code signing

(redirected from Code-signing)

code signing

A method of ensuring that an executable program has come from a valid software publisher and has not been altered by anyone in between. An EXE, CAB, driver or other executable file is digitally signed and transmitted along with a digital certificate from a certification authority (CA) such as VeriSign, Thawte or Go Daddy.

Verifying the Signed Certificate
After the code-signed executable is downloaded from a website, its certificate is extracted by the user's browser. From an internal list of CAs and their public keys, the browser uses the public key to verify the certificate's signature.

Verifying the Signed Executable
Next, the publisher's public key is used to verify the signature created from the executable's binary content. The public key decrypts the signature back into the digest, which is compared to the newly computed digest at the client side. If they match, the executable has not been tampered with. For more details, see digital certificate and digital signature.

Object and Code Signing
The terms object signing and code signing are used interchangeably; however, object signing refers to any file delivered in this manner. Code signing refers only to executables, which is the major concern when downloading from the Internet. See PKCS.


The Short Version
The executable is signed with the software publisher's private key. When opened for use, its signature is verified. The details of the process are diagrammed below.







The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.


The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.
References in periodicals archive ?
The company provides a full suite of certificate products spanning all validation levels for website certificates, certificates for code-signing and email-signing, and the Comodo certificate manager platform.
trust system behind code-signing has now been undermined, as the mere presence
Hosted at 100% Optical last month (February 7-9), more than 100 design entries were received for the competition, which boasted the prize of code-signing a capsule collection of frames with the company's founder Tom Davies.
Additionally, encryption is used for code-signing, document verification, and other digital certificates, noted Kissel.
But he warned that even if that code-signing measure were put in place today, it could take 10 years or more to iron out the USB standard's bugs and pull existing vulnerable devices out of circulation.
The cryptographic attack, known as an MD5 chosen prefix collision, was used by Flame's creators to generate a rogue Microsoft digital code-signing certificate that allowed them to distribute the malware to Windows computers as an update from Microsoft.
The code-signing was first unveiled by deputy prime minister Nick Clegg, who has been insisting on a stricter monitoring of the banking system.
Instead, Microsoft adopted a code-signing approach that works much like the holographic seals it uses on its packaging to guarantee authenticity.
Over the past decade thawte has issued over 600,000 SSL and code-signing certificates, and over a million free personal email certificates.
org/wiki/MD5#Collision_vulnerabilities) MD5 algorithm utilized state-sponsored malware known as Flame and was able to forge a Windows code-signing certificate and distribute itself through patches to millions of users.
Initially, this service focused on server certificates but in recent years has been expanded to include certificates to support personal certificates and code-signing certificates.
As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware".