How Attestation Letters Are Changing Software Security in 2026

AI-generated, human-reviewed.

The process of obtaining a code signing certificate is undergoing a dramatic change. Developers and organizations must now provide attestation letters—signed by licensed attorneys or CPAs—to verify their legitimacy before a certificate authority will approve their code signing credentials. On Security Now, Steve Gibson explained how these requirements are reshaping software security and what it means for developers moving forward.

Why Are Attestation Letters Required for Code Signing?

Code signing certificates are the backbone of trustworthy software distribution: they let users and operating systems confirm that a program comes from a legitimate source. With malware attacks rising and supply chain threats becoming more common, certificate authorities (CAs) need stronger proof that applicants are genuine.

Attestation letters serve as an independent verification that the entity requesting a certificate actually exists and is legitimate. Certificate authorities are obligated to confirm organizational details, addresses, and even the identities of certificate requesters—sometimes through face-to-face meetings.

According to Security Now, this move is intended to block fraudsters from acquiring certificates under fake identities, a tactic increasingly used to sign malware as trusted software.
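As an added illustration of what a code signature does and does not establish (example code written for this summary, not from Security Now, Steve Gibson, or any CA's tooling): the block below signs a constructed artifact with a freshly generated ECDSA key, shows that verification rejects a single flipped bit, and then has a second, unrelated key sign the same bytes. The subject labels, artifact bytes and function names are constructed for the example. The point it makes is the one the article rests on: the cryptography only proves that the holder of a particular key signed the file. Whether that key holder really is the organisation named on the certificate is decided entirely by the CA's identity validation, which is the step attestation letters are meant to strengthen.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer models a holder of a code-signing key. Subject is the organisation
// name a CA would have validated before issuing a certificate for the key;
// here it is a constructed label, not a real certificate field.
type Signer struct {
	Subject string
	key     *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair for the given subject label.
func NewSigner(subject string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Subject: subject, key: key}, nil
}

// Public returns the verification key a relying party would receive
// (in practice, carried inside the signer's certificate).
func (s *Signer) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign hashes the artifact with SHA-256 and produces an ASN.1 DER signature
// over the digest, the same basic construction real signing formats use.
func (s *Signer) Sign(artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Verify answers one question only: was this artifact signed by whoever
// holds the private key matching pub? It says nothing about whether that
// key holder is the organisation the certificate names; establishing that
// identity is the CA's job, and is what attestation letters support.
func Verify(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// CheckResults summarises what a verifier sees in the demonstration.
type CheckResults struct {
	GenuineVerifies     bool // vendor signature over the original bytes
	TamperedVerifies    bool // same signature over a modified artifact
	SecondKeyOwnOK      bool // second key's signature under its own public key
	SecondKeyUnderVendor bool // second key's signature under the vendor's key
}

// RunDemo signs a constructed artifact, tampers with it, and has a second,
// unrelated key sign the same bytes.
func RunDemo() (CheckResults, error) {
	var r CheckResults
	vendor, err := NewSigner("Example Software Ltd (constructed subject)")
	if err != nil {
		return r, err
	}
	second, err := NewSigner("Example Software Ltd (constructed, second key)")
	if err != nil {
		return r, err
	}
	artifact := []byte("constructed installer bytes, version 1.0") // constructed sample

	sig, err := vendor.Sign(artifact)
	if err != nil {
		return r, err
	}
	r.GenuineVerifies = Verify(vendor.Public(), artifact, sig)

	// Flip one bit: any change to the signed bytes must invalidate the signature.
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01
	r.TamperedVerifies = Verify(vendor.Public(), tampered, sig)

	// A different key signs the same artifact. The maths accepts it under its
	// own public key; only the CA's vetting of who owns which key tells the
	// two subjects apart, which is why identity validation matters.
	sig2, err := second.Sign(artifact)
	if err != nil {
		return r, err
	}
	r.SecondKeyOwnOK = Verify(second.Public(), artifact, sig2)
	r.SecondKeyUnderVendor = Verify(vendor.Public(), artifact, sig2)
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run as-is and the printed struct shows the genuine signature and the second key's own signature both verifying, while the tampered artifact and the cross-key check fail. A relying party that stops at "signature valid" cannot tell the two signers apart; that distinction comes only from the certificate chain and the validation the CA performed before issuing it.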

What Does the Attestation Process Look Like?

On Security Now, Steve Gibson shared his experience:

  • Applicants must secure a letter from a duly licensed attorney or CPA. This professional must have firsthand knowledge of the applicant’s organization and its officers.
  • The attesting professional completes a detailed form, confirming the legitimacy of the applicant and their business details.
  • Certificate authorities then verify the credentials of the attesting professional (often by contacting licensing boards or regulatory agencies).
  • In many cases, the attestation must be “wet-signed” (physically inked), with original documentation sent to the CA for approval.

The baseline requirements, which dictate the practices of CAs worldwide, have grown more complex—especially for developers operating as individuals or new businesses. Face-to-face validation and detailed identity checks are becoming standard.

Who Is Impacted by Code Signing Attestation?

Any developer or organization seeking a code signing certificate must comply. The process is especially challenging for:

  • Small businesses and solo developers with limited legal contacts.
  • Developers who’ve been grandfathered in with existing CAs, but must now establish new relationships.
  • Anyone applying for a code signing certificate after the new policies take effect (March 2026).

The requirement is less about bureaucratic hoops and more about protecting users. By relying on licensed professionals who put their own credentials on the line, CAs hope to make it far harder for malicious actors to sneak into the certificate ecosystem.

What You Need to Know

  • Attestation letters from attorneys or CPAs are now mandatory for code signing certificate issuance.
  • Certificate authorities rigorously verify both applicant and attesting professional before approval.
  • Expect more paperwork, higher costs, and delays when applying for new or renewed code signing certificates.
  • These requirements are part of broader efforts to reduce malware and supply chain attacks in commercial software.
  • For existing long-term CA relationships, you may be grandfathered in, but any new certificate will trigger the new process.
  • Individual developers face extra challenges, including the need for face-to-face identity validation and multiple supporting documents.

The Bottom Line

Attestation is becoming an industry standard for code signing, designed to boost trust and shut out fraud. While the process adds complexity and cost for legitimate developers, the goal is to protect users from software signed under stolen or fake identities. If you plan to distribute software, be prepared to work with a licensed attorney or CPA—and act before new policies fully take hold.

Subscribe for ongoing security news and actionable advice:
https://twit.tv/shows/security-now/episodes/1065