What is Code Signing?

Definition: Code signing is the process of digitally signing a program, file, software update or executable so that its authenticity and integrity can be verified when it is installed and executed.

Code Signing explained

Code signing certificates are used by software developers and distributors to digitally sign executables and software packages so that end users can verify that the code they receive has not been tampered with since it was signed. The aim is to give the end user assurance that the software really comes from the named publisher and has not been altered on the way, regardless of which mirror or download site it came from.

A code signing certificate is a digital certificate issued by a Certificate Authority (CA). It carries the name of the publisher, and the signature it produces can additionally be countersigned with a timestamp so that it stays verifiable after the certificate expires. The certificate binds the identity of an organization to a public key; that key is one half of a key pair whose private half is mathematically related to it, and the certificate chains back to a trusted CA. The combination of key pairs, certificates and CAs is called Public Key Infrastructure (PKI). The developer signs a hash of the code with its private key, and the end user's system uses the public key in the certificate to verify the signature and, through the certificate chain, the publisher's identity:

  • If the certificate chains to a root the system trusts and the signature verifies over the hash of the code, the download or execution proceeds.
  • If there is no signature, if the system does not trust the root, or if the hash recomputed over the received code does not match the signed hash (i.e., the code or the signature has been modified), the download is interrupted with a warning that the software may not be trusted.

The security of the whole scheme rests on keeping the signing keys away from unauthorized access: whoever holds the private key can produce signatures that relying parties will accept as the publisher's. Best practice is to generate and store keys in tamper-resistant cryptographic hardware such as Hardware Security Modules (HSMs), so that the private key can be used but never copied out.

How can the private keys of code signing certificates be better protected?

Effective 15 November 2022, the CA/Browser Forum Code Signing Baseline Requirements mandate that the key pair for a code signing certificate be generated and stored in a hardware security module (HSM) or equivalent hardware crypto module that meets or exceeds FIPS 140-2 Level 2 or Common Criteria EAL4+ (the effective date was subsequently moved to 1 June 2023). The key pair is generated inside the device and the private key is marked non-exportable, so it never exists in plaintext outside the module. This reduces the risk of private key compromise and, with it, the risk to relying parties of installing malware that carries a valid signature.
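The sign-and-verify flow described above and the HSM-held key from this section, put together as an added example (it is not from the original page or from Utimaco). The program uses only the Go standard library: a toy root CA issues a code signing certificate to a publisher whose private key is reachable only through the crypto.Signer interface (the hsmSigner type is a stand-in for a real HSM behind a PKCS#11 wrapper, an assumption of this example), signs a constructed stand-in for an executable, and verifies it the way an installer would: chain the certificate to the trusted root, require the code signing extended key usage, recompute the hash over the received bytes and check the signature. The publisher name, certificate lifetimes and the sample bytes are made up for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// hsmSigner stands in for a key pair generated inside an HSM (assumption of this
// example): callers only see crypto.Signer, never the private scalar, which is
// the same interface PKCS#11 wrappers for real HSMs expose.
type hsmSigner struct{ priv *ecdsa.PrivateKey }

func newHSMSigner() *hsmSigner {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return &hsmSigner{priv: priv}
}

func (s *hsmSigner) Public() crypto.PublicKey { return &s.priv.PublicKey }

func (s *hsmSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, s.priv, digest) // the only operation the "HSM" offers
}

func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, key crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SetupPKI builds a toy hierarchy: a self-signed root (a public CA in practice)
// issues a code signing certificate binding the publisher's name to the public
// half of a key pair whose private half never leaves the "HSM". It returns the
// root, the publisher certificate and the publisher's signer.
func SetupPKI(publisher string) (*x509.Certificate, *x509.Certificate, crypto.Signer, error) {
	caKey, pubKey, now := newHSMSigner(), newHSMSigner(), time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := issue(caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: publisher},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, // what verifiers demand
	}, root, pubKey.Public(), caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, leaf, pubKey, nil
}

// SignCode hashes the binary and has the HSM sign the digest. The detached
// signature ships alongside the code together with the publisher certificate.
func SignCode(signer crypto.Signer, code []byte) ([]byte, error) {
	digest := sha256.Sum256(code)
	return signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// VerifyCode is the relying party's check: chain the certificate to the trusted
// root (requiring the code signing EKU), then verify the signature over a hash
// recomputed from the received code.
func VerifyCode(trustedRoot, cert *x509.Certificate, code, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(code) // hashed over what was actually received
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify: code modified or signed with another key")
	}
	return nil
}

func main() {
	root, leaf, signer, _ := SetupPKI("Example Software GmbH")
	code := []byte("MZ... constructed stand-in for an executable") // constructed input
	sig, _ := SignCode(signer, code)
	fmt.Println("genuine:", VerifyCode(root, leaf, code, sig))
	code[0] ^= 0xff // one flipped byte: the recomputed hash no longer matches
	fmt.Println("tampered:", VerifyCode(root, leaf, code, sig))
}
```

Run with `go run`: the first verification returns `<nil>`, the second reports a mismatch. Passing a different root in place of `root` fails at the chain step instead, which is the "system does not trust the root" case from the list above. Nothing in Go stops a caller from reaching into `hsmSigner.priv`; the point of a real HSM is that the equivalent field does not exist outside the device. The example also leaves out timestamping, which is what keeps a signature verifiable once the certificate has expired.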
 
 

----
Source: Utimaco
