<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>signmycode</title>
        <link>https://paragraph.com/@signmycode</link>
        <description>Code Signing Certificate Provider</description>
        <lastBuildDate>Fri, 10 Jul 2026 18:51:33 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <copyright>All rights reserved</copyright>
        <item>
            <title><![CDATA[460-Day Code Signing: A New Era of Trust and Automation Begins Today]]></title>
            <link>https://paragraph.com/@signmycode/460-day-code-signing</link>
            <guid>FGcSpIGDyefI4Avm3bZb</guid>
            <pubDate>Thu, 19 Feb 2026 04:37:35 GMT</pubDate>
            <description><![CDATA[Prepare for 460-day code signing limits. Automate renewals, modernize signing workflows, and maintain trusted releases without last-minute renewals.]]></description>
            <content:encoded><![CDATA[<p>Code signing certificates changed from being stored in the form of plain files to being stored on hardware solutions such as USB tokens and HSMs.</p><p><strong>The shift was initiated by some&nbsp;industry giants and the&nbsp;CA/Browser Forum (CA/B Forum)</strong>, which eventually led to stronger protection for&nbsp;private keys. This was done by ensuring that the certificates do not get easily extracted or misused.</p><p>Three years after this event happened, there is going to be another major change. This change will now focus on the lasting validity of the certificates in addition to how the certificates are stored.</p><h2 id="h-new-rule-shorter-lifespan-stronger-security" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">New Rule: Shorter Lifespan, Stronger Security</h2><p>The CA/B forum has introduced a new policy that comes into effect from March 1, 2026. According to this policy,&nbsp;<strong>the maximum validity of the code signing certificates has been decreased from 39 months (three years) to 460 days (about 15 months).</strong></p><h3 id="h-whats-after-february-2026" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">What’s After February 2026?</h3><p><strong>DigiCert</strong>&nbsp;will stop issuing 2 and 3-year public code signing certificates just before the deadline (24 February 2026) and will only issue up to 459 days of validity once the new rules kick in.</p><p>While&nbsp;<strong>Sectigo/Comodo/Certera</strong>&nbsp;are shifting to the same 459-day cap earlier in late February 2026, and changing multi-year product terms, like:</p><ul><li><p><strong>1-year Code Signing certificates</strong>&nbsp;will remain available via your current delivery method.</p></li><li><p><strong>Multi-year terms will require certificate re-issuance during the purchased term</strong>, because each issued certificate is limited to a maximum of 459 days, which means the certificate’s validity will no longer cover the full product term.&nbsp;</p></li><li><p>It means the&nbsp;<strong>order for the token and shipping</strong>&nbsp;will be limited to 1 year (365 days).</p></li><li><p><strong>HSM-based orders</strong>&nbsp;can be issued for 3 years, but re-issue would be required after 459 days.</p></li></ul><blockquote><p><strong>Please Note:&nbsp;</strong>As a reseller, our cut-off date is 2-3 days before CA’s date, which is Feb 15, 2026. Kindly purchase and issue your multi-year code signing certificate on/before 15th Feb 2026 to avoid frequent renewals and continue the 39 months validity.</p></blockquote><h3 id="h-the-shorter-lifespan-for-the-certificates-will" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The shorter lifespan for the certificates will:</h3><ul><li><p>Use automation and switching keys frequently.</p></li><li><p>Strengthen the&nbsp;software supply chain&nbsp;to withstand new threats.</p></li><li><p>To track changing cryptography and corresponding laws.</p></li></ul><h2 id="h-importance-of-shorter-validity" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Importance of Shorter Validity</h2><p>The changes have been made not to cause any inconvenience to the developers, but in order to minimize the risk.</p><ul><li><p>If the private key is compromised, the certificate with a small duration can have limited exposure.</p></li><li><p>The certificates can also maintain cryptography with the evolving standards.</p></li><li><p>The shorter validity can lead to the&nbsp;best practices for key management&nbsp;and certificate renewal.</p></li></ul><p>This shift follows previous shifts in the certification of the SSL/TLS, where the validity periods were reduced gradually to enhance agility and trust.</p><h2 id="h-who-is-affected" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Who is Affected?</h2><p>No matter if you are an individual developer or a company that develops an app or uses&nbsp;trusted code signing certificates, it will affect you. The degree of change will be influenced by the way your signing environment is configured.</p><ul><li><p><strong>Hardware Token Users</strong>: <span data-name="red_circle" class="emoji" data-type="emoji">🔴</span> High — tokens and certificates need replacement every 15 months. Shorten renewal cycles or migrate to cloud-based signing.</p></li><li><p><strong>Cloud Signing Service Users</strong>: <span data-name="green_circle" class="emoji" data-type="emoji">🟢</span> Low — automation via platforms (e.g., DigiCert KeyLocker, Azure KeyVault) handles this. Maintain existing automated workflows.</p></li><li><p><strong>Developers with Legacy Systems</strong>: <span data-name="orange_circle" class="emoji" data-type="emoji">🟠</span> Moderate — manual renewals become frequent and error-prone. Update CI/CD pipelines with automatic signing APIs.</p></li></ul><p><strong>Source</strong></p><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://signmycode.com/blog/code-signing-certificate-validity-changes-a-new-era-of-trust-and-automation">460 Day Code Signing Certificate Validity: A New Era of Trust and Automation</a></p>]]></content:encoded>
            <author>signmycode@newsletter.paragraph.com (signmycode)</author>
            <category>codesigning</category>
            <category>softwaresec</category>
            <category>appsecurity</category>
            <category>codesecurity</category>
            <category>smartscreen</category>
            <enclosure url="https://storage.googleapis.com/papyrus_images/d959a13971b9ba65ed0de18778e554cc4b80b9995363dbcc05709b847c064027.jpg" length="0" type="image/jpg"/>
        </item>
    </channel>
</rss>