Protect Software & Applications Code
When you install an application, script or driver on any recent OS, you often see a dialog box come up saying that the binary you are about to run is signed by such and such company, or is unsigned. If it is signed, that means the developer used a code signing certificate. Just like emails or online transactions, code can be signed using the same technology of public key cryptography.
This allows a company to make sure people who receive their applications know that it really came from them. If you go to any of the popular CAs, they will sell you these types of certificates. Then, you simply need to use a process to sign your code when you create your application.
Example of Authenticode
Microsoft provides something called Authenticode. This is a procedure that the company offers for driver makers. When you submit a driver for testing, Microsoft will sign this driver with a code signing certificate, making it secure. Recent versions of Windows do not accept 64bit drivers that are not signed in this way. If you want to sign your own application or code, Visual Studio provides the SignTool command to do the same thing.
All it does is take a digital certificate that you downloaded into your local store from a CA, then signs the binary file with it. Linux developers have the SignCode tool that does something very similar. In both cases, the private key on your certificate is used to sign the file, creating a unique hash, and anyone can then check using your public key that the file was actually made by you.
This process prevents anyone else from distributing code or apps in your name, potentially infecting systems. This is the most secure and safe way to help raise security for users. As normal computer users are educated on the dangers of malware, seeing this dialog pop up saying who created the file can be useful. Sensitive environments can even be configured to only allow signed code to run. All of that is made possible thanks to code signing certificates.