Passing information over the internet by uploading and downloading files probably isn’t something you think about on a day-to-day basis. While you might not worry about someone overhearing a simple exchange of information, like an email to your mom, other information, such as your bank account password, is much more sensitive. This is where code signing comes into play to help keep your internet information safe.
Code signing is simply a guarantee that the code of a program or download has not been corrupted and changed after it was signed by the distributor. While this is a short explanation, let’s delve a little bit deeper to learn more about how code signing works and why it’s important.
Just as you want to be certain when you log into your bank account that you’ve given your password to the bank and not a man-in-the-middle attack, it’s best to be sure that the programs and updates you download are safe to install. To do that, we use the same public key infrastructure (PKI) used in HTTPS. When it’s used to verify a program, though, it’s called code signing.
Benefits of Code Signing
Code signing is a method of putting a digital signature on a program, file, software update, or executable, to verify its authenticity and integrity. Like the wax seal of old, it guarantees to the recipient who the author is, and that it hasn’t been opened and tampered with. Developers, programmers, and software engineers use code signing to prove, for instance, that your Windows 10 update actually came from Microsoft, and not a hacker who’s trying to invade your computer.
Code Signing Example
If you’ve ever seen that little popup that comes up when you try to run a program you’ve downloaded, the one that lists who the publisher is and asks “Are you sure you want to run this?” then you’ve seen code signing in action. That dialogue box is telling you that it really is a software patch for your Mac OS from Apple Inc., and that it’s still in the same condition it was when they signed it.
Code signing is what allows us to be sure we’re downloading a file from the right sender instead of a hacker who wants to take our information. Essentially, code signing lets you know that the code hasn’t been changed by a hacker so you know it’s safe to download.
Code signing is a process that involves several different steps to verify and secure code from a developer. Let’s delve into how code signing works and take a look at the steps developers must take in order to get a code signing certificate.
Today, many third-party publishers require software to be signed before they will distribute it. If you want your content to be more widely available, it’s in your best interest to enroll your data through a valid CA (certificate authority) to get a security certificate. This provides your users with proof that your downloads are safe for their computer.
Users know your content is safe because your certificate authority provides two keys for code signing: one private key and one public key. The public key is already installed on most browsers. It allows everyone to unlock the private key and identify who the distributor is when they go to download a program or file. The private key is only used by the distributor to encrypt the data so people know if the data has been corrupted before reaching them. If it has been tampered with, the person attempting to download the program or file will receive a warning that the code signing certificate cannot be authenticated.
Public Key Encryption
Encryption is any time you encode a message to protect it from unwanted viewers. Usually this is done by passing it through a mathematical function (called a “key”) to change values, and decoding the message depends on having the key that returns the values back to their original state, allowing the message to be read.
In public key encryption (or asymmetric encryption), the key that encodes the message and the one that decodes it are different (hence asymmetrical). It’s called public key, because one key is made widely available (the “public key”) while the other is kept private (the “private key”) to ensure the security of the message. This kind of encryption relies on private keys being kept safe and away from those who would intercept or adulterate messages.
Whether the public key is used to encode or decode the message depends on the nature of the transmission. If you want everyone reading it, but you don’t want anyone tampering with the message, you encode with the private and decode with the public key. If you want everyone to be able to send a message, but don’t want them intercepted by the wrong person, you encode with the public, but decode with the private key.
Hash functions are a method of cryptography that isn’t designed to be reversible. Rather than encoding with a key and using a key to decode, hash functions are meant to be one-way, using a mathematical function which changes the values in a way that can’t be undone. The most common analogy is that of mixing paint. For example, you can mix blue (the original values) with yellow (the hash function) to get green (the new values), and you’ll get green every time you mix them, but there’s no way to separate the two colors and recover the blue.
Hash functions are used whenever you need a set value, and don’t need to read the information a second time. Login passwords are the most common example: websites often hash them for storage, so that if there’s ever a breach, all the hacker has stolen is a bunch of gibberish values. Meanwhile, when you log into the website, it hashes your password again and compares it to the stored hash value. If what you entered matches what they have on file, they let you in. They don’t need to read the password, they just need the value.
Code Signing Certificates
Now back to code signing. When a developer is ready to “sign” their work to prove its authorship and such, they take all the code they wrote, and they hash it. The value that spits out is then encoded using a private key (usually obtained from a trustworthy Certificate Authority), along with a message proving who encoded it (proving the authorship). It’s then added to the software to be shipped out. This constitutes a code signing certificate.
When a user downloads the software, they use the public key to first verify the identity of the developer by reading the message in the certificate. Once the authorship is verified, the public key is used to decode the hash. Then, the software is hashed again, and the new value is compared to the decoded one. If the user’s hash value and the developer’s hash value match, then the software hasn’t been corrupted or tampered with during transmission. The user is then alerted that the software is as the developer last left it, and (if the developer is to be trusted) it’s safe to install.
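The sign-then-verify flow described above, as an added example that is not code from the original article. It uses unpadded "textbook" RSA with a constructed, insecure demo key so that it runs on the Python standard library alone; the function names and the sample release bytes are assumptions made for illustration.

```python
import hashlib

# Constructed demo key (NOT secure): two well-known Mersenne primes, chosen so
# the example needs no third-party library. Real signing keys are random, live
# in an HSM, and real schemes add padding (for example RSA-PSS).
P, Q, E = 2**127 - 1, 2**521 - 1, 65537

def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d)) for textbook RSA."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)

def digest(code: bytes) -> int:
    """Hash the code and return the SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")

def sign(code: bytes, private) -> int:
    """Developer side: hash the code, then encode the hash with the private key."""
    n, d = private
    return pow(digest(code), d, n)

def verify(code: bytes, signature: int, public) -> bool:
    """User side: decode the signed hash with the public key, hash the
    download again, and compare the two values."""
    n, e = public
    return pow(signature, e, n) == digest(code)

def demo():
    public, private = make_keypair()
    release = b"print('installer v1.0')\n"        # constructed sample "software"
    sig = sign(release, private)
    tampered = release.replace(b"v1.0", b"v1.O")  # one byte changed in transit
    # A second, unrelated key pair stands in for a key that is not the developer's.
    _, other_private = make_keypair(2**89 - 1, 2**607 - 1)
    forged = sign(tampered, other_private)
    return {
        "untouched": verify(release, sig, public),
        "tampered": verify(tampered, sig, public),
        "signed_with_other_key": verify(tampered, forged, public),
    }

if __name__ == "__main__":
    print(demo())
```

Only the untouched release checks out against the developer's public key; the altered file fails because its hash no longer matches, and the file signed with a different key fails because the developer's public key does not decode that signature to the right hash.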
Although there are certificates to ensure your safety when downloading software, you should also be aware that anyone can create a signing key and make it appear as though they have a valid certificate authority. If anyone can create a certificate authority, how do you know which CA’s are actually trustworthy? Great question. This is where root certificates come in.
You can think of code signing certificates sort of like a family tree. In order to verify where they have come from, you can trace them back to see what signing certificate is at the root of the tree—your root certificate. The root certificate determines if the other code signing certificates are trustworthy because you can trace the “chain of trust” back to the original signing authority. This root authority could be a company like Microsoft or Apple.
If your software cannot find a trustworthy root certificate, then the system will advise you not to trust the code signing certificate you are attempting to download. Sometimes even a trusted authority may not be recognized because it has not been installed on a browser. In these instances, you will need to manually install the root certificate on your server so the server recognizes the root certificate as trustworthy and valid.
Code signing has a couple different functions that can help users know if they can trust software downloads and other interactions on the internet. The main purpose of code signing is to authenticate the author of the software, download, or file. For example, a download file sent from Microsoft appears much more trustworthy than a file from Joe Schmoe and you’re more likely to download it on your computer.
Code signing also allows you to see if there is a valid security certificate. Think of the certificate as sort of like having a wax seal on your download. If the seal is broken, you know the material has been tampered with or compromised. If it is intact, you know the message inside is from the original sender, and the integrity of the original content has not been altered.
When you download software onto your computer, you are sure to have at least some updates in the future. When these updates are code signed with the same key used to encrypt your initial downloads, you can trust that future updates are coming from the same source and are therefore safe to download as well.
What Are the Types of Digital Certificates?
Different systems require different types of authentication. What works on a desktop is likely unsuitable for mobile systems and vice versa. Here are a few examples of the different certificates for both desktop and mobile software.
If you’re looking to encrypt and secure your data, you should first know what kind of software or system you are starting with and work from there.
The obvious answer when it comes to wondering what the use of a digital certificate is, is that it is meant to secure and encrypt data so third parties can’t get ahold of sensitive information. With a digital certificate, users can authenticate the software publisher. These digital certificates also inspire user trust in publishers because they are issued by certificate authorities. Digital certificates are also extremely useful for software publishers because they allow the publisher to track their software and track how many copies are downloaded.
Another common question for those looking to get their own digital code signing certificate is how long a certificate is valid. Although the exact time frame varies depending on the issuer, digital certificates are typically only valid for a year or two. This is for a couple of reasons:
One important thing to remember when updating any security certificates is that if you delete any expired certificates you will no longer be able to read encrypted messages that corresponded to that key. Make sure you save any information you need as unencrypted copies so you still have access after an update. Alternatively, if you believe your certificate security has been compromised, you can request to have your certificate revoked early and get a new one.
Code signing is used any place a developer wants a user to be sure of the source of a piece of software. This includes:
Be aware that, because of the distributed nature of Linux development, code signing is often not used for Linux-based software, meaning that software will come unsigned, and your computer (if it gives any notice) will tell you it’s from an “unknown developer,” or something along those lines. Here are a few other applications and software that utilize code signing to increase their security.
Essentially, any executable file or software can use code signing to verify authenticity and provide additional security for users.
Before you jump in and add code signing certificates to trusted sites, you’ll want to make sure you can trust the resource it’s coming from. As we’ve mentioned before, looking at the root certificate will let you know if you are attempting to download software from a trusted source, or whether it has been corrupted or altered.
If the certificate has expired and you need to install the updated one, Microsoft recommends simply clicking through the “continue to this website (not recommended)” button, clicking, “Certificate Error,” then “View Certificates,” then “Install Certificate.” When the warning message pops up again you simply need to click “Yes” and you’re good to go.
This does carry risks of course, and you would never want to follow this process for any site you were unfamiliar with. To avoid this issue with your own websites, you should always go through a certificate authority to verify the security of your website.
Code signing does a couple of very important things. It ensures the identity of the developer (the authorship), meaning a random hacker can’t pass off some malware as being a software patch from Microsoft or Apple. It also double-checks the software to ensure that it hasn’t degraded, become corrupted, or been tampered with. Comparing the user-generated hash against the developer-generated value ensures that the code looks the same now as it did when the certificate was signed.
If a developer is using a private key it acquired from a certificate authority (CA), then code signing also extends the trust of the CA to the developer, meaning a relatively unknown software company can still be reasonably trusted by the public.
The biggest downsides to code signing come when the system isn’t used properly. First, certificates are only good if the private key (the one used to encode the certificate) is kept safe. If unscrupulous individuals gain access to the private key, they can potentially encode their own messages and software as if they were the developer, and the public key will verify the identity, which leaves the user with no way of guaranteeing it was really from the developer. To this end, these keys are usually stored in Hardware Security Modules (HSM).
Second, any hacker or developer with malicious intent can obtain a private key from a CA, if they really want to. What deters most of them is that they have to register with the CA to obtain one, which makes the crime easier to pin on them if they distribute malicious code. Potentially, though, a developer with a valid certificate could distribute harmful code to the public.
Lastly, code signing is really only as good as a user’s judgment. If a user is willing to accept and install software of unverified integrity or identity, code signing is useless. Like the warning label on a bottle of bleach, it’s only effective if the user heeds the cautions listed there.
Hopefully, you now understand how code signing works as well as the answer to the questions, “what is code signing?” and “what is a code signing certificate?” With this information tucked securely under your belt, you can see why code signing certificates are not only useful for software developers, but also for anyone who sends secure information online.
All-in-all, though, when used properly, code signing is an effective security measure that protects users from malicious software and code.
For more information on code signing and how to keep your systems safe from hackers, check out our risk assessment tool or contact Venafi today.