypting the signature and hash function is calculated. Now, the hash function created by the vendor is compared with the hash function created by the user. If these two values are same then, it is verified that the software is genuine.