code signing

(redirected from Code-signing)

code signing

A method of ensuring that an executable program has come from a valid software publisher and has not been altered by anyone in between. An EXE, CAB, driver or other executable file is digitally signed and transmitted along with a digital certificate from a certification authority (CA) such as VeriSign, Thawte or Go Daddy.

Verifying the Signed Certificate
After the code-signed executable is downloaded from a website, its certificate is extracted by the user's browser. From an internal list of CAs and their public keys, the browser uses the public key to verify the certificate's signature.

Verifying the Signed Executable
Next, the publisher's public key is used to verify the signature created from the executable's binary content. The public key decrypts the signature back into the digest, which is compared to the newly computed digest at the client side. If they match, the executable has not been tampered with. For more details, see digital certificate and digital signature.

Object and Code Signing
The terms object signing and code signing are used interchangeably; however, object signing refers to any file delivered in this manner. Code signing refers only to executables, which is the major concern when downloading from the Internet. See PKCS.


The Short Version
The executable is signed with the software publisher's private key. When opened for use, its signature is verified. The details of the process are diagrammed below.







The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.


The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.
References in periodicals archive ?
In attacks dated 2014 and earlier, the group misused stolen code-signing certificates and employed unusual methods like compromising hotel Wi-Fi to place spying tools on targets' systems.
trust system behind code-signing has now been undermined, as the mere presence
Hosted at 100% Optical last month (February 7-9), more than 100 design entries were received for the competition, which boasted the prize of code-signing a capsule collection of frames with the company's founder Tom Davies.
Additionally, encryption is used for code-signing, document verification, and other digital certificates, noted Kissel.
As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware".
Using this technique researchers were able to build a ROP payload on racoon's stack to mount a rogue HFS volume that injects code at the kernel level and patch its code-signing routines.
The cryptographic attack, known as an MD5 chosen prefix collision, was used by Flame's creators to generate a rogue Microsoft digital code-signing certificate that allowed them to distribute the malware to Windows computers as an update from Microsoft.
Instead, Microsoft adopted a code-signing approach that works much like the holographic seals it uses on its packaging to guarantee authenticity.
Over the past decade thawte has issued over 600,000 SSL and code-signing certificates, and over a million free personal email certificates.
Initially, this service focused on server certificates but in recent years has been expanded to include certificates to support personal certificates and code-signing certificates.
By implementing individual, code-signing and device/server digital certificates through trusted identity validation procedures, ORC provides its customers with: