It is important that your customers trust your software that they download from the internet and install. They need to know that it comes from you and not some third-party masquerading as you. And they need to know that it has not been altered during its lifetime by a third party, such as having malware inserted. Code signing helps your customers know that your company is the official publisher of the code and that no other third party has modified it since you signed it.
Learn more about Venafi CodeSign Protect
Code signing is simply a guarantee that the code of a program or software download has not been corrupted and tampered with after it was signed by the publisher. This is a short explanation, so in the following sections, we'll explore how code signing works and why it’s important.
Just as you want to be certain when you log into your bank account that you’ve given your password to the intended bank and not a man-in-the-middle attacker, it’s best to be sure that the programs and updates you download are safe are from the authentic publishers. To do that, we use the same public key infrastructure (PKI) used in HTTPS. When it’s used to sign and verify a software program, though, it’s called code signing.
Benefits of Code Signing
Code signing is a method of putting a digital signature on a program, file, software update or executable, so that its authenticity and integrity can be verified upon installation and execution. Like a wax seal, it guarantees to the recipient who the author is, and that it hasn’t been opened and tampered with. Microsoft developers, programmers and software engineers use code signing to prove, for instance, that your Windows 10 update actually came from Microsoft, and not a hacker who is trying to compromise your computer.
Code signing is what allows you to be sure you are downloading a file from the right author/publisher instead of an attacker who wants to take your information and data. Essentially, code signing lets you know that the code hasn’t been changed by a bad guy so you know it’s safe to install and run on your machine.
Code Signing Example
If you’ve ever seen that little popup that comes up when you try to run a program you’ve downloaded, the one that lists who the publisher is and asks “Are you sure you want to run this?” then you have seen code signing in action. That dialogue box is telling you that it really is a software patch for your Mac OSX from Apple Inc., and that it’s still in the same condition it was when they signed it.
From a developer’s point of view, there are 3 major components involved in the process of code signing: 1) code signing certificates 2) code signing applications 3) unsigned software files. The code signing applications usually come with the operating systems such as Microsoft Windows, Mac OSX, etc. The code signing certificates are often from Certificate Authorities (CAs). Let’s take a closer look at how code signing works as well as at the key concepts that are involved in this process.
Public Key Encryption
Encryption is when you encode a message to protect it from unwanted viewers. Usually this is done by passing it through a mathematical function (called a “key”) to change values, and decoding the message depends on having the key that returns the values back to their original state, allowing the message to be read. In public key encryption (or asymmetric encryption), the key that encodes the message and the one that decodes it are different (hence asymmetrical). It’s called public key, because one key is made widely available (the “public key”) while the other is kept private (the “private key”) to ensure the security of the message.
This kind of encryption relies on private keys being kept safe and secret and unavailable to those who would intercept or adulterate messages. Whether the public key is used to encode or decode the message depends on the nature of the transmission. If you want everyone reading the message, but you don’t want anyone tampering with it, you encode with the private key and decode with the public key. If you want everyone to be able to send a message, but don’t want them intercepted by the wrong person, you encode with the public key, but decode with the private key.
Hash functions are a method of cryptography that is designed to be irreversible. Rather than encoding with a key and using a key to decode, hash functions are meant to be one-way, using a mathematical function which changes the values in a way that can’t be undone. The most common analogy is that of mixing paint. For example, you can mix blue (the original values) with yellow (the hash function) to get green (the new values), and you’ll get green every time you mix them, but there’s no way to separate the two colors and recover the blue.
Hash functions are used whenever you need a set value, and don’t need to read the information a second time. Login passwords are the most common example: websites often hash them for storage, so that if there’s ever a breach, all the hacker has stolen is a bunch of gibberish values. Meanwhile, when you log into the website, it hashes your password again and compares it to the stored hash value. If what you entered matches what they have on file, they let you in. They don’t need to read the password itself, they just need the value.
Code Signing Certificates
Now back to code signing. Before the developers can sign their work, they need to generate a public/private key pair. This is often done locally through software tools such as `openssl`. Developers then give the public key and the organization’s identity information to a trustworthy CA. The CA verifies the authenticity of identity information and then issues the certificate to the developer. This is the code signing certificate which was signed by CA’s private key and contains the developer organization’s identity and the developer’s public key.
When developers are ready to “sign” their work to establish authorship, they take all the code they wrote and they hash it. The value that spits out is then encoded using the abovementioned private key (usually generated by the author), along with the code signing certificate that contains the public key and the identity of the author (proving the authorship). The output of this process is then added to the software to be shipped out.
This constitutes a code signing operation. The public key of the CA is already pre-installed in most browsers and operating system trust stores. When a user downloads the software, they use the CA’s public key to first verify the authenticity of the code signing certificate embedded in the signed software to confirm that it's from a trustworthy CA. The developer’s public key is then extracted from the certificate and used to decrypt the encrypted hash.
Then, the software is hashed again, and the new value is compared to the decrypted one. If the user’s hash value and the developer’s hash value match, then the software hasn’t been corrupted or tampered with during transmission. The user is then alerted that the software is as the developer last left it, and (if the developer is to be trusted) it’s safe to install and run.
As an end user, although code signing can provide you assurance of the authenticity and integrity of the downloaded software. However, you should also be aware that bad actors can create a public private key pair and generate a code signing certificate and make it appear as though they were endorsed by a valid CA. If anyone can create a code signing certificate, how do you know which certificates are trustworthy?
This is where root certificates come in. You can think of code signing certificates as if they were a family tree. In order to verify where code signing certificates have come from, you can trace them back to see which signing certificate is at the root of the tree—your root certificate. The root certificate determines if the other code signing certificates are trustworthy because you can trace the “chain of trust” back to the original signing authority.
This root authority could be a company like Microsoft or Apple. If your software’s signing certificate cannot find a trustworthy root certificate, then the system will advise you not to trust the certificate that has been used to sign the software you are attempting to download. Sometimes even a trusted authority may not be recognized because it has not been installed on a browser or in an operating system’s trust store. In these instances, you will need to manually install the root certificate on your trust store so the browser or the operating system recognize the root certificate as trustworthy and valid.
As a user, code signing has a couple of different functions that can help you know if you should trust software downloads and other interactions on the internet. The main purpose of code signing is to authenticate the author of the software, download or file. For example, a download file sent from Microsoft will appear to be much more trustworthy than a file from Joe Schmoe, and you are more likely to install it on your computer.
Code signing also allows you to see if there is a valid security certificate. Think of the certificate as being a wax seal on your download. If the seal is broken, you know the material inside may have been tampered with or compromised. If it is intact, you know the message inside is from the original sender, and the integrity of the original content has not been altered.
When you install software onto your computer, you are sure to have at least some updates in the future. When these updates are code signed with the same key used to "seal" your initial downloads, you can trust that future updates have come from the same source and are therefore safe to execute on your machine.
What Are the Types of Digital Certificates?
Different systems require different types of authentication. What works on a desktop is likely unsuitable for mobile systems and vice versa. Here are a few examples of the different certificates for both desktop and mobile software.
If you’re looking to sign and secure your software, you should first know what kind of software or system you are starting with and work from there.
What is the Use of a Digital Certificate?
A digital certificate is intended to give an identity to the software or code you’re publishing to your users. With a digital certificate, users can authenticate the software publisher. These digital certificates also inspire users’ trust in publishers because they are issued by certificate authorities. Digital certificates are also extremely useful for software publishers because they allow the publishers to track their software and track how many copies are downloaded.
How Long is a Digital Certificate Valid?
Another common question for those looking to get their own digital code signing certificate is how long a certificate is valid. Although the exact time frame can vary, depending on the issuer, digital certificates are typically only valid for a year or two.
This validity is short for a couple of reasons:
Code signing is used any place a developer wants a user to be sure of the source of a piece of software. This includes:
1. Windows applications and software patches
2. Apple software
3. Microsoft Office VBA objects and macros
4. .jar files
5. .air or .airi files
6. Essentially any executable
Be aware that, because of the distributed nature of Linux development, code signing is often not used for Linux-based software, so that software may come unsigned. If that happens, your computer will (if it gives any notice) will tell you it’s from an “unknown developer,” or something along those lines. Here are a few other applications and software that utilize code signing to increase their security.
Essentially, any executable file or software can use code signing to verify authenticity and provide additional security for users.
Code signing does a couple of very important things. It ensures the identity of the developer (the authorship), meaning a random attacker can’t pass off some malware as being a software patch from Microsoft or Apple. It double-checks the software to ensure that it hasn’t degraded, become corrupted or been tampered with upon installation. Comparing the user-generated hash against the developer-generated value ensures that the code looks the same now as it did when it was signed by the developer.
If developers are using a code signing certificate they acquired from a certificate authority (CA), then code signing also extends the trust of the CA to the developer, meaning a relatively unknown software company can still be reasonably trusted by the public.
The biggest downsides to code signing come when the system isn’t used properly. First, certificates are only good if the private keys (those used to encode the certificate) are kept safe and secret. If unscrupulous individuals gain access to the private key, they can potentially encode their own messages and software as if they were the developer, and the public key will verify the (false) identity. This leaves the user with no way of guaranteeing that the software was really from the intended developer. To this end, it is recommended that these keys to be stored in Hardware Security Modules (HSM) appliances.
Second, any hackers or developers with malicious intent can obtain a code signing certificate from a CA, if they really want to. What deters most of them is that they have to provide their identity information to the CA to obtain one, which makes the crime easier to attribute to them if they distribute malicious code. Potentially, though, a developer with a valid certificate could distribute harmful code to the public.
Third, when companies have hundreds or thousands of developers and just as many code applications that require signing, it becomes difficult to have visibility into all code signing activities. Code signing private keys are often left unprotected, stored on a developer or build server computer. In addition, companies without a well-defined code signing process that uses an automated means to enforce code signing processes, do not have the ability to secure their code signing process which leaves them vulnerable to private key theft.
Finally, code signing is really only as good as the end user’s judgment. If a user is willing to accept and install software of unverified integrity or identity, code signing is useless. Like the warning label on a bottle of bleach, it’s only effective if the user heeds the cautions listed there.
Hopefully, you now understand how code signing works as well as the answer to the questions, “what is code signing?” and “what is a code signing certificate?” With this information tucked securely under your belt, you can see why code signing certificates are not only useful for software developers, but also for anyone who sends secure information online.
The best way for companies to significantly mitigate the risks that cybercriminals obtain and use their code signing credential is to enforce secure code signing processes. Key components of that process should include requiring that keys are securely and centrally stored and ensuring that code signing processes are well defined and automatically enforced.
For more information on how Venafi can help secure your code signing process, and how to keep your systems safe from hackers, check out our Venafi Next-Gen Code Signing solution or watch our code signing webinar.