Securing Software Distribution with Digital Code Signing

Bruce Morton

This post was originally published on the CA Security Council blog.

Code signing certificates from publicly trusted Certification Authorities (CAs) fulfill a vital need for authentication of software distributed over the Internet in our interconnected world.

As the commonly referred to “Internet of things” continues to grow, consumers have access to millions of applications for their desktops, laptops, and mobile devices. Creative software engineers provide us with applications to cover any of our potential needs or interests. Cybercriminals and others with malicious intent recognize this as an opportunity and seek to trick us into installing malicious software (malware) — programs that hijack our computers, steal our money, or try to inflict harm.

Code signing certificates play a key role in helping users identify authentic software code from reputable publishers and receive the assurance that the code has not been tampered with beforehand.

Effectively, code signing certificates help create a “digital shrinkwrap” on the software. Not only do users benefit because the digital signature identifies the source of the code, but software publishers are also able to protect and safeguard the integrity of their brand.
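To make the "digital shrinkwrap" concrete, here is an added example (not code from the post, Entrust, or the CASC) of the two halves of code signing: the publisher signs a digest of the binary with a key whose certificate carries the code-signing extended key usage, and the installing side chains that certificate to a trusted root before checking the signature. The "Example Root CA" and "Example Software Inc" names are constructed stand-ins for a publicly trusted CA and a publisher; the root is generated locally only so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mustCert issues a certificate from a template and parses the DER back (errors ignored for brevity).
func mustCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}

// NewPublisher builds constructed example material: a local root CA (standing in for a publicly
// trusted CA), a leaf certificate with the code-signing EKU, and the publisher's signing key.
func NewPublisher() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := mustCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Software Inc"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca, &leafKey.PublicKey, caKey) // issued by the CA
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, leaf, leafKey
}

// Sign is the publisher side: an ECDSA signature over the SHA-256 digest of the binary.
func Sign(key *ecdsa.PrivateKey, binary []byte) []byte {
	h := sha256.Sum256(binary)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig
}

// Verify is the installing side: chain the leaf to a trusted root, require the code-signing EKU, then check the signature.
func Verify(binary, sig []byte, leaf *x509.Certificate, roots *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return false // untrusted issuer, expired, or wrong key usage: reject before looking at the signature
	}
	h := sha256.Sum256(binary)
	return ecdsa.VerifyASN1(leaf.PublicKey.(*ecdsa.PublicKey), h[:], sig)
}
```

A single changed byte in the binary, or a leaf that does not chain to the trusted pool, makes Verify return false, which is the tampering and impersonation protection the paragraph above describes.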

The CASC is starting an initiative to add information regarding code signing to our website. The use of code signing certificates is not as popular as using SSL certificates, but the risk might be greater.

To start the initiative off, we have created a white paper. This paper provides an overview of code signing, some configuration choices, and best practices. Please note that the white paper is introductory; the user of the code signing certificate will still have to understand which options are supported in their environment.

In the future, the CASC will discuss code signing problems, solutions and new industry developments.

Updated October 23, 2013: Download Entrust’s complimentary white paper, “What is Code Signing?,” to discover more about what these certificates do and how they work.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.