Digital Signatures and Central Code Signing
Whenever software is being distributed over the Internet (or other insecure network), or it is stored on untrusted media, it is crucial to use a reliable signing tool to digitally sign all executable files such as applications, libraries and drivers.
- Windows executable files, libraries, drivers and updates.
- Firmware for hardware devices.
- Mobile apps (Android, iOS).
- OS X apps, Xcode.
- Java applications (Applets, WebStart, Oracle Java).
- Plugins and addons in many applications (Mozilla, Firefox, Thunderbird XPI, NetBeans modules etc.).
- Software from repositories for Linux and Apple OS X.
Three good reasons to use Central Signing
Protection of Signing Keys
The primary reason to use a secure, centralized code signing solution is to keep code signing keys protected. For this purpose, keys are kept securely in a Hardware Security Module (HSM), mitigating the risk of any key being stolen or used illegitimately.
Centralized control
Many organizations have code signing keys and certificates spread out in different departments and with different developers across the organization. Keeping track of where the signature capabilities reside, and who is allowed to sign code on the organization's behalf, quickly becomes difficult or even unmanageable.
Policy and Audit compliance
An organization needs to be able to see exactly when, and for what, a particular code signing key (and its certificate) has been used, and there are usually strict policies surrounding how code signing should be done.
Using SignServer for code signing
SignServer is PrimeKey's code signing solution that helps you to keep secure control of your code signing keys, and also provides a centrally managed and audited single service for all your code signing needs.
Windows' Authenticode for executable files
Microsoft has specified a format for digital signatures in software binaries called Authenticode. Using Authenticode, the signature is embedded within some type of portable executable (PE) file, typically with file extensions like .exe, .dll, .sys and .ocx.
If the file had not been signed, a different warning would be displayed, asking the user to confirm that the software should be run, even if the publisher is not known:
More technical details are available in an Authenticode whitepaper published by Microsoft.
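To make "embedded within the PE file" concrete, the following added example (not SignServer or Microsoft code) locates the Authenticode data by reading the Certificate Table entry of the PE data directories. The function names and the sample bytes are constructed for illustration; the code reports only whether a signature blob is present and does not validate it.

```python
import struct

SECURITY_DIR = 4  # index of the Certificate Table in the PE data directories

def find_authenticode_blob(pe: bytes):
    """Return (file_offset, length, cert_type) of the first WIN_CERTIFICATE, or None if unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 4 + 20                                    # skip PE signature and COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                       # PE32
        dirs = opt + 96
    elif magic == 0x20B:                                     # PE32+ (64-bit)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (n_dirs,) = struct.unpack_from("<I", pe, dirs - 4)       # NumberOfRvaAndSizes
    if n_dirs <= SECURITY_DIR:
        return None
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    if cert_off == 0 or cert_size == 0:
        return None                                          # no embedded signature
    if cert_size < 8 or cert_off + cert_size > len(pe):
        raise ValueError("certificate table points outside the file")
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (0x0002 = PKCS#7 SignedData)
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    return cert_off, length, cert_type

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32 header (not a runnable program) with an optional dummy certificate."""
    pe_off = 0x40
    buf = bytearray(pe_off + 24 + 96 + 16 * 8)               # DOS header, PE/COFF, optional header, 16 dirs
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    opt = pe_off + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 92, 16)
    if signed:
        blob = b"\x30\x82" + b"\0" * 6                       # placeholder for the PKCS#7 bytes
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", buf, opt + 96 + 8 * SECURITY_DIR, len(buf), len(cert))
        buf += cert
    return bytes(buf)
```

A non-empty result means only that a signature structure is attached; whether it is valid and chains to a trusted code signing certificate still has to be checked by the operating system or a verification tool.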
Authenticode in SignServer
Since SignServer Enterprise 3.6.3, there is an Authenticode signer for PE files.
For testing purposes, and for test environments in general, you can issue the certificate yourself. Remember to set the extended key usage to “Code Signing” and to install the CA certificate in your test environment.
In Windows, the signature attached to a specific file can be manually inspected:
- Right click on the file and choose Properties.
- Click on the Digital Signatures tab.
- Select the signature in the Signatures list and click Details.