What is Code Signing?

— Riley Dickens, consultant, Encryption Consulting

When downloading software from the Internet, consumers must always be wary of third parties masquerading as the developer of the software. With a resource like code signing, users can be assured the software they are downloading is from a safe source. Code signing is an operation where a software developer or distributor digitally signs the file being sent out, to assure users that they are receiving software that does what the creator says it will. The signature also acts as proof the code has not been tampered with or modified from its original form.

Code signing has become more and more important for software developers and distributors. An attacker can easily mask themselves as a legitimate source to plant malware on a victim’s computer. Code signing assures these types of attacks cannot occur, as long as users only download software deemed safe by their operating system. Nowadays, when software is downloaded onto a computer, the operating system checks for the digital certificate created through code signing, to assure the safety of the software that will be installed. If no digital certificate is found, then the user is alerted to this fact, and prompted to either download the software anyway, or stop the download process.

The digital identities used to validate the authenticity and integrity of applications, firmware, and software must be properly managed and protected. Weak digital certificate management can easily lead to the degradation of application integrity or malicious actors exploiting these assets as a means of attack.

Join Encryption Consulting and Futurex for a webinar on December 9, where will discuss the potential ramifications of such attacks, how they can be mitigated, and how organizations can evolve existing code signing islands into a secure, well-defined process.

How Code Signing Works

Code signing has several steps, shown above and described below.

• A unique key pair must first be created. The key pair is a public-private key pair, since code signing utilizes public key cryptography.
• Once the key pair is created, the public key is sent to a trusted certificate authority, or CA, which verifies that the key belongs to the owner and returns the public key to the software developer, along with a digitally signed certificate. The certificate, with the attached public key, confirms the trustworthiness of the developer and any software they create.
• Now that the public key and a digital code signing certificate have been returned, the code of the software is run through a hash function. A hash function is a one-way function which turns the entered text into an arbitrary mixture of values that cannot be reversed. This provides a value to compare with when the data is sent to the consumer.
• The output, or digest, is then encrypted by the private key. The reason the private key is used for encryption, as opposed to the public key, is because the developer wants anyone to be able to read the message, but no one to be able to tamper with it.
• The digest, code signing certificate, and hash function are now combined into a signature block and placed into the software, which is sent to the consumer.

When the software is received, the consumer’s computer first checks the authenticity of the code signing certificate. Once the authenticity is confirmed, the digest is then decrypted with the public key of the originally created key pair. The hash function is then used on the software’s code, and the resulting digest is compared to the digest sent by the developer. If the digests match, then the software is safe to install.

As tactics for misleading Internet users evolve, so too do the methods for protecting those users. Code Signing offers a method of stopping the distribution of malicious software to vulnerable individuals, as long as warnings of a lack of a code signing certificate are heeded. This authentication acts as a two-way street, with code signing promoting trust on both sides of the exchange. Not only can the user trust the sender, but the developer can also trust their software got to the correct location and is not being misused.

Don’t Miss the Webinar on December 9

To learn more, register for our webinar with Encryption Consulting and Futurex on Wednesday, December 9 at 11:00 a.m. CT.