When an end-user’s browser loads the code, it checks the authenticity of the software using three inputs: the signer’s public key (carried in the publisher’s certificate that ships with the code), the signature, and a hash of the file it actually received. If the signature verifies, the browser accepts the code as genuine. If it does not, the browser either warns the user or rejects the code outright, depending on the security level configured. Note that a valid signature only establishes who signed the code and that it has not changed since; it says nothing about whether the code itself is safe.
The signature is verified as follows:
- The received code is passed through the hashing algorithm named in the signature (for example SHA-256), producing a fresh hash
- The publisher’s public key is extracted from the certificate in the bundle and applied to the signature; for an RSA signature this literally recovers the hash that was computed when the file was signed (other schemes instead confirm that the signature was produced over that hash)
- The validity period of the publisher’s certificate is checked, so that a certificate used outside its notBefore/notAfter window is rejected
- The certificate is checked against the issuer’s revocation information (a CRL or an OCSP response) to be sure it has not been revoked
- The two hashes are compared; if they are equal, the code has not changed since it was signed and the signature is considered valid
- If every check passes, the file is accepted by the browser; if any check fails, the browser displays a trust dialogue like the one shown above, and a single changed byte in the file is enough to make the hash comparison fail