Jump to content

Code signing

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Thx1200 (talk | contribs) at 18:24, 21 May 2007 (External links: - Fixed broken link to Microsoft's Code Signing page.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a checksum.

Overview

Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying, however in some languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other meta data about an object.

Providing security

Many code signing implementations will provide a way to sign the code using private and public key system similar to the process employed by SSL or SSH. For example in the case of .NET, the developer uses a key which they use to sign their libraries or executables each time they build. This key will be unique to a developer or group or sometimes per application or object. The developer can either generate this key on their own or they obtain one from a trusted certificate authority.

It is particularly valuable in distributed environments, where the source of a given piece of code may not be immediately evident – for example Java applets, ActiveX controls and other active web and browser scripting code. Another major usage is to safely provide updates and patches to existing software. Most Linux distributions, as well as both Mac OS X and Microsoft Windows update services use code signing to ensure that it is not possible to maliciously distribute code via the patch system. It allows them not have to worry about distribution security, such as mirror sites which may not be under the authors complete control, or any other intermediate piece of the deployment.

Trusted identification using a CA

The public key used for code signing should be traceable back to a trusted root authority, preferably using a secure public key infrastructure (PKI); although this does not ensure that the code itself can be trusted, only that it comes from the stated source (or more explicitly, from a particular private key). A certificate authority provides a root trust level, which is able to assign to trust to others by proxy. If a user is set to trust one of these certificate authorizes and receives an executable from that signed with a key generated by them, they can choose to trust the application by proxy. In many frameworks and operating systems, a number of existing publicly trusted authorities will be pre-installed (such as possibly VeriSign, or Thawte). When inside a large group of users, such as a large company, it's common place to employ a private internal certificate authority, which is suitable for providing the same features of public certificate authority but for deploying signed objects internally.

Alternative to CAs

The other model is where the developer can choose to provide a their own self-generated key. In this scenario, the user would normally have to obtain the public key in some fashion directly from the developer to verify the object is from them for the first time. Many code signing systems will store the public key inside the signature. Some software frameworks and OSs that check the code's signature before executing, and will allow you to choose to trust that developer from that point on after the first run. An application developer can provide a similar system by including the public keys with the installer. The key can then be used to ensure that any subsequent objects that need to run, such as upgrades, plugins, or another application, are all verified as coming from that same developer.

Problems

Like any security measure, code signing can be defeated. Users can be tricked into running unsigned code, or even into running code that refuses to validate, and the system only remains secure as long as the private key remains private.

Implementations

IBM's Lotus Notes has had PKI signing of code from Release 1, and both client and server software have execution control lists to control what levels of access to data, environment and file system are permitted for given users. Individual design elements, including active items such as scripts, actions and agents, are always signed using the editor's ID file, which includes both the editor's and the domain's public keys. Core templates such as the mail template are signed with a dedicated ID held by the Lotus template development team.

Signed JavaScript is also popular; signed scripts are allowed to perform additional actions such as cross-domain referencing.

Microsoft implements a form of code signing (based on Authenticode) provided for Microsoft tested drivers. Since drivers run in the kernel, they can destabilize the system or open the system to security holes. Microsoft for this reason, tests drivers submitted to its WHQL program. After the driver has passed, Microsoft signs that version of the driver as being safe. Installing drivers that are not validated with Microsoft is possible after accepting to allow the installation in a prompt warning the user that the code is unsigned.

Stub icon

This software article is a stub. You can help Wikipedia by expanding it.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Code_signing&oldid=132490159"