
What is Code Signing?

Code signing is simply a guarantee that the code of a program or software download has not been corrupted or tampered with after it was signed by the publisher. This is a short explanation, so in the following sections, we’ll explore how code signing works and why it’s important.

Just as you want to be certain when you log into your bank account that you’ve given your password to the intended bank and not a man-in-the-middle attacker, it’s best to be sure that the programs and updates you download are safe and come from the authentic publishers. To do that, we use the same public key infrastructure.

What are the Benefits of Code Signing?

Code signing is a method of putting a digital signature on a program, file, software update or executable, so that its authenticity and integrity can be verified upon installation and execution. Like a wax seal, it guarantees to the recipient who the author is, and that it hasn’t been opened and tampered with. Microsoft developers, programmers and software engineers use code signing to prove, for instance, that your Windows 10 update came from Microsoft, and not a hacker who is trying to compromise your computer.

Code signing is what allows you to be sure you are downloading a file from the right author/publisher instead of an attacker who wants to take your information and data. Essentially, it lets you know that the code hasn’t been changed by a bad guy, so you know it’s safe to install and run on your machine.

What are Some Examples of Code Signing?

If you’ve ever seen that little popup that comes up when you try to run a program you’ve downloaded, the one that lists who the publisher is and asks “Are you sure you want to run this?” then you have seen code signing in action. That dialogue box is telling you that it really is a software patch for your Mac OSX from Apple Inc., and that it’s still in the same condition it was when they signed it.

How Does Code Signing Work?

From a developer’s point of view, there are 3 major components involved in the process of code signing: 1) code signing certificates 2) code signing applications 3) unsigned software files. The code signing applications usually come with the operating systems such as Microsoft Windows, Mac OSX, etc. The code signing certificates are often from Certificate Authorities (CAs). Let’s take a closer look at how the process works as well as at the key concepts that are involved.

What are Code Signing Certificates?

Before the developers can sign their work, they need to generate a public/private key pair. This is often done locally through software tools such as `openssl`. Developers then give the public key and the organization’s identity information to a trustworthy CA. The CA verifies the authenticity of identity information and then issues the certificate to the developer. This is the code signing certificate which was signed by CA’s private key and contains the developer organization’s identity and the developer’s public key.

When developers are ready to “sign” their work to establish authorship, they take all the code they wrote, and they hash it. The resulting hash value is then encoded using the abovementioned private key (usually generated by the author) and packaged together with the code signing certificate that contains the public key and the identity of the author (proving the authorship). The output of this process is then added to the software to be shipped out.

This constitutes a code signing operation. The public key of the CA is already pre-installed in most browsers and operating system trust stores. When a user downloads the software, they use the CA’s public key to first verify the authenticity of the code signing certificate embedded in the signed software to confirm that it’s from a trustworthy CA. The developer’s public key is then extracted from the certificate and used to decrypt the encrypted hash.

Then, the software is hashed again, and the new value is compared to the decrypted one. If the user’s hash value and the developer’s hash value match, then the software hasn’t been corrupted or tampered with during transmission. The user is then alerted that the software is as the developer last left it, and (if the developer is to be trusted) it’s safe to install and run.
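The signing and verification steps described above, as an added example that is not part of the original page. It uses the `openssl` command line with a constructed stand-in CA, publisher and "software" file; all subject names, file names and function names are assumptions made for the demo. `openssl dgst -verify` performs the "hash again and compare" step in a single call.

```shell
#!/bin/sh
# Added illustration; every subject name and file below is constructed.

# make_publisher DIR: stand-in CA, developer key pair and CA-issued certificate.
make_publisher() {
  d=$1
  # Stand-in CA; its self-signed certificate plays the role of a trust-store entry.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Developer generates a key pair locally; public key + identity go to the CA as a CSR.
  openssl req -newkey rsa:2048 -nodes -subj "/O=Demo Publisher/CN=Demo Publisher" \
    -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null || return 1
  # CA signs the request with its private key and marks the certificate for code signing.
  printf 'extendedKeyUsage = codeSigning\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -out "$d/dev.crt" 2>/dev/null
}

# sign_file DIR FILE: hash FILE with SHA-256, sign the digest, write FILE.sig.
sign_file() {
  openssl dgst -sha256 -sign "$1/dev.key" -out "$2.sig" "$2"
}

# verify_file CA_CERT DEV_CERT FILE: the user-side checks, in the order given above.
verify_file() {
  # 1. Was the publisher certificate issued by the CA we trust?
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo UNTRUSTED_CERT; return 1; }
  # 2. Extract the developer's public key from the certificate.
  pub=$(mktemp)
  openssl x509 -in "$2" -pubkey -noout > "$pub"
  # 3. Re-hash FILE and check the signature against that fresh hash.
  if openssl dgst -sha256 -verify "$pub" -signature "$3.sig" "$3" >/dev/null 2>&1
  then rm -f "$pub"; echo VALID
  else rm -f "$pub"; echo TAMPERED; return 1
  fi
}

demo() {
  w=$(mktemp -d)
  make_publisher "$w" || { echo "openssl failed"; return 1; }
  printf 'echo "release 1.0"\n' > "$w/app.sh"   # constructed "software"
  sign_file "$w" "$w/app.sh"
  echo "as shipped: $(verify_file "$w/ca.crt" "$w/dev.crt" "$w/app.sh")"
  printf '# one changed line\n' >> "$w/app.sh"  # modified after signing
  echo "after edit: $(verify_file "$w/ca.crt" "$w/dev.crt" "$w/app.sh")"
  rm -rf "$w"
}
demo
```

Real platforms embed the signature and certificate inside the file format itself and also check revocation and timestamps, which this example leaves out.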

What Does Code Signing Do?

As a user, code signing has a couple of different functions that can help you know if you should trust software downloads and other interactions on the internet. The main purpose of code signing is to authenticate the author of the software, download or file. For example, a download file sent from Microsoft will appear to be much more trustworthy than a file from Joe Schmoe, and you are more likely to install it on your computer.

Code signing also allows you to see if there is a valid security certificate. Think of the certificate as being a wax seal on your download. If the seal is broken, you know the material inside may have been tampered with or compromised. If it is intact, you know the message inside is from the original sender, and the integrity of the original content has not been altered.

When you install software onto your computer, you are sure to have at least some updates in the future. When these updates are code signed with the same key used to “seal” your initial downloads, you can trust that future updates have come from the same source and are therefore safe to execute on your machine.

Where is Code Signing Used?

Code signing is used any place a developer wants a user to be sure of the source of a piece of software. This includes:

  1. Windows applications and software patches
  2. Apple software
  3. Microsoft Office VBA objects and macros
  4. .jar files
  5. .air or .airi files
  6. Essentially any executable

Be aware that, because of the distributed nature of Linux development, code signing is often not used for Linux-based software, so that software may come unsigned. If that happens, your computer (if it gives any notice) will tell you it’s from an “unknown developer,” or something along those lines. Here are a few other applications and software that utilize code signing to increase their security.

  • iOS: Code signing in iOS for the App Store is done using Xcode. The purpose of signing your app is simply to let iOS know who signed the app originally and to make sure it hasn’t been altered since it was originally signed by the developer. If you need to revoke your iOS certificate, you will need to use your developer account or Xcode to complete the process.
  • Xcode: Xcode is used by iOS to code sign apps and ensure their security. Before any app can be uploaded and approved for the iTunes store it must have a valid Apple Developer ID with a valid certificate or profile. To successfully integrate your app, you will need to use a development certificate. To run the app on any device, you must use a distribution certificate to send out the app and test it.
  • C#: Visual C# uses strong name signing to give your code a unique signature that is not available to anyone else in the world and cannot be spoofed. When using Visual C#, you can simply sign your deployment using the sn.exe tool. You can then confirm the signature with the sigcheck tool, which prints “Strong Name: Signed.”
  • Windows Certificate: Nearly any executable can be signed with a digital signature to verify the security and integrity of the file. For the file to be considered secure in Windows, it must be signed by a recognized certificate authority. Anyone who distributes malware under a valid certificate is held legally accountable for the software they distribute.
  • Visual Studio: Visual Studio is particularly helpful when it comes to strong name signing for assemblies—a notoriously difficult task. Strong name signing through Visual Studio allows other computers to trust the software developer.

Essentially, any executable file or software can use code signing to verify authenticity and provide additional security for users.

What are the Strengths of Code Signing?

Code signing does a couple of very important things. It ensures the identity of the developer (the authorship), meaning a random attacker can’t pass off some malware as being a software patch from Microsoft or Apple. It double-checks the software to ensure that it hasn’t degraded, become corrupted or been tampered with upon installation. Comparing the user-generated hash against the developer-generated value ensures that the code looks the same now as it did when it was signed by the developer.

If developers are using a code signing certificate they acquired from a certificate authority (CA), then code signing also extends the trust of the CA to the developer, meaning a relatively unknown software company can still be reasonably trusted by the public.

What are the Weaknesses of Code Signing?

The biggest downsides to code signing come when the system isn’t used properly. First, certificates are only good if the private keys (those used to encode the certificate) are kept safe and secret. If unscrupulous individuals gain access to the private key, they can potentially encode their own messages and software as if they were the developer, and the public key will verify the (false) identity. This leaves the user with no way of guaranteeing that the software was really from the intended developer. To this end, it is recommended that these keys be stored in Hardware Security Module (HSM) appliances.

Second, any hackers or developers with malicious intent can obtain a code signing certificate from a CA, if they really want to. What deters most of them is that they have to provide their identity information to the CA to obtain one, which makes the crime easier to attribute to them if they distribute malicious code. Potentially, though, a developer with a valid certificate could distribute harmful code to the public.

Third, when companies have hundreds or thousands of developers and just as many code applications that require signing, it becomes difficult to have visibility into all code signing activities. Code signing private keys are often left unprotected, stored on a developer or build server computer. In addition, companies without a well-defined code signing process with automated enforcement do not have the ability to secure their code signing process which leaves them vulnerable to private key theft.

Finally, code signing is really only as good as the end user’s judgment. If a user is willing to accept and install software of unverified integrity or identity, code signing is useless. Like the warning label on a bottle of bleach, it’s only effective if the user heeds the cautions listed there.
