Code signing | How does it work?
With code signing, you authenticate and verify software applications. Let's take a closer look at the technology behind a digital certificate and some best practices for digitally signing your applications.
Published by
Simone Catania
Date
Users and organizations worldwide expect high-level security and smooth processes. A digital certificate offers a concrete solution. It ensures integrity and verifies the identity of software publishers, thereby protecting your digital space. Whether you are a Chief Technology Officer (CTO), a Chief Security Officer (CFO), a technical manager who deploys IT verification processes or an engineer who signs and verifies applications, you should take the time to learn how using a code signing certificate can boost confidence and trust around your digital product.
What is a digital certificate?
Digital certificates nowadays are standard products in the professional digital space. They can be compared to electronic credentials since they contain all relevant information to verify the identity of an individual, organization or system.
You probably already know about S/MIME certificates to secure email communication or TSL/SSL for authenticating network connections. They all fall into the digital certificate category and are described within the framework of public-key or asymmetric cryptography. This system, also used by technologies like IPsec or Bitcoin, consists of a pair of keys:
- public keys (openly distributed)
- private keys (kept confidential by the owner)
In the centralized trust model of the public-key infrastructure (PKI), digital certificates are issued by Certification Authorities (CA), organizations whose primary role is to digitally sign and publish public keys.
InterNetX is happy to be Premium Elite Partner DigiCert, the most recognized and trusted Certificate Authority (CA) worldwide.
X.509 standardizes digital certificates
Public-key certificates are standardized by X.509. This standard defines the format of digital certificates containing a public key and an identity. According to X.509 v3, a digital certificate has the following structure:
Code signing: digital protection for intellectual property
A code signing certificate falls into the category of digital certificates. This method is used to digitally sign a wide range of executable files and scripts, such as applications, Java applet, installation packages, script, MS Office macro, dynamic libraries, device drives, etc. It validates the publisher’s digital signature to ensure authenticity and verifies integrity, e.g. it checks software components have not been hacked. If the code has been tampered with after the author’s signature, the public key might alert the operating system of the changes. These certificates are not only used for offline code – applications and software distributed over the internet can be digitally signed as well.
This is how code signing works
This process offers high-level security by digitally signing the code. Code signing certificates use a unique cryptographic hash to bind the publisher’s identity to the software. The developers tag the code with the private key, while the operating system will retrieve the developer’s public key to verify the company’s identity.
Although a code signing certificate is quite similar to other digital certificates, it has some peculiar features. For example, at the moment of its generation, the key usage field can indicate “code signing” only, i.e. this certificate can be used only for this purpose and therefore cannot be exchanged or transferred. But above all, while S/MIME and SSL certificates encrypt the data in transit, a code signing certificate attaches the digital signature and does not encrypt, but hashes the executable, so any changes can be detected.
This is why you should use a code signing certificate
Do you know that most operating systems show a warning when installing unsigned software? This undoubtedly deters users from downloading your application. You should employ a code signing certificate for these two essential reasons: integrity and authenticity.
1. To ensure the integrity of the code
Today everything is distributed online, so it is imperative to put security first and make it visible. Make sure your users know they are dealing with harmless code. The certificate ensures that the source code has not been tampered with during the signing process. Still, code signing cannot guarantee the quality or functionality of applications themselves. The code can still contain vulnerabilities, but with the certificate you are showing you care about quality and are ready to fix any flaws.
2. To guarantee the authenticity of the publisher
The code signing certificate guarantees who the author of the application is and this is visible to the user. It helps the user during the decision stage when it comes to using or installing unknown software. You can use it to distribute applications securely and gain trust.
Six suggestions for a successful code signing process
While we strongly recommend always following best practices for security, it is important to be careful when dealing with the code signing process as well. If you want to apply a digital certificate to your applications, follow these steps to safely generate and store private keys.
1. Keep track of all operations
Start by recording all operations from the start as well as any changes during the code signing process. This is best practice and can help significantly for audits or investigations.
2. Verify the code and check for viruses before signing it
Before digitally signing and releasing any code, you should always validate it first. Establish a strict verification process that includes a virus scan within your organization so that, when you submit your code for signing, it is free from undesired effects and vulnerabilities. All of this applies to third-party libraries incorporated into your code as well.
3. Always timestamp the signed code
By applying the timestamp to the code, you will validate it even beyond the expiration or revocation date of the code signing certificate. This is because a timestamp freezes the digital signature, showing that the code was valid when the certificate was generated.
4. Restrict access to private keys
Access to private keys must be restricted to authorized personnel only in order to maintain confidentiality and information security. Restrict connection to the devices used for the code signing process. Adopt appropriate physical security measures and restrict access to the code signing keys.
5. Use hardware cryptographic devices to protect private keys
If stored in software, private keys are highly vulnerable to security attacks. Protect your code signing keys in cryptographic devices such as a smart card or a USB token. Make sure your hardware is protected by a PIN or passphrase and stored safely.
6. Revoke compromised certificates
If a compromised private key, malware, or suspicious code is detected, the CA should be notified and the certificate revoked.
Choose the certificate which best fits