Common Topics for Home Products

F-Secure code signing

Digital Code Signing

F-Secure signs installer packages and binary files digitally with code signing certificates obtained from trusted certification authorities. This is one way to assure anyone downloading and installing products from F-Secure that the downloaded package is prepared and coming from F-Secure Corporation and is unaltered. Microsoft Windows and Apple OS X operating systems check the digital signatures automatically when you start software installation but you can also check the signatures manually. Here is some basic information about the certificates we use for Windows and OS X code signing and some hints to the tools that can be used to show information about the signatures.

Windows code signing

Standard Authenticode certificate

Common name: F-Secure Corporation
Organization: F-Secure Corporation
SHA1 fingerprint: 35 D8 A1 37 2C A4 02 B0 C8 A4 39 BB 8A 31 1F 29 39 99 E8 AB
SHA256 fingerprint: AD 5F D7 86 36 44 26 C8 37 93 D5 48 EB B5 1F 47 93 EB 09 D4 A7 42 9A 87 59 E1 63 40 C1 D6 BE 80
Issued by: GlobalSign CodeSigning CA - G2 issued by GlobalSign Root CA

Extended Validation Authenticode certificate

Issuing an Extended Validation certificate requires extensive verification of the certificate requester's identity and the subject field of a certificate reflects this.

Common name: F-Secure Corporation
Organization: F-Secure Corporation
SHA1 fingerprint: 5F 82 67 96 43 A4 07 97 F9 14 92 46 24 F2 67 62 4B 98 BD F5
SHA256 fingerprint: EF AD 46 D3 E1 5B D7 30 35 B7 DF 17 9F 3A 9D 1B E2 D2 4C E5 3B 4E 36 C7 FB 45 02 65 AD 46 2C D4
Issued by: DigiCert EV Code Signing CA (SHA2) issued by DigiCert High Assurance EV Root CA

Use Windows Explorer to view "Digital Signatures" tab in file properties.

To manually check the signature of an installer package use

signtool.exe verify /pa /v [filename]

from command line. Signtool utility is available as part of Microsoft Windows SDK.

To check the SHA256 fingerprint of a certificate, first export the certificate from a file using Windows Explorer using Copy to File... in Certificate properties. Then use

openssl.exe x509 -in [certificate_file] -inform der -noout -fingerprint -sha256

to get the fingerprint.

Files signed with either of these certificates have also been time stamped with GlobalSign or DigiCert certificates respectively.

macOS code signing

Installer certificate

Common name: Developer ID Installer: F-Secure Corporation
Organization: F-Secure Corporation
Organizational Unit: 6KALSAFZJC
SHA1 fingerprint: 6B 8A 26 62 64 D1 B4 5A 49 03 C2 69 3E 59 6D A0 63 80 74 C0
SHA256 fingerprint: 46 61 84 AF DC C7 2F 07 98 24 BD 25 57 FB DF FA F9 92 A1 48 98 A6 92 3C 5D E3 B0 CD 01 64 7B AF
Issued by: Developer ID Certification Authority issued by Apple Root CA

Application certificate

Common name: Developer ID Application: F-Secure Corporation
Organization: F-Secure Corporation
Organizational Unit: 6KALSAFZJC
SHA1 fingerprint: D7 34 B1 F3 C0 BC 79 95 95 6A FD DD A3 78 1C CF FA 85 E0 8B
SHA256 fingerprint: 54 DE 5B 6F 35 6E 8A 1A D2 53 90 4C 81 41 8E 77 B0 F2 32 9C FB E3 4E ED 75 4E 84 CE 2D 57 9E 41
Issued by: Developer ID Certification Authority issued by Apple Root CA

New certificates from August 2017 onwards:

Installer certificate

Common name: Developer ID Installer: F-Secure Corporation (6KALSAFZJC)
Organization: F-Secure Corporation
Organizational Unit: 6KALSAFZJC
SHA1 fingerprint: 62 9C C0 72 D5 2C 43 1A C4 B8 35 7E 81 88 D5 8C 9F F4 D9 77
SHA256 fingerprint: A8 B5 DE F6 0F 91 50 5B 53 29 C4 81 C9 5C A3 DB 05 73 4B D5 41 39 0B 50 11 EB 65 5D 78 0E 93 6E
Issued by: Developer ID Certification Authority issued by Apple Root CA

Application certificate

Common name: Developer ID Application: F-Secure Corporation (6KALSAFZJC)
Organization: F-Secure Corporation
Organizational Unit: 6KALSAFZJC
SHA1 fingerprint: 90 EC CA 60 74 05 51 19 99 1D 27 B9 A3 A1 2E 84 6D 3C 9A 78
SHA256 fingerprint: B5 73 52 D7 2A 92 E9 86 62 29 DF 5B 94 8F 98 D1 19 64 78 AF 57 FA 82 BD 58 85 44 52 5E 72 F3 56
Issued by: Developer ID Certification Authority issued by Apple Root CA

Open the installer package in Finder and click the lock icon on the upper right corner of the installer window to view the certificate information.

To manually check the signature of an installer package use

pkgutil --check-signature [filename]

from command line. This command is usable also for mounted application bundles. The organizational unit can also be viewed with command

codesign --display --verbose=3 [application]

that reports it as TeamIdentifier value along with a time stamp. Pkgutil and codesign utilities are part of standard OS X installation.

To check the SHA256 fingerprint of a certificate, first mount the disk image (.dmg) and then export the certificate from the application using command

codesign --display --extract-certificates /Volumes/[mount]/[application.app]

. Then use

openssl x509 -in codesign0 -inform der -noout -fingerprint -sha256

to get the fingerprint.

About other signatures

Certain components in our solutions are licensed from our technology partners and a small number of files is signed by these partners.