Tag Archives: Code signing

Adobe Code-Signing Certificate Compromised

October 3, 2012 by Bruce Morton     No Comments

Adobe announced they received two malicious utilities signed by a valid Adobe code-signing certificate. The code-signing certificate was compromised through an attack on their code-signing system. The code-signing certificate will be revoked on October 4, 2012, and will impact all code being signed after July 12, 2012. A supporting security advisory has been issued. The [Read More...]

Understanding SSL

August 7, 2012 by Bruce Morton     No Comments

Just thought I would let you know about a podcast called Sophos Techknow – Understanding SSL. Hopefully there won’t be much new for the regular readers of this blog, but the information may be valuable for those new to the SSL industry. I did want to make note of a few things. The podcasters discuss [Read More...]

Code Signing: Best Practices

July 27, 2012 by Bruce Morton     1 Comment

The biggest issue with code signing is the protection of the private signing key associated with the code signing certificate. If the key gets compromised, then your certificate is worthless. A compromised key may also jeopardize the software that you have already signed. Here are some best practices for code signing: 1. Minimize access to private [Read More...]

Self-Signed Versus Trusted CA Certificates

July 23, 2012 by Bruce Morton     No Comments

In most cases you have to sign your code in order to get it installed on the operating system. You can sign your code using a self-signed certificate or using a certificate issued by a publicly-trusted CA. Due to the costs of buying a code signing certificate from a publicly-trusted CA, some users will decide [Read More...]

What is Time-Stamping?

June 27, 2012 by Bruce Morton     No Comments

What happens to signed code when the code signing certificate expires? In many cases, an expired certificate means that the signature validation will fail and a trust warning will appear in the browser. Time-stamping was designed to alleviate this problem. The idea is that at the time at which the code is signed, the certificate [Read More...]

Code Installation Trust Decision

June 21, 2012 by Bruce Morton     No Comments

The code has been signed, the user has started installation, and verification has taken place. How does the user know whether or not to accept the code? Here is a typical code verification security warning: The user must make their trust decision based on the above. The statement provides the following: File Name: In this [Read More...]

How to Digitally Sign Code

June 18, 2012 by Bruce Morton     No Comments

Various application platforms support code-signing and provide different tools to perform the signing. Here is a list of the more common code-signing types and references as to where you can find guides for the given application. Adobe AIR Adobe – Digitally signing an AIR file Apple Mac OS X Developer Library – Code Signing and [Read More...]