Code signing has expanded from a Windows desktop distribution requirement into a foundational layer of software supply chain security. The statistics behind that shift reveal two concurrent trends: rapid growth in legitimate adoption driven by regulatory and platform mandates, and equally rapid growth in misuse as threat actors exploit the trust that signatures convey.

This article compiles usage statistics, incident data, and market figures from published research and industry sources to give a grounded picture of where code signing stands in 2026.

 

Adoption Statistics: Where Organizations Stand

 

Overall implementation rate

According to Encryption Consulting’s Global Encryption Trends 2025 Report, 54% of organizations had implemented code signing by 2024, and 87% of respondents indicated plans to increase their use of cryptographic controls. That 54% implementation figure represents significant growth from prior years but also indicates that nearly half of software-producing organizations still distribute without signatures.

The gap between large enterprises and smaller publishers is pronounced. Enterprise adoption is driven by security policies, platform requirements (Microsoft Defender Application Control, enterprise software distribution systems), and compliance mandates. Independent developers and smaller software publishers have historically signed at lower rates, although platform-level enforcement and the availability of low-cost options like Microsoft Trusted Signing are narrowing that gap.

 

DevSecOps pipeline integration

Code signing’s most significant operational trend is its movement from a manual release-time activity to an automated CI/CD pipeline step. GitLab’s 2024 Global DevSecOps Report found that 56% of developers said their organization had adopted a DevSecOps platform. Within those organizations, signing is increasingly a pipeline gate rather than a manual checklist item.

Pipeline-integrated signing has direct consequences for the hardware delivery question. Physical USB tokens cannot be used in cloud CI/CD runners; the growth of pipeline-integrated signing has accelerated demand for cloud HSM signing services and provider-managed signing platforms. Microsoft Trusted Signing, DigiCert KeyLocker, and SSL.com eSigner all saw adoption growth in 2024 and 2025 partly driven by teams modernizing their signing workflows for pipeline compatibility.

 

The Digital Signature Market: Scale and Growth

The digital signature market (which encompasses code signing, document signing, and identity verification applications) was projected at $9.94 billion in 2024 and is forecast to reach $70.25 billion by 2030, representing a compound annual growth rate of approximately 38.5% (Encryption Consulting Global Encryption Trends 2025 Report). Code signing is one component of this market, with growth driven by regulatory pressure, supply chain security mandates, and expanding platform requirements.

The CA/B Forum Code Signing Certificate Working Group, whose minutes are publicly available, confirmed that Windows and the Microsoft ecosystem represent the primary target platform for code signing both in terms of volume and in terms of documented abuse. Apple and Android ecosystems operate stricter trust models and have historically seen less general-cybercrime abuse, though higher-impact state-actor incidents occur on those platforms.

 

The Regulatory Shift: Key Policy Changes 2023 to 2026

 

Date Change Impact
June 2023 CA/B Forum CSBR: all code signing private keys required on FIPS 140-2 Level 2+ hardware Eliminated software (PFX file) certificate delivery; forced migration to hardware tokens and cloud HSMs
August 2024 Microsoft removed EV certificate SmartScreen reputation bypass Equalized OV and EV reputation-building through download telemetry; removed primary commercial differentiation of EV for non-kernel use cases
March 2026 CA/B Forum Ballot CSC-31: maximum certificate validity reduced from 39 months to 460 days Ended multi-year certificate purchasing; requires more frequent renewal cycles; aligns with shorter-lived TLS trends

 

The 460-day validity reduction effective March 2026 has renewal implications for organizations that had budgeted on 2- or 3-year certificate cycles. Certificates ordered before March 2026 under the old maximum validity may have different terms than certificates ordered after. Many CA pricing pages have not fully updated to reflect the change, which is causing purchasing confusion.

 

The Signed Malware Problem: Statistics and Scale

The most counterintuitive usage statistic in code signing is that malware is often more likely to be signed than legitimate software. Trend Micro’s research found that a larger percentage of malware samples downloaded to computers carry valid digital signatures than the percentage of benign software that is signed. The practical implication: for security products and enterprise policies, a valid Authenticode signature is a weak positive signal for safety, not a strong one.

Several documented campaigns illustrate the scale of certificate abuse:

 

BaoLoader campaign (2018 to 2025)

Security researchers uncovered a seven-year campaign in which threat actors cycled through at least 26 code signing certificates to distribute malware disguised as productivity software (PDF editors, browser utilities). The certificates were obtained from legitimate CAs by registering shell companies or through identity fraud. When one certificate was revoked, the operation obtained a new one and continued. The longevity of the campaign demonstrates that certificate revocation, while necessary, is insufficient as a standalone defense when new certificates can be obtained.

 

Hijack Loader and Lumma stealer (2024)

In late 2024, HarfangLab researchers uncovered the Hijack Loader campaign using legitimate code signing certificates to sign malware deploying the Lumma information stealer. The legitimate signatures allowed the malware to bypass security checks and reach more victims than unsigned payloads would have. This campaign contributed to renewed attention on certificate validation rigor at the CA level.

 

Microsoft Trusted Signing abuse (2025)

In early 2025, security researchers documented threat actors abusing Microsoft’s Trusted Signing service to sign malware. The service was designed for legitimate developers with low-friction onboarding. The short-lived certificates it issues were attractive to attackers because the per-certificate cost and bureaucratic barrier were lower than obtaining traditional OV certificates. Microsoft updated its validation and abuse detection processes in response. The incident illustrates the tension between accessibility and abuse resistance in any signing infrastructure.

 

The CA/B Forum’s Code Signing Certificate Working Group minutes from October 2025 captured a key observation about the signed malware problem: the abuse methods divide into two categories. The first is imposter companies obtaining certificates through fraudulent identity documentation. The second is stolen or compromised legitimate certificates being used by attackers. Neither problem has a simple general solution. Stricter validation slows legitimate issuance; faster revocation helps but only after detection. The working group acknowledged that even with improved processes, ‘certificates issued to imposter companies that are difficult to distinguish from legitimate ones’ remain a challenge.

 

Supply Chain Incidents: The Context Behind the Policy Changes

The policy changes of 2023 and 2024 were responses to documented supply chain incidents that demonstrated the stakes of signing infrastructure compromise:

  • SolarWinds (2020): Attackers compromised SolarWinds’ build environment and inserted malicious code into signed software updates distributed to approximately 18,000 customers. The update carried SolarWinds’ legitimate Authenticode signature. Every conventional security check passed. The breach affected US government agencies including the Treasury Department, Department of Homeland Security, and others. The SolarWinds incident is directly cited in OWASP’s A08 category (Software and Data Integrity Failures) as the canonical supply chain signing compromise.
  • AnyDesk (2024): AnyDesk disclosed a compromise of its production systems in February 2024. Code signing certificates and source code were among the affected assets. AnyDesk revoked affected certificates and issued new ones. The incident prompted organizations running AnyDesk to audit whether they had the compromised-certificate versions in their environments.
  • Microsoft service outages from certificate expiry (December 2024): Microsoft Teams experienced an outage on December 18, 2024, and Office 365 suffered an approximately 18-hour global outage shortly after. The root cause in both cases was certificates buried in libraries and dependencies that expired unexpectedly. These incidents are widely cited as evidence that certificate lifecycle management is a production reliability problem, not just a security problem.

 

Expanding Scope: Where Code Signing Is Growing

Beyond traditional Windows desktop executables, code signing adoption is expanding into:

  • Container images: Cosign (part of the Sigstore project) enables signing of container images in OCI registries. CNCF-backed projects and cloud-native organizations are increasingly requiring signed container images as supply chain security policy. The Sigstore project had signed billions of artifacts by late 2024.
  • Firmware and IoT: The expansion of code signing requirements to IoT firmware is documented in Encryption Consulting’s 2025 trends report. Regulatory pressure in healthcare, automotive, and industrial IoT is driving firmware signing mandates.
  • npm and Python packages: npm package provenance (linking packages to the build environments that produced them via OIDC attestation) and PyPI’s work on package signing represent the expansion of signing concepts into the open-source package ecosystem.
  • Serverless and cloud functions: Some platforms are extending signing requirements to serverless function code to provide integrity guarantees for cloud-native workloads.

 

The Signing Gap: Who Is Not Signing

Despite the 54% adoption figure, the signing gap is real and consequential. Analysis of software distribution patterns shows that unsigned software triggers Windows SmartScreen and UAC warnings that directly suppress installation rates. Enterprise deployment blocks unsigned software by policy, making unsigned software effectively invisible to IT-managed endpoints.

The organizations most likely to be in the non-signing 46%:

  • Independent developers and open-source projects distributing outside major app stores
  • Small software companies without dedicated release engineering processes
  • Internal tooling distributed without formal release processes
  • Organizations in regions with lower certificate market penetration

The cost and friction barriers for smaller publishers have decreased significantly with the availability of Microsoft Trusted Signing at approximately $10 per month and ACME-style automation approaches for managing the signing process. Whether this translates into adoption among the current non-signers is a trend to watch through 2026 and 2027.

 

Frequently Asked Questions

 

What percentage of software is currently signed with a code signing certificate?

Precise ecosystem-wide data is not publicly available and varies significantly by distribution channel. Software distributed through app stores (Microsoft Store, Apple App Store, Google Play) is universally signed as a condition of distribution. Software distributed directly (downloaded from vendor websites) shows much lower signing rates. The Encryption Consulting 2025 figure of 54% organizational adoption provides a supply-side indicator; the percentage of individual software titles that are signed is likely lower because that figure is skewed by many unsigned utilities and open-source projects. Platform enforcement is the main mechanism moving these numbers upward.

 

Is signed malware more common than unsigned malware?

Trend Micro’s research documented that a higher percentage of malware downloads carry valid signatures than benign software downloads carry signatures, when measured across broad telemetry. This does not mean most malware is signed; the absolute volume of unsigned malware remains higher. What the statistic captures is that the security signal value of a signature has degraded: threat actors have learned to obtain or steal signatures, making signature presence alone an unreliable safety indicator. Security products weight signature presence alongside reputation, behavioral analysis, and other signals rather than treating it as a standalone trust signal.

 

Where can I find current code signing usage data?

Primary sources for current data include: the CA/B Forum public meeting minutes and mailing list archives at cabforum.org; Encryption Consulting’s annual Global Encryption Trends Report; VirusTotal’s annual Transparency Reports; Sonatype’s State of the Software Supply Chain report; and the Sigstore project’s public transparency logs at rekor.sigstore.dev for open-source artifact signing volumes. These sources collectively provide the most reliable current data on signing adoption, abuse patterns, and policy evolution.

Previous Post
Next Post