Category Archives: Code Signing

Protect Your Private Keys: Three Easy Steps for Safe Code-Signing

December 19, 2013 by Bruce Morton     No Comments

A recent article by the Microsoft malware protection center, “Be a real security pro – Keep your private keys private,” reminded me of some best practices. There are far too many cases of illegitimate code being signed by a stolen private key for legitimately signed code-signing certificates. In these cases, the owners of the private [Read More...]

Java Secures Supply Chains through Code Signing

December 11, 2013 by Bruce Morton     No Comments

This post was originally published by Bruce Morton & Erik Costlow on the CA Security Council blog. We have recently discussed the benefits of code signing in two posts: Securing Software Distribution with Digital Signatures and Improving Code Signing. These posts covered the role of code signatures as a “digital shrinkwrap” designed to answer a simple question: [Read More...]

Filed Under: Code Signing Tagged With: Java, Oracle

Securing Software Distribution with Digital Code Signing

October 23, 2013 by Bruce Morton     No Comments

This post was originally published on the CA Security Council blog. Code signing certificates from publicly trusted Certification Authorities (CAs) fulfill a vital need for authentication of software distributed over the Internet in our interconnected world. As the commonly referred to “Internet of things” continues to grow, consumers have access to millions of applications for their [Read More...]

Code Signing: Best Practices

July 27, 2012 by Bruce Morton     1 Comment

The biggest issue with code signing is the protection of the private signing key associated with the code signing certificate. If the key gets compromised, then your certificate is worthless. A compromised key may also jeopardizethe software that you have already signed. Here are some best practices for code signing: 1. Minimize access to private [Read More...]

Self-Signed Versus Trusted CA Certificates

July 23, 2012 by Bruce Morton     No Comments

In most cases you have to sign your code in order to get it installed on the operating system. You can sign your code using a self-signed certificate or using a certificate issued by a publicly-trusted CA. Due to the costs of buying a code signing certificate from a publicly-trusted CA, some users will decide [Read More...]

What is Time-Stamping?

June 27, 2012 by Bruce Morton     No Comments

What happens to signed code when the code signing certificate expires? In many cases, an expired certificate means that the signature validation will fail and a trust warning will appear in the browser. Time-stamping was designed to alleviate this problem. The idea is that at the time, at which the code is signed, the certificate [Read More...]

Code Installation Trust Decision

June 21, 2012 by Bruce Morton     No Comments

The code has been signed, the user has started installation, and verification has taken place. How does the user know whether or not to accept the code? Here is a typical code verification security warning: The user must make their trust decision based on the above. The statement provides the following: File Name: In this [Read More...]

How to Digitally Sign Code

June 18, 2012 by Bruce Morton     No Comments

Various application platforms support code-signing and provide different tools to perform the signing. Here is a list of the more common code-signing types and references as to where you can find guides for the given application. Adobe AIR Adobe – Digitally signing an AIR file Apple Mac OS X Developer Library – Code Signing and [Read More...]

Verifying Code Authenticity

August 11, 2011 by Bruce Morton     1 Comment

When an end-user’s browser loads the code, it checks the authenticity of the software using the signer’s public key, signature and the hash of the file. If the signature is verified successfully, the browser accepts the code as valid. If the signature is not successfully verified, the browser will react by warning the user or [Read More...]

What is Code Signing?

July 15, 2011 by Bruce Morton     No Comments

From Wikipedia, “Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.” In order to sign the code, the publisher needs to generate a private-public key pair and [Read More...]