Skip to main content
banner image
venafi logo

What Is a Code Signing Certificate?

What Is a Code Signing Certificate?

what is code signing
August 13, 2020 | Christin Dunlop

If I’m a developer of code and I sign my code with a code signing certificate, I am keeping my code safe from hackers and malware, right? Well the answer is, you are only partially safe.
 

What is a code signing certificate? Code signing certificates are a valuable security tool for developers. A code signing certificate utilizes an encryption algorithm in the form of a digital x.509 certificate issued from a trusted Certificate Authority in conjunction with a time stamp to secure code files. Code signing certificates are not exclusively useful for software, but can also be used for applications, scripts, and even firmware.


Developers can use these code signing certificates to ensure the code they provide to their end-users has not been altered especially with viruses, malware, or spyware. Similar to the way websites use TLS certificates to validate a secure connection to a verified website, code signing certificates use a similar Public Key Infrastructure (PKI) methodology. Developers sign their code with a private key, which is securely stored, and the end user will use the public key from that developer to validate the code has not changed since it was signed by the developer. In the circumstance where the code has been altered, the signature will provide an untrusted alert just as a website with an untrusted or expired certificate does with TLS.

Code signing certificates allow developers to provide their customers with assurance that the code (in whatever format it might be) is unaltered as well as confidence that the code they are downloading came from that developer.
 

Now that we have an understanding of what a code signing certificate is and how it can be used to protect a developer’s code, let’s look at why simply signing your code with a code signing certificate is not enough on its own. Let’s go back to just before Thanksgiving in 2014 when Sony Pictures was hacked. Hackers gained access to the Sony network and planted malware that crippled many employees’ computers with a worrisome warning message followed by a massive data breach which included the releases of previously unseen films, a staggering amount of employee personal information, and the destruction of a significant amount of corporate data. After long investigations, at a cost to Sony of over $15 Billion, it was later discovered that the attackers gained access to the Sony network through dozens of unprotected SSH private keys. An SSH private key operates under a very similar Private Key Infrastructure as code signing private keys do.
 

Back to the Sony example, a few months after the breach, malware known as “Destover” was found online signed with Sony’s code signing certificate. This malware is the same as the one hackers used against Sony to delete massive amounts of data in the breach. How could these hackers have signed code with Sony’s code signing key? Well, just like the SSH keys, a private key in the PKI infrastructure is only as secure as it’s means of storage. Many private keys (SSH, TLS, and code signing) are not stored in secure locations. Administrators will save a key in a file system or even on their desktops and these keys are often never rotated. The trouble is that once someone has access to your private key, they have essentially stolen your identity and can pose as you or your organization in the digital world. Hackers with access to Sony’s private code signing key can now release nefarious code of all kinds that will be trusted and downloaded by individuals without ever receiving a warning from a virus or malware scanner.
 

Code signing can be an extremely powerful security tool for developers and can provide comfort to end users. However, as we illustrated, the private keys in all Private Key Infrastructures must be securely and adequately protected in order to provide full protection of the developer’s code as well as the organization or developer’s reputations. Another means of protecting your private keys and therefore your code (or infrastructure) is by rotating the private key. Rotating a private key means the previous key will no longer work and a new private key is now used in its place. Often, it can be quite cumbersome to rotate a private key because you must first identify where it is used and replace those occurrences with the new key; this is often nearly impossible without the appropriate software to assist. Key rotations provide an added layer of security by ensuring that even if a private key was somehow compromised, it can no longer gain access or “sign”.
 

In summary, code signing can be a powerful security tool for developers as long as the private key is properly managed through storage and rotation.
 

Related posts


 

Like this blog? We think you will love this.
code-signing-abuse
Featured Blog

Study Shows Widespread Abuse of Code Signing Certificates

A study by Vi

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Christin Dunlop
Christin Dunlop
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more