Documents | What does "signed by publisher" mean?

If you see an application with the green "Signed by Publisher" badge, it means the application was signed with an SSH private key whose public key is registered on the publisher's GitHub account.

You can verify this manually by following the steps below.

How to verify whether an app was signed by its publisher

Prerequisites for this article

  • Windows OS
  • Installed Git for Windows
  • Add "C:\Program Files\Git\usr\bin" to the PATH environment variable so that the "openssl" and "ssh-keygen" commands can be run from the command prompt.

Step 1. Get the SSH public key of publisher's GitHub account

  1. Open the publisher's GitHub profile page.
    fig.1
  2. Append ".keys" to the URL, and open it.
    fig.2
  3. The page lists the publisher's SSH public keys.
    fig.3

Step 2. Get the public key from the signed application

  1. Open the certificate link and download the .cer file of the signed application.
    fig.4
  2. Open a command prompt, extract the public key from the .cer file (DER format) and save it as a PEM file with the following command.
    > openssl x509 -in ".cer file path" -inform DER -pubkey -noout > "PEM public key file path"
  3. Convert the public key from PEM to SSH format with the following command.
    > ssh-keygen.exe -i -m PKCS8 -f "PEM public key file path"
  4. The command prints the code-signing public key in SSH format.
    fig.5

Step 3. Compare public keys

Compare the SSH-format public keys from Step 1 and Step 2.

If one of the publisher's GitHub keys is identical to the key extracted from the certificate, the application was signed with a private key owned by the publisher.
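The three steps above can be scripted. The following PowerShell script is an added example, not part of the original article: it runs the same openssl and ssh-keygen commands from Git for Windows (assumed to be on PATH), fetches the publisher's keys from https://github.com/<user>.keys, and compares the key type and base64 body while ignoring any trailing comment. The script name and parameter names are this example's own.

```powershell
# Added example: check whether a downloaded .cer was signed with a key
# listed on the publisher's GitHub account (Steps 1-3 of the article).
# Assumes openssl.exe and ssh-keygen.exe from Git for Windows are on PATH.
param(
    [Parameter(Mandatory)][string]$CerPath,     # downloaded .cer file (DER)
    [Parameter(Mandatory)][string]$GitHubUser   # publisher's GitHub account name
)

$ErrorActionPreference = 'Stop'

# Reduce an SSH public key line to "<type> <base64>" so that a differing
# or missing comment does not cause a false mismatch.
function Normalize-SshKey([string]$line) {
    $parts = $line.Trim() -split '\s+'
    if ($parts.Count -lt 2) { return $null }
    return "$($parts[0]) $($parts[1])"
}

# Step 2: extract the public key (PEM) from the DER certificate and
# convert it to SSH format, exactly as the article's two commands do.
$pemPath = Join-Path $env:TEMP 'signer-pubkey.pem'
& openssl x509 -in $CerPath -inform DER -pubkey -noout |
    Set-Content -Path $pemPath -Encoding ascii
$certKey = Normalize-SshKey (& ssh-keygen -i -m PKCS8 -f $pemPath)
Remove-Item $pemPath

# Step 1: fetch the publisher's currently registered SSH public keys.
$publisherKeys = (Invoke-RestMethod -Uri "https://github.com/$GitHubUser.keys") -split "`r?`n" |
    ForEach-Object { Normalize-SshKey $_ } |
    Where-Object { $_ }

# Step 3: compare. Exit code 0 means a match, 1 means no match.
if ($certKey -and ($publisherKeys -contains $certKey)) {
    Write-Output "MATCH: the certificate key is registered on $GitHubUser's GitHub account."
    exit 0
}
Write-Output "NO MATCH: the certificate key is not among $GitHubUser's GitHub SSH keys."
exit 1
```

Because the .keys page only shows keys currently registered on the account, a key the publisher has since removed from GitHub will no longer match even though it was theirs at signing time.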

If you trust the publisher and have confirmed in this way that the application was signed with the publisher's private key, you have good reason to trust the application.
