What? Another blog about code signing? Due to a recent string of related hacking events, we thought it best to return to this topic and clear up some details that may have been unclear. So, really, how important is code signing? Ask anyone from the US’ Boston or New England area and they’ll tell you, “Dude, it’s wicked important.” Let’s start with the basics.
Code signing is the process of applying a digital signature to software/applications and is the virtual equivalent to packaging a retail product for store distribution, like Cap’n Crunch cereal, for example. When in your local supermarket searching for breakfast treats, you come across the bright red packaging with your old friend, the Cap’n in his regal blue uniform, right on the front of the box, complete with the Quaker Oats company corporate logo. You know it’s legit.
Same goes with code signing. Proper code signing is done with a Code Signing Certificate, assuring the user downloading the signed software that it comes from an identified software vendor and the code has not been tampered with since being published.
UNSIGNED CODE
CODE SIGNED WITH A CODE SIGNING CERTIFICATE
Reiterating the earlier Cap’n Crunch example, customers who buy packaged food from a retail store receive a pre-packaged, sealed or wrapped box or container and can clearly determine who made the food and whether or not the package has been tampered with or opened. Therefore, the customer can easily make a decision whether or not to trust the food contents, usually. Customers, who download software from the internet, need similar assurance. Code Signing provides this assurance and acts as a “virtual shrink-wrap” when distributing software via the internet.
In an earlier blog topic around the importance of code signing, GlobalSign’s own Linus Hallberg stated that:
You might already understand the importance of Code Signing, but that probably doesn’t make the process any less painstaking.
As Linus points out, the “pain” can be mitigated when your code is signed with an EV Code Signing Certificate and will not cause SmartScreen warnings, as it features instant reputation with SmartScreen. Read Linus’ earlier blog for his helpful tips.
Counterfeit Code Signing is On the Rise
It was bound to happen. Always on the lookout for something else to exploit for pleasure, profit and mayhem, hackers have turned to yet another area, code signing in applications and the like, where IT departments must be vigilant.
ZD Net recently reported that,
Security researchers have found that hackers are using code-signing certificates more to make it easier to bypass security appliances and infect their victims.
It appears that now hackers try to get legitimate certificates from certificate authorities using stolen corporate information in order to sign malicious code, whereas it was previously seen that certificates were stolen from companies and developers and “repurposed” by hackers to enable their code to be signed with a valid code signing certificate.
It turns out that, if the certificate authority issuing the Code Signing Certificate has tight account security measures to guard against hackers gaining account access control, combined with an extensive vetting protocol to ensure the identity of the acquirer is legitimate, then counterfeit is greatly reduced. For instance, at GlobalSign, the vetting process for EV Code Signing verifies the identity of an organization within a specific jurisdiction of incorporation. It also clearly identifies the purchaser, administrator and the organization's principle place of business through a rigorous and stringent set of well-defined validation processes. The process also contractually binds the organization to a subscriber agreement. This agreement benefits relying parties and strengthens the security of the Internet as a whole.
The CA Security Council (CASC) released a set of minimum requirements for Certificate Authorities to adhere to when issuing code signing certificates. One of the main ideas behind creating the requirements was to help users stay informed when it comes to the purpose of signed code, as well as to make informed decisions when relying on certificates. Overall, the guidelines are expected to improve the trustworthiness of software platforms, while limiting the spread of malware.
Microsoft, leading by example, adopted the new guidelines upon its release, and required all CAs that issue Code Signing Certificates for Windows platforms to adopt the minimum requirements as of February, 2017.
Beyond the Basics
Yes, it’s incredibly important to make sure you obtain a Code Signing Certificate from an approved and reputable certificate authority with a stringent vetting protocol. Once obtained, authenticated and trusted code signing can begin. Here are some other details to keep in mind.
- When signing code with a Code Signing Certificate, the digital certificate is marked for the specific use of digitally signed code.
- When a digital signature is applied, a timestamp can also be recorded. This timestamping feature acts to ensure the signed code remains valid even after the digital certificate expires. Unless you’re adding additional code or making changes to the code, a new signature does not need to be applied (even if the digital certificate used to initially sign the code expires).
Code Signing Helps Prove:
- Content source - code signing identifies that the software or application is coming from a specific source (a developer or signer). When software is downloaded from the internet, browsers will exhibit a warning message stating the possible dangers of downloading data, or display an “unknown publisher” warning. Code signing removes the “unknown publisher” security warnings and identifies the publisher’s name (i.e. organization name or individual developers name).
- Content integrity - code signing also ensures that a piece of code has not been altered and determines whether code is trustworthy for a specific purpose. If the application/ software code is tampered with or altered after digitally signing, the signature will appear invalid and untrusted. Signing code is beneficial for users downloading applications and beneficial for developers. Users are assured who they are downloading software from and can decide whether or not to trust the source. Developers can mark their “brand” and protect their software from unwanted changes.
Here are some other differences and protections to be aware of between the types of code signing certificates:
GlobalSign is considered to be one of the world’s leading certificate authorities with PKI services and solutions for any use case, and any size business and organization. For more information on code signing, read our ebook: Introduction Guide to Code Signing – and as always, we invite you to have a conversation with us.
Additional Resources:
