Code Installation Trust Decision

Bruce Morton

The code has been signed, the user has started installation, and verification has taken place. How does the user know whether or not to accept the code?

Here is a typical code verification security warning:

The user must make their trust decision based on the above. The statement provides the following:

  1. File Name: In this case it is AdbeRdr1010_en_US.exe
  2. Publisher Name: Adobe Systems, Incorporated
  3. Code-Signing Certificate: The user would need to click on the publisher name

How to make the installation trust decision:

  • Were you planning to install software? If so, proceed.
  • Check the file name and see if it indicates the software you were planning to install. In this case it is Adobe Reader 10, which the name seems to indicate.
  • Check the publisher name and see if this matches who you think wrote the software. This may be hard as the software download site may be different than the publisher’s site.
  • Check the code-signing certificate and see if the publisher’s name is in the certificate. Also, the user can see which CA issued the certificate and may trust the certificate based on the CA.

Here is a trust dialogue for code that you might not trust:

The file name is “App.exe,” which is not likely specific enough. The publisher’s name is “Unknown Publisher,” which means that a public CA did not verify the code-signing certificate. The code may not be harmful, but it was likely signed with a self-issued code-signing certificate. This means you cannot trust who signed the code. Thus, you should not trust the code.

Code-Signing Series

This is the fifth post in our code-signing. Check out the full list to read past entries and see what’s upcoming.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


Add to the Conversation