Securing Software Distribution with Digital Code Signing
This post was originally published on the CA Security Council blog.
Code signing certificates from publicly trusted Certification Authorities (CAs) fulfill a vital need for authentication of software distributed over the Internet in our interconnected world. As the commonly referred to “Internet of things” continues to grow, consumers have access to millions of applications for their desktops, laptops, and mobile devices. Creative software engineers provide us with applications to cover any of our potential needs or interests. Cybercriminals and others with malicious intent recognize this as an opportunity and seek to trick us into installing malicious software (malware) — programs that hijack our computers, steal our money, or try to inflict harm.
Code signing certificates play a key role in helping users identify authentic software code from reputable publishers and receive the assurance that the code has not been tampered with beforehand. Effectively, code signing certificates help create a “digital shrinkwrap” on the software. Not only do users benefit because the digital signature identifies the source of the code, but software publishers are also able to protect and safeguard the integrity of their brand.
The CASC is starting an initiative to add information regarding code signing to our website. The use of code signing certificates is not as popular as using SSL certificates, but the risk might be greater.
To start the initiative off, we have created a white paper. This paper provides an overview of code signing, some configuration choices, and best practices. Please note that the white paper is introductory and the user of the code signing certificate will have to understand what options are supported in his environment.
In the future, the CASC will discuss code signing problems, solutions and industry new developments.
Updated October 23, 2013: Here is the Entrust code signing white paper.