Table of Content

Key Management Interoperability Protocol

Cybersecurity Frameworks

What is Code Signing? How does Code Signing work?

What is Code Signing? How does Code Signing work?

Code Signing is the process of using digital certificates to sign software, firmware, scripts, and executables to assure the end users and customers of the code’s integrity and authenticity. Developers and organizations digitally sign a code or apply a digital signature with a private key and a code signing certificate to assure users that the software originated from a trusted source and has not been altered or tampered with since it was signed.

If a code or software is tampered with after it has been signed, the digital signature that was attached will be invalidated, and the end-users will be warned not to trust this code or software. 

The software distribution cycle is often attacked or targeted by attackers, which is why code signing is very important. Code signing helps in protecting software integrity and authenticity to maintain the reputation of software and organizations. 

What is the Purpose of Code Signing? 

The primary purpose of code signing is to verify the origin of the code and ensure its integrity and authenticity. This process plays an important role in the digital security ecosystem, with multiple layers of trust and protection. The following are the purposes of code signing: 

  • Verifying Software Origin

    Code Signing authenticates the identity of the software publishers. A digital certificate that has been issued by a Trusted Certificate Authority is used and contains information about the publisher and the CA. The end-users can verify by checking the certificate for the software’s authenticity.

  • Ensuring Code Integrity

    Hash functions are used to ensure that the code has not been tampered with. When the software is signed, a unique hash value is generated from the code. After the code has been used, the hash is recalculated and compared to the original one. If no changes are detected, it will confirm that the code hasn’t been changed.

  • Enhancing User Experience and Trust

    Code Signing can reduce the number of security warnings and prompts during installation. If a software has been signed using a trusted certificate, the software won’t be flagged by the operating system as suspicious. This smooth user experience will improve user satisfaction.

Applications of Code Signing

There are several use cases of code signing, but these are the most critical ones:

  • Software Distribution

    Code Signing plays an important role in software distribution by making sure that the software downloaded from the internet is safe. Developers attach a digital signature to the software developed to guarantee its integrity and origin. Operating systems and modern web browsers stop or prevent unsigned software from being downloaded and installed in the users’ systems to prevent malware and other malicious code.

  • Updates and Patches

    Software updates and patches are very important for security and performance. So, code signing helps make sure the updates are from a legitimate source and aren’t tampered with. The signed updates are hashed and encrypted using the private key. An end user’s system verifies the hash using a public key to ensure the update’s integrity.

  • Device Drivers

    Device drivers are very important for enabling hardware components to communicate with the operating system. Code Signing drivers confirm the legitimacy and integrity of these device drivers, as signed drivers are useful in enhancing user confidence.

  • Mobile Applications

    Application stores like Apple’s App Store and Google Play require the developers to sign their applications before distribution. This, in turn, ensures the authenticity and integrity of the applications. These App Stores conduct frequent security checks on the signed applications to maintain a safer environment while downloading them.

How Does Code Signing Work?

Code Signing Working

Code Signing is a security technology used to provide assurance to end-users that the code downloaded is authentic and safe. Here is a detailed look into how the elements work together to secure software:

  • A public-private key pair and a Certificate Signing Request (CSR) are created for the publisher. A hash of the code is produced by passing it through a hashing algorithm, which creates a fixed-length digest of the file. This hash is a cryptographically unique representation of the file. The hash can be reproduced only using the unaltered file and the hashing algorithm was used to create the hash.  
  • The hash is passed through a signing algorithm using the publisher’s private key as an input. Information about the publisher and the CA is drawn from the code signing certificate and incorporated into the signature. 
  • The original code, signature, and code signing certificate are bundled together. The code signing certificate key is added to the bundle as the public key is required to authenticate the code when verified. The code is now ready for distribution and is packaged in a form allowing the user to verify authenticity. 

Why is Code Signing important?

Here is a detailed list of explanations of why code signing is important, along with some examples of attacks involving misused code signing: 

  1. Ensures Authenticity
    • Code Signing provides a digital signature that verifies the identity of the software publisher, ensuring that the software is authentic.
    • Prevents attackers from impersonating legitimate developers and distributing harmful software.
  2. Ensures Integrity
    • It ensures that the software has not been tampered with or altered after it has been signed. Even some minor modifications in the code will invalidate the signature and alert the end-users of potential issues.
    • Users can trust that the software they have downloaded and installed is exactly what the developer intended to do without any malicious modifications.
  3. Enhances Security
    • By verifying the source and integrity of the code, code signing helps protect users from downloading and installing malicious software.
    • Ensuring that the software distributed through various sources remains secure and untampered.
  4. Builds User Trust
    • Users are more likely to trust and install software that has been signed and is known to be from a verified source.
    • Signed code won’t trigger security warnings from the operating systems and security software and provides a smooth user experience.
  5. Compliance and Reputation
    • Code Signing is a regulatory requirement for many industries. This helps in ensuring compliance with security standards.
    • Developers and organizations who use code signing demonstrate their commitment to security, and this enhances their reputation.
  6. Supports Application Reputation Systems
    • Signed code can be more easily distributed through platforms and channels that require or prefer signed software.

A significant supply chain attack that targeted SolarWinds’ Orion software in 2020, also known as SolarWinds Supply Chain Attack, was due to misuse of code signing keys and certificates. Attackers infiltrated SolarWinds’ development environment and inserted malicious code into the Orion software updates, which were later signed by SolarWinds’ actual code signing certificates. This attack affected thousands of organizations around the world, leading to widespread data breaches and security concerns. 

Who Needs to Adopt Code Signing Practices? 

Code signing is used in any commercially packaged and distributed software. Trusted application stores, like the IOS AppStore or the Google Play Store, require code signing for a piece of software to be distributed on their platform. A lot of consumers will not download software unless it uses code signing, so even developers that aren’t on big-name platforms will implement code signing. 

There are several different types of certificates to use, depending on what systems the software being distributed works with. Desktop certificates include Microsoft, Java, Microsoft Office, VBA, and Adobe AI. Examples of mobile certificates are Windows Phone, Windows Phone Private Enterprise, Java Verified, Android, and Brew. 

Some examples of code-signed software are Windows applications, Windows software updates, Apple software, Microsoft Office VBA objects and macros, .jar, .air, and .airi files, and any type of executable file. For IOS applications, code signing uses Xcode. To upload software to the iTunes store, the user must have a valid Apple Developer ID with a valid certificate or profile before Xcode will sign the software. 

To integrate an application, the developer will need to use a development certificate. In order to run the app on any device, a distribution certificate must be used to send out the app and test it. Other platforms, like Windows, just require the use of a trusted certificate authority. C# and Visual Studio also offer their own code signing solutions. 

Timestamping 

In a scenario where you need to prove the date a certificate was signed, even if the certificate has expired, timestamping is crucial. 

The date and time of software signing are specified by including a timestamp, which is information added to a digital signature. Generally, a code signing certificate is valid for 1 to 3 years. The certificate expires once the validity period of the certificate is over; in this situation, if the timestamp is not applied, the digital signature becomes invalid, therefore raising the security warnings. 

The objective of timestamping is to verify the legitimacy and authenticity of the code signing signature even after the certificate utilized for signing expires or is revoked. It indicates when the code was signed and tells the software consumer if the code was valid at the time of signing.  

In conclusion, timestamping is a powerful tool that extends trust in digital signatures, regardless of the certificate’s expiration or revocation. Providing a clear indication of when the code was signed ensures the software consumer can always verify the code’s validity at the time of signing. 

Hash Signing or Client-Side Hashing 

Hashing or Client-Side Hashing is an important component in the code signing process. It increases security by ensuring that the code remains unaltered and authentic. Here is a detailed explanation of the term hashing: 

  1. Key Concepts of Hashing
    • In hash signing, a unique hash is created from the code before it is signed, which is later signed with the private key.
    • The main goal is to ensure the integrity and authenticity of the code. If there is any alteration in the code, the hash will change and make the signature invalid.
  2. Process of Hashing
    • Generate the Hash: A cryptographic function (e.g., SHA-256) is used to produce a hash value from the code. It is a fixed-length string that uniquely represents the code’s contents.
    • Sign the Hash: The developer’s private key is used to create a digital signature of the hash value generated. This signature connects the hash to the signer or developer’s identity.
    • Distribute the Signed Code: The signed hash generated above is bundled with the public key and distributed along with the code. This public key is used to verify the signature.
  3. Benefits of Hash Signing
    • Efficiency: As only the hash value is signed, and not the entire code, computation overhead decreases. Also, the verification is faster, too, as the hash value is much smaller than the actual code.
    • Security: No two pieces of code will produce the same hash, which makes hash functions – collision-resistant. Any changes in the code will lead to a different hash value, making tampering detectable.
    • Integrity Verification: End-users can verify the code’s integrity by generating a hash from the downloaded code and comparing it with the signed hash. If both the hashes match, the code will be verified as unaltered.

How to Digitally Sign Code? 

Digitally signing a code is very important for ensuring authenticity and integrity. This process involves obtaining a code signing certificate, using it to sign the code, and then distributing this signed code securely. Our code signing platform – CodeSign Secure, streamlines these processes, and here’s the detailed explanation: 

  • Obtain a code signing certificate through CodeSign Secure. We partner with trusted certificate authorities, and you need to complete their application process after identity verification and payment and after generating a CSR from our platform. You can also generate a self-sign certificate from our platform after entering the necessary details.
  • Install this code signing certificate in your environment using EC KSP (provided inside CodeSign Secure). Ensure that your code is in its final form and ready for distribution. CodeSign Secure integrates with tools like Microsoft SignTool, Oracle’s JarSigner, and so on for creating a digital signature with your private key which is present in a FIPS 140-2 Level 2 or higher HSM.

Self-signed vs. Publicly Trusted Code Signing Certificates

The difference between self-signed and publicly trusted code signing is important for making decisions about software security. 

Self-Signed Certificates

  • Creation: These certificates are created internally without any external validation. These are mostly created by the developers using a code signing platform.
  • Trust Level: These aren’t trusted by operating systems or browsers by default; that’s why these often face security warnings when installing the signed software.
  • Cost: These certificates are free to create as they do not require payment to any Certificate Authority (CA). These are suitable for internal or development use when global trust is not required.
  • Use Cases: Self-sign certificates are ideal for testing and internal development purposes where the focus is mainly on functionality rather than trust.
  • Limitations: External users will have issues using the software due to many security warnings. And without trusted validation, distributing the software to a greater audience will be difficult.

Publicly Trusted Certificates 

  • Creation: These certificates are issued by a trusted Certificate Authority (CA) after a thorough verification process of the receiver. But before that, it is required for the recipient or receiver to generate a Certificate Signing Request (CSR) from a code signing platform like CodeSign Secure.
  • Trust Level: These certificates are trusted by many or almost all operating systems and browsers. Also, these certificates remove security warnings during software installation.
  • Cost: Depending on the CA and the level of validation, cost can vary. The different types of certificates are – Standard, Organization Validation, and Extended Validation, with different levels of assurance.
  • Use Cases: These certificates are important for software distribution to the end-users, which means broad acceptance and trust. These enhance the credibility and user trust in open-source software.
  • Benefits: Publicly trusted certificates provide assurance that the software is authentic and has not been tampered with, as these reduce the risk of tampering or malicious software being accepted by the user. These meet industry standards and regulatory requirements for software distribution.

Application Reputation

Code Signing enhances an application’s reputation by providing its authenticity and integrity. This process offers numerous advantages, a few of them in detail are: 

  1. Authenticity and Integrity
    • Verification: Code signing helps verify that software comes from a legitimate source and that it has not been altered after signing.
    • Tamper-Proof: Even a slight change in the code after signing invalidates the signature attached to it. This helps in identifying indications of tampering.
  2. Fewer Security Warnings
    • Trusted Publishers: Operating systems and browsers only trust code signed by publicly or globally trusted CAs, which leads to fewer security warnings.
    • Enhanced User Experience: Users are less likely to encounter security alerts, which will lead to a smoother installation process and better user experience.
  3. Higher User Trust
    • Confidence: Users will gain confidence in the software when they know that it has been verified by a trusted third party.
    • Positive Perception: If a digital signature is attached to a code, that will improve the overall perception of the software and make it appear more professional.
  4. Mitigation of Malware and Phishing Risks
    • Reduced risk of malicious software: A signed code is less likely to be flagged as malware, which reduces the risk of false positives and ensures legitimate software is not mistaken for a threat.
    • Protection against phishing: Code signing helps protect against these kinds of attacks by verifying that the software has originated from a legitimate source.
  5. Boost in Application Reputation
    • Reputation Score: Code signing has a positive impact on an application’s reputation score on various platforms, leading to higher visibility and downloads.
    • Endorsement: The endorsement of a CA acts as a seal of approval, which also means that the software meets specific security standards.
  6. Compliance and Certification
    • Regulatory Requirements: Many industries have regulatory requirements for software security, and code signing helps meet those standards, ensuring compliance.
  7. Competitive Advantage
    • Market Differentiation: It can differentiate your software from competitors by highlighting its commitment to security and authenticity.
    • Customer Loyalty: Higher trust and fewer security concerns will lead to increased customer loyalty and retention.

Code Signing Best Practices

Here are the detailed best practices to follow: 

  1. Keep Private Keys Secure
    • Use Hardware Security Modules (HSMs): These cryptographic devices store the private keys in HSMs to protect them from theft and unauthorized access. These provide a tamper-resistant environment, which ensures keys are securely managed and never exposed.
    • Secure Environments: Private keys should be maintained in a secure and isolated environment. Access to these keys should be limited and should only be granted after using strong, complex passwords and MFA.
    • Regularly Rotate keys: Organizations should implement key rotation policies to replace keys periodically, which reduces the risk of keys getting compromised. Also, it is preferable to regularly audit key usage and update keys.
  2. Regularly Update Certificates
    • Certificate Renewal: Organizations should track the expiration dates of their code signing certificates and renew them before they expire to maintain trust and continuity.
    • Up-to-date Algorithms: Organizations or developers should ensure that the latest and most secure cryptographic algorithms are used in the certificates. They should use strong options like SHA-256 or SHA-3.
  3. Use Timestamping
    • Validity beyond expiry: Timestamping is applied to your digital signature to ensure it remains valid even after the certificate expires. These provide verifiable proof of the signature’s creation date and ensure long-term trust.
    • Trusted Timestamp Authorities: Organizations and developers should utilize trusted and reputable timestamp authorities (TSA) to add timestamps to their signatures. Also, they should first make sure that the TSA’s certificate is globally trusted.
  4. Monitor for Unauthorized Use
    • Certificate Usage Tracking: Use proper tools to monitor the usage and operations of your code signing certificates, like CodeSign Secure. Our tools allow you to set up alerts for unauthorized or unusual activities.
    • Audit Logs: It is highly recommended that detailed logs of all code signing activities be maintained, including who signed the code, when it was signed, and what was signed. Use CodeSign Secure for these detailed logs with intricate timestamping of these events. These audit logs should be regularly reviewed for any suspicious or unauthorized activities.
    • Revocation: Compromised or misused certificates should be revoked immediately.
  5. Boost in Application Reputation
    • Reputation Score: Code signing has a positive impact on an application’s reputation score on various platforms, leading to higher visibility and downloads.
    • Endorsement: The endorsement of a CA acts as a seal of approval, which also means that the software meets specific security standards.
  6. Compliance and Certification
    • Regulatory Requirements: Many industries have regulatory requirements for software security, and code signing helps meet those standards, ensuring compliance.
  7. Competitive Advantage
    • Market Differentiation: It can differentiate your software from competitors by highlighting its commitment to security and authenticity.
    • Customer Loyalty: Higher trust and fewer security concerns will lead to increased customer loyalty and retention.

Conclusion 

Code signing is a vital process for ensuring the authenticity and integrity of software. It protects users from malicious changes and confirms the software’s source. By following best practices and using trusted certificates, developers and organizations can protect their code, build user trust, and enhance the security of their software distribution processes.  

Encryption Consulting’s CodeSign Secure platform simplifies and secures the code signing process. We partner with trusted Certificate Authorities (CAs) and offer a user-friendly interface – CodeSign Secure for obtaining and managing code signing certificates simply. Our platform supports various signing tools like Microsoft SignTool, jarsigner, and even CI/CD Pipelines like – Jenkins, Azure DevOps, GitLab, and so on, ensuring compatibility with different development environments.  

Additionally, CodeSign Secure supports timestamping, which ensures your digital signatures remain valid even after the certificate expires. This feature enhances long-term trust and compliance. By securely distributing signed code via official websites, app stores, or trusted repositories, CodeSign Secure helps maintain the highest standards of software integrity and user confidence. 

Integrating Encryption Consulting’s CodeSign Secure into your development workflow not only safeguards your software but also elevates your reputation in the marketplace.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo