What is Code Signing?

Definition: Code signing is the process of digitally signing a program, file, software update or executable so that its authenticity and integrity can be verified upon installation and execution.

Code Signing explained

Code signing certificates are used by software developers and distributors to digitally sign executables and software programs so that end users can verify that the code they receive has not been tampered with. The ultimate aim is to assure the end user that the software they download comes from a trusted source.

A code signing certificate is a digital certificate, issued by a Certificate Authority, that prominently displays the name of the publisher and, if required, a timestamp. The certificate binds the identity of an organization to a public key; that public key is mathematically related to a private key held only by the organization (together they form the key pair), and the certificate is traceable back to a trusted Certificate Authority. The system of private and public keys, certificates and Certificate Authorities is called Public Key Infrastructure (PKI). The developer signs code with its private key, and the end user uses the public key in the developer's certificate to verify the signature and the developer's identity:

  • If the system trusts the certificate and the signature verifies, the download or execution proceeds.
  • If there is no certificate, if the system does not trust the root, or if the hashes do not match (i.e., the code or the signature has been tampered with), the download is interrupted with a warning informing the user that the software may not be trusted.

The integrity of the whole system relies on protecting the private keys from unauthorized access. Best practice is to store keys in secure, tamper-resistant cryptographic hardware such as Hardware Security Modules (HSMs).
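The sign-and-verify flow described above, as an added example that is not part of the original page and not Utimaco's or CREAplus's code: a constructed root CA issues a code-signing certificate to a publisher, the publisher signs the SHA-256 hash of a program with its private key, and the end-user side checks the certificate chain, the code-signing key usage and the signature over the received bytes. The CA name, publisher name and program bytes are constructed sample values; the private keys are in-memory keys for illustration, where in production they would be generated inside an HSM and never exported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Publisher is the developer side: a code-signing certificate issued by a CA
// and the matching private key. In production the key lives in an HSM and
// never leaves it; here it is an in-memory key purely for illustration.
type Publisher struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// SignedArtifact is what the end user downloads: the program bytes, the
// publisher's certificate (DER) and the signature over SHA-256 of the bytes.
type SignedArtifact struct {
	Data      []byte
	CertDER   []byte
	Signature []byte
}

func newTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// NewCA creates a self-signed root CA (a constructed example root, not a real one).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := newTemplate(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssuePublisher has the CA bind a publisher name to a fresh public key in a
// certificate whose extended key usage is restricted to code signing.
func IssuePublisher(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string) (*Publisher, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := newTemplate(2, name)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Publisher{Cert: cert, key: key}, nil
}

// Sign hashes the program with SHA-256 and signs the digest with the private key.
func (p *Publisher) Sign(program []byte) (*SignedArtifact, error) {
	digest := sha256.Sum256(program)
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedArtifact{Data: program, CertDER: p.Cert.Raw, Signature: sig}, nil
}

// Verify is the end-user side. It returns the publisher name only if the
// certificate chains to a trusted root, is valid for code signing, and the
// signature matches the hash of the received bytes; otherwise it returns an error.
func Verify(a *SignedArtifact, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(a.CertDER)
	if err != nil {
		return "", fmt.Errorf("bad certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(a.Data)
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return "", fmt.Errorf("signature does not match content hash")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := NewCA("Example Root CA")
	pub, _ := IssuePublisher(ca, caKey, "Example Software GmbH")
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the end user's trust store holds only this root

	program := []byte("constructed sample installer bytes")
	art, _ := pub.Sign(program)
	fmt.Println(Verify(art, roots)) // publisher name, <nil>

	// Tampered copy: one byte changed, so the hash no longer matches the signature.
	tampered := *art
	tampered.Data = append([]byte("X"), program[1:]...)
	fmt.Println(Verify(&tampered, roots))

	// Certificate issued by a root the end user does not trust.
	otherCA, otherKey, _ := NewCA("Unknown Root")
	otherPub, _ := IssuePublisher(otherCA, otherKey, "Someone Else")
	otherArt, _ := otherPub.Sign(program)
	fmt.Println(Verify(otherArt, roots))
}
```

The three `Verify` calls in `main` correspond to the two bullets above: the untouched artifact passes, while a modified byte (hash mismatch) and a certificate from an unknown root both fail before anything would be installed.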

How can the protection of code signing certificate private keys be increased?

Effective 15 November 2022, the code signing certificate key pair must be generated and stored in a hardware security module (HSM) that meets or exceeds the requirements of FIPS 140-2 Level 2 or Common Criteria EAL4+. This means the key pair is generated inside a device from which the private key cannot be exported. This reduces the likelihood of code signing certificate private key compromise, which in turn mitigates the risk to relying parties of installing signed malware on their systems.

----
Source: Utimaco

News

CREAplus Supported DragonHack 2022 Hackathon

CREAplus is, for the second time in a row, a supporter and sponsor of DragonHack, the Slovenian student hackathon.


CREAplus Successfully Delivered Event "Security on autopilot"

26 participants attended our event "Security on autopilot" on 12 May 2022!


Technical Training on Hardware Security Module (HSM)

CREAplus, authorized Utimaco training partner, will deliver an online hands-on technical training on general-purpose hardware security modules (HSM) on 8 - 9 September 2022.


CREAplus Successfully Delivered Two Trainings on HSM

CREAplus successfully delivered two online hands-on technical trainings on the Utimaco hardware security module (HSM) for a large multinational corporation in April 2022.


Event: Security on autopilot

Finally, a physical event again! Join our event "Security on autopilot" on Thursday, 12 May 2022, in Ljubljana, Slovenia.
