What is Code Signing?
From Wikipedia, “Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.”
In order to sign the code, the publisher needs to generate a private-public key pair and submit the public key to a certification authority (CA) along with a request to issue a code-signing certificate. The CA verifies the identity of the publisher and authenticates the certificate request. The CA bundles the identity of the publisher with the public key and signs the bundle, creating the code-signing certificate.
Armed with the code-signing certificate, the publisher is ready to sign the code. When the code is signed, several pieces of information are added to the original file. This information is used by the recipient’s browser to authenticate the publisher and check for code tampering. The entire sequence takes place as follows:
- A hash of the code is produced
- Public-key algorithms are inefficient for signing large objects, so the code is passed through a hashing algorithm creating a fixed-length digest of the file
- The hash is a cryptographically unique representation of the file
- The hash is only reproducible using the unaltered file and the hashing algorithm that was used to create the hash
- The hash is signed using the publisher’s private key
- The hash is passed through a signing algorithm using the publisher’s private key as an input
- Information about the publisher and the CA is drawn from the code-signing certificate and incorporated into the signature
- The original code, signature and code-signing certificate are bundled together
- The code-signing certificate key is added to the bundle as the public key is required to authenticate the code when it is verified
Following this process, the signed code is ready to be distributed and verified.