code signing


Also found in: Dictionary, Medical, Wikipedia.

code signing

A method of ensuring that an executable program has come from a valid software publisher and has not been altered by anyone in between. An EXE, CAB, driver or other executable file is digitally signed and transmitted along with a digital certificate from a certification authority (CA) such as VeriSign, Thawte or Go Daddy.

Verifying the Signed Certificate
After the code-signed executable is downloaded from a website, its certificate is extracted by the user's browser. From an internal list of CAs and their public keys, the browser uses the public key to verify the certificate's signature.

Verifying the Signed Executable
Next, the publisher's public key is used to verify the signature created from the executable's binary content. The public key decrypts the signature back into the digest, which is compared to the newly computed digest at the client side. If they match, the executable has not been tampered with. For more details, see digital certificate and digital signature.

Object and Code Signing
The terms object signing and code signing are used interchangeably; however, object signing refers to any file delivered in this manner. Code signing refers only to executables, which is the major concern when downloading from the Internet. See PKCS.


The Short Version
The executable is signed with the software publisher's private key. When opened for use, its signature is verified. The details of the process are diagrammed below.







The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.


The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.
References in periodicals archive ?
We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software," the blog post says.
Developers of Windows Azure applications can sign their code with VeriSign Code Signing Certificates, which signal to end users that the applications come from a trusted publisher.
Until now, the area causing most concern to Smartphone 2003 developers is the difficulty of developing and testing on handheld devices that enforce code signing.
Code signing is used not only by software publishers but by all types of organizations writing software and firmware.
The evasi0n exploit bypasses code signing by interposing with an incomplete codesign bug in the dynamic loader.
ChosenSecurity Inc announced on Tuesday that the Unified Test Initiative (UTI) is using its TC TrustCenter division to provide a mobile code signing platform for global Java developers using the newly relaunched Java Verified programme.
Cui pointed out that current security solutions don't work with embedded systems like VoIP phones and printers and code signing isn't enough.
Enterprise Readiness of Consumer Mobile Platformsrated each platform on the basis of a number of criteria, including general device security, app security, code signing, authentication, device wipe ability, firewalling, and virtualisation, assigning each category a score out of five.
The goal for the Certs 4 Less mobile site is to tap into the ever growing use of mobile devices accessing the internet and to offer this additional option when purchasing an SSL Certificate and/or Code Signing Certificate.
This offer is also available to software developers who require a Code Signing Certificate to digitally sign their software.
Code Signing and other high assurance digital signatures - nShield Edge supports the typical laptop or workstation environment and is the perfect source of trusted signatures, even if quorum based user signing is required.
Certs 4 Less, in addition to its everyday competitive prices, will be offering 29% off to customers that order SSL Certificates or Code Signing Certificates between now and March 6 2012.