Archive for the ‘Digital Signature’ Category

How to Digitally Sign Code

Monday, June 18th, 2012 | Bruce Morton

Various application platforms support code-signing and provide different tools to perform the signing. Here is a list of the more common code-signing types and references as to where you can find guides for the given application.

  • Adobe AIR
  • Apple
  • Authenticode
  • Firefox XPI
  • Java
  • Microsoft Windows Macro and Visual Basic Signing

Code-Signing Series

This is the fifth post in our code-signing series. Check out the full list to read past entries and see what’s upcoming.

Verifying Code Authenticity

Thursday, August 11th, 2011 | Bruce Morton

When an end-user’s browser loads the code, it checks the authenticity of the software using the signer’s public key, signature and the hash of the file. If the signature is verified successfully, the browser accepts the code as valid. If the signature is not successfully verified, the browser will react by warning the user or rejecting the code, according to the level of security being used.


What is Code Signing?

Friday, July 15th, 2011 | Bruce Morton

From Wikipedia, “Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.”

In order to sign the code, the publisher needs to generate a private-public key pair and submit the public key to a certification authority (CA) along with a request to issue a code-signing certificate. The CA verifies the identity of the publisher and authenticates the certificate request. The CA bundles the identity of the publisher with the public key and signs the bundle, creating the code-signing certificate.

Armed with the code-signing certificate, the publisher is ready to sign the code. When the code is signed, several pieces of information are added to the original file. This information is used by the recipient’s browser to authenticate the publisher and check for code tampering. The entire sequence takes place as follows:

  • A hash of the code is produced
    • Public-key algorithms are inefficient for signing large objects, so the code is passed through a hashing algorithm creating a fixed-length digest of the file
    • The hash is a cryptographically unique representation of the file
    • The hash is only reproducible using the unaltered file and the hashing algorithm that was used to create the hash
  • The hash is signed using the publisher’s private key
    • The hash is passed through a signing algorithm using the publisher’s private key as an input
    • Information about the publisher and the CA is drawn from the code-signing certificate and incorporated into the signature
  • The original code, signature and code-signing certificate are bundled together
    • The code-signing certificate is added to the bundle because its public key is required to authenticate the code when it is verified

Following this process, the signed code is ready to be distributed and verified.
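The sequence above, together with the verification step described in “Verifying Code Authenticity”, as an added Go example that is not code from the original post. It assumes Ed25519 keys and a simplified `Cert` structure standing in for an X.509 code-signing certificate; all type and function names, the publisher name and the sample code are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Cert is a simplified stand-in for an X.509 code-signing certificate (assumption).
type Cert struct {
	Publisher  string
	Key, CASig []byte // publisher's public key; CA signature binding it to Publisher
}
// Bundle is what gets distributed: original code, signature and certificate.
type Bundle struct {
	Code, Sig []byte
	Cert      Cert
}

// tbs is the data the CA signs; issue is the CA step that creates the certificate.
func tbs(publisher string, key []byte) []byte { return append([]byte(publisher+"\x00"), key...) }
func issue(publisher string, pub ed25519.PublicKey, caKey ed25519.PrivateKey) Cert {
	return Cert{publisher, pub, ed25519.Sign(caKey, tbs(publisher, pub))}
}

// sign hashes the code, then signs the fixed-length digest with the publisher's private key.
func sign(code []byte, key ed25519.PrivateKey, c Cert) Bundle {
	digest := sha256.Sum256(code)
	return Bundle{code, ed25519.Sign(key, digest[:]), c}
}

// verify checks the certificate against the trusted CA key, then the code signature.
func verify(b Bundle, caPub ed25519.PublicKey) (string, error) {
	if !ed25519.Verify(caPub, tbs(b.Cert.Publisher, b.Cert.Key), b.Cert.CASig) {
		return "", fmt.Errorf("certificate for %q not issued by the trusted CA", b.Cert.Publisher)
	}
	digest := sha256.Sum256(b.Code)
	if !ed25519.Verify(b.Cert.Key, digest[:], b.Sig) {
		return "", fmt.Errorf("code altered since %q signed it", b.Cert.Publisher)
	}
	return b.Cert.Publisher, nil
}

// setup returns a bundle over constructed sample code plus the CA key the verifier trusts.
func setup() (Bundle, ed25519.PublicKey) {
	caPub, caKey, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	pub, key, _ := ed25519.GenerateKey(nil)
	return sign([]byte("echo hello"), key, issue("Example Publisher", pub, caKey)), caPub
}
func main() { fmt.Println(verify(setup())) }
```

The certificate check comes first because a valid signature only proves which key signed the code; the certificate, checked against a CA the verifier already trusts, is what ties that key to a publisher.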

Why Code Sign?

Friday, June 24th, 2011 | Bruce Morton

Internet users constantly run into situations where they need to download software from websites. In many cases, the user was not planning to download software. However, to experience or use the functionality offered by the website, they need to make a spot decision: “Run” or “Don’t Run.”

In this case, the “run/don’t run” decision is whether or not to run the code that was downloaded. How does a user decide? How does a user or browser know whether or not to trust the software? The answer is code signing.

To assist in the trust decision process, the software publisher can digitally sign their code. The digital signature answers the questions of authentication and integrity, that is:

  • Who signed the code?
  • Has the code been tampered with since it was signed?

Armed with this information, the user can now make the “run/don’t run” decision.

Unfortunately, the digital signature does not answer the following questions:

  • Can I trust the software publisher?
  • Does the code contain malware?

Unsigned code, on the other hand, provides no evidence of authenticity or integrity. The publisher is not identified and, therefore, cannot be held accountable. In addition, the code is subject to tampering. Unsigned code cannot be trusted, except under special circumstances.

“What is Code Signing?” will be covered in the next post of this series.