How useful are Client-Side Hashing in Code Signing for you?

Read time: 7 minutes

Let’s define Code signing in brief.

Code signing is a method of putting a digital signature on a file, document, software, or executable to test its authenticity and genuineness in regards to the functionality and features that it provides. This also ensures that the software entity (file, document, software, or executable) is not tampered with while in transit.

Code signing can be implemented in two ways: Client-side signing & Server-side signing.

Both mentioned Code signing methods that were popular until the SolarWinds’ attack came into the limelight and post that Client-side signing became the talk of the town as this doesn’t require to upload/move the signing files, hence preventing the attacks where malicious code is also getting signed as part of the original file/entity signing.

Time to understand the hashing function first:

The hashing algorithm is the cryptographic function that generates a fixed-length output that is called digest or hash value from a given input that may be of arbitrary size. The hash function has a property to generate a unique and one-way/non-reversible output which means we can’t get to the original input value by doing a reverse hash operation.

Let’s look at a hashing algorithm example with a simple hash function:

In the example above, a cryptographic hash function SHA-256 is shown that converts the arbitrary data into a fixed-size 256-bit hash value.

Now, let’s understand the Server-side Code signing in detail.

The following steps are performed while signing the code or any executable in a Server-side signing fashion:

1. A unique key pair is generated and based on this key pair a CSR (Certificate Signing Request) is generated by a requester/developer.
2. The CSR is sent to CA (certificate authority) with a code signing template.
3. CA issues the certificate post validation and returns the code signing certificate with the public key to the requester.
4. The code/executable to be signed is uploaded to the Code signing server by the requester.
5. Once the code/executable is uploaded, the hash value of the code/executable is calculated with the help of any cryptographic hash function and since this hash value is computed on the server-side, hence the name Server-side hashing.
6. The computed hash value is signed by the corresponding private key issued to the requester results in the digital signature.
7. The digital signature, code signing certificate, and hash function information are now combined into a signature block and placed into the software, which is sent to the receiver/consumer.
8. When the code/executable is received, the consumer’s computer first checks the authenticity of the code signing certificate.
9. Once the authenticity is confirmed, the digest is then decrypted with the public key of the created key pair.
10. The hash function is used on the code/executable to calculate the digest.
11. The resulting digest is compared to the digest sent by the requester. If the digests match, then the software is safe to install.

Let’s understand the Client-side signing in detail.

The following steps are performed while signing the code or any executable in a Client-side signing fashion:

1. A unique key pair is generated and based on this key pair a CSR (Certificate Signing Request) is generated by a requester/developer.
2. The CSR is sent to CA (certificate authority) with a code signing template.
3. CA issues the certificate post validation and returns the code signing certificate with the public key to the requester.
4. The hash value of the code/executable is calculated with the help of any cryptographic hash function at the client end itself. Since this hash value is computed at the client-side, hence the name Client-side hashing.
5. The hash value only i.e., digest of the code/executable to be signed is uploaded to the Code signing server by the requester.
6. The computed hash value is signed by the corresponding private key issued to the requester results in the digital signature.
7. The digital signature and hash function information is sent back to the client.
8. The digital signature, code signing certificate, and hash function information are now combined into a signature block and placed into the software at the requester/developer end.
9. When the code/executable is received at the consumer end, the consumer’s computer first checks the authenticity of the code signing certificate.
10. Once the authenticity is confirmed, the digest is then decrypted with the public key of the created key pair.
11. The hash function is used on the code/executable to calculate the digest.
12. The resulting digest is compared to the digest sent by the requester. If the digests match, then the software is safe to install.

Conclusion

Code signing has become a quintessential requirement for software developers and the reason is code signing ensures trust among users to install the software without worrying about anything. Although both the Code-signing methods are used in the industry to date, however, SolarWinds’ attack changed the code signing landscape in the industry a lot. Now, the client-side signing is a preferred choice considering the fact that it provides a significant advantage in terms of remote digital signature generation, reducing the overall bandwidth requirement due to only hash value upload, and avoiding the attacks of malicious code signed due to no code file movement within the environment.

Resources: www.encryptionconsulting.com/education-center/what-is-code-signing/