code signing


Also found in: Dictionary, Medical, Wikipedia.

code signing

A method of ensuring that an executable program has come from a valid software publisher and has not been altered by anyone in between. An EXE, CAB, driver or other executable file is digitally signed and transmitted along with a digital certificate from a certification authority (CA) such as VeriSign, Thawte or Go Daddy.

Verifying the Signed Certificate
After the code-signed executable is downloaded from a website, its certificate is extracted by the user's browser. From an internal list of CAs and their public keys, the browser uses the public key to verify the certificate's signature.

Verifying the Signed Executable
Next, the publisher's public key is used to verify the signature created from the executable's binary content. The public key decrypts the signature back into the digest, which is compared to the newly computed digest at the client side. If they match, the executable has not been tampered with. For more details, see digital certificate and digital signature.

Object and Code Signing
The terms object signing and code signing are used interchangeably; however, object signing refers to any file delivered in this manner. Code signing refers only to executables, which is the major concern when downloading from the Internet. See PKCS.


The Short Version
The executable is signed with the software publisher's private key. When opened for use, its signature is verified. The details of the process are diagrammed below.







The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.


The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.
References in periodicals archive ?
Therefore, DigiCert is a great choice for Audio4fun to digitally sign and update its new Code Signing Certificate for the best-selling product, Voice Changer Software Diamond.
Apparently, every time Apple ceases code signing for a firmware, it also closes the vulnerabilities that allow jailbreaks.
It had access to the Adobe code signing service, so the criminals could put in requests to have their malware certified as legitimate.
Developers of Windows Azure applications can sign their code with VeriSign Code Signing Certificates, which signal to end users that the applications come from a trusted publisher.
Until now, the area causing most concern to Smartphone 2003 developers is the difficulty of developing and testing on handheld devices that enforce code signing.
Nasdaq: SYMC) has announced it has completed its acquisition of VeriSignEoACAOs (Nasdaq: VRSN) identity and authentication business, which includes the Secure Sockets Layer (SSL) and Code Signing Certificate Services, the Managed Public Key Infrastructure (MPKI) Services, the VeriSign Trust Seal, the VeriSign Identity Protection (VIP) Authentication Service and the VIP Fraud Detection Service (FDS).
Cloud data protection, OASIS KMIP, code signing, new Global Encryption Trends study and a genuine World War II Enigma machine
the WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing v.
This is Symantecs fourth solution designed to serve the auto industry, in addition to Symantec Embedded Security: Critical System Protection, Code Signing, and Managed Public Key Infrastructure.
That case ruled software source code was speech protected by the First Amendment, and the same ruling could be used to argue that Apple's security code signing methods for iOS fall under that purview.
Enterprise Readiness of Consumer Mobile Platformsrated each platform on the basis of a number of criteria, including general device security, app security, code signing, authentication, device wipe ability, firewalling, and virtualisation, assigning each category a score out of five.
Pointed out by established security researcher Charles Miller (a four-time winner of the Pwn2Own hacking contest), the issue was that Apple's App Store's code signing could be bypassed by developers, spreading malware onto users' devices without their knowledge.