What is Code Signing?
Code signing is a process of digitally signing software, firmware, or mobile applications to assure the end users of their authenticity and integrity. Developers digitally sign the code with a private key and a code signing certificate that serve as proof that the code originates from a verified source and has not been tampered with since it was signed. This helps end users trust the software they are installing or running. If the software or code is tampered with after it has been digitally signed, the digital signature will invalidate and users will be warned not to trust the code/software.
- What is code signing?
- What is the purpose of code signing?
- Applications of code signing
- How code signing works?
- Why is code signing important?
- What are the benefits of code signing?
- Who needs to adopt code signing practices?
- What is Timestamping?
- What is hash signing or client side hashing?
2. What is the purpose of code signing?
Protect software and applications at every stage of their lifecycle – development, build, distribution, and maintenance – and foster customer trust by providing proof of:
-
- authenticity – the signer is verified and legitimate
- integrity – the software hasn’t been altered since signing
- non-repudiation – the signer cannot deny having signed the file
2023 EMA Report: SSL/TLS Certificate Security-Management and Expiration Challenges
3. Applications of code-signing
There are several enterprise use cases where code signing is used:
- DevOps: To ensure that the software artifacts, such as compiled code, containers, or PowerShell scripts are signed before being deployed to production environments.
- SecOps: To ensure that all software running within the organization is properly signed and comes from trusted sources.
- Software Distribution: To sign desktop applications, mobile apps, or software updates to allow users to verify its authenticity and integrity of software.
- Software Development Kits (SDKs) and Frameworks: To sign SDKs and frameworks that are distributed to developers. By signing these components, developers can verify their authenticity and ensure they have not been tampered with.
- Infrastructure Provisioning: To validate and verify the integrity of configuration scripts, automation code, or infrastructure-as-code templates.
- Virtualization and Cloud Environments: To validate the integrity of virtual machine images, containers, and cloud-based software components.
- Software Integration and APIs: To sign software integration modules or API libraries and ensure that the code used to connect different systems or services is trustworthy and has not been tampered with.
- IoT Security: To sign firmware and ensure that IoT devices remain secure throughout their lifecycle
4. How Code Signing Works?
Signing the software (on developer’s end)
- A software developer at an organization writes the code and prepares it for distribution.
- The software developer generates a public-private key pair and then applies for a code signing Certificate (on behalf of their organization) from a trusted Certificate Authority (CA). The Certificate Authority verifies the organization’s legitimacy and issues a digitally signed code signing certificate including a public key to the organization. This certificate serves as proof for the organization’s identity. The private key associated with the code signing certificate must be generated and remain secured on compliant hardware (FIPS level 2 HSM or crypto token).
- The next step in the code signing process is to generate a hash value of the software code to be signed. A hash function (such as SHA-256) is used to convert the code to be signed into a unique fixed-length string. This output of hashing is called a digest or hash value.
- The digest is then encrypted with the private key from the code signing certificate.
- The encrypted digest, organization’s code signing certificate (containing the public key), and the hash function are combined into a digital signature that is appended to the code. This signature is unique to the code and the signer and provides the integrity and authenticity of the software.
- Once the digital signature is applied, the software is ready for distribution or publishing.
Verifying the software (on consumer’s end)
- When users receive the software and attempt to install it, the Operating System on their computers checks the authenticity of the code signing certificate and then decrypts the digest with the public key (included in the code signing certificate). This is kept aside for comparison.
- Next, the OS calculates a new hash for the code and the resulting hash digest is compared to the original decrypted hash digest (the one that was kept aside). If the digests match, then the OS will indicate that the software has not been modified or altered since it was signed and it is safe to install.
5. Why is code signing important?
If a software is released without being signed, there is no means for end users to verify its authenticity and integrity of code. Software users need to be able to verify that the code came from an authentic and verifiable source. Developers need to be able to protect and confirm the integrity of their code, proving that it was not tampered since it was signed.
Without the code signing and verifying that the software comes from a legitimate publisher, any malicious actor could impersonate your brand and fool users into downloading malware. Also, developers would not be able to guarantee the integrity of their code.
code signing is crucial in order to prevent malware injection, software and code tampering, and impersonation attacks that cause:
- Security threats – i.e. Ransomware
- Data breaches
- Compliance issues and penalties
- Financial losses
- Reputational damage
Examples of attacks involving misuse of code signing keys and certificates
- SolarWinds – The attackers compromised SolarWinds’ software build process, injecting malicious code into legitimate software updates (The SolarWinds Orion Platform), which triggered a widespread software supply chain attack, compromising the data and systems of more than thirty thousand organizations.
- Codecov Software Supply Chain Attack (January 2021) – Attackers gained unauthorized access to Codecov’s infrastructure and modified the bash uploader script via a docker image. This allowed them to extract sensitive credentials and customer information from Codecov’s systems.
- Docker Hub Cryptocurrency Mining Attack – The attackers tampered with a specific Docker image and included a cryptocurrency mining script. When users pulled and executed this image, their systems became unwitting participants in a large-scale cryptocurrency mining operation.
- Event-Stream NPM Package Attack – The attackers gained control of the “event-stream” package during a code ownership transfer and injected malicious code into the package for a highly targeted software supply chain attack.
6. What are the benefits of code signing?
- Ensures Security – By ensuring that the code is not altered or corrupted since it was signed, code signing validates the software integrity and reduces the risk of downloading malware or malicious code, therefore helping to prevent cyber attacks and securing the software supply chain.
- Promotes User Trust – Establishes the authenticity of the software, building trust and confidence between end users and software providers, leading to increased adoption.Ensures Compliance – Helps adhere to security policies and compliance regulations around software development and consumption.
- Upholds Brand Reputation – Helps improve the reputation of software developers and distributors by demonstrating their commitment to security and user safety.
- Protects Intellectual Property – Protects the intellectual property of developers and prevents unauthorized use, theft or distribution of their software.
7. Who needs to adopt code signing practices?
Any organization that produces software of any kind. It is used by software developers and distributors.
Secure A Zero Trust Future With An Integrated, Human-Machine Identity Security Approach
8. What is Timestamping?
A time stamp is a piece of information included in the digital signature that indicates the date and time the software was signed. The validity of a code signing certificate is generally from 1 to 3 years. Once the validity period is over, the certificate expires, and the digital signature becomes invalid if a timestamp is not applied, raising security warnings. Timestamping provides a means to verify the legitimacy of the code signing signature even after the certificate used for signing expires or is revoked. A time stamp tells the software consumer when the code was signed and if the certificate was valid at the time of signing. Time stamping is an excellent way of extending trust regardless of the certificate validity period.
9. What is hash signing or client side hashing?
Hash signing or client side hashing is a process where the client hashes the code to be signed and uploads the hash to the signing service instead of uploading the code source file directly. This approach not only reduces the performance latency that is caused by uploading a large size file but also enhances security by not exposing the source code to external environments.
Let’s get you started on your certificate automation journey