Talk:Code signing

From Wikipedia, the free encyclopedia


  • What exactly is wrong with this article? Why is it being considered for deletion? If anything, what it lacks is content, but I believe it's a legitimate topic for an article. Will add some content. Marcos Juárez 19:13, 20 February 2006 (UTC)

  • I wanted to add a note that the average user is likely to trust a large software company, but that creates a problem, since a disgruntled employee inside such a company could potentially insert malicious code. In other words, the way it's presented, code signing is likely to appear as a panacea to the average user, but will definitely not be one. Doesn't sound very encyclopedic, though, so I leave it to the rest of you; feel free to write it in if you can phrase it better. Fry-kun (talk) 10:04, 8 March 2008 (UTC)
  • Someone may want to add under Problems that if the system used to develop the software is infected by a computer virus it may be possible (depending on many factors) for the virus to infect the software prior to its being signed, in which case the code as signed is not safe even though it is signed by a well-intending developer. (talk) 05:49, 17 July 2009 (UTC)
  • This article probably should include a reference to Certificate Revocation Lists (CRLs)
  • There is public confusion about correctly signed code with a certificate that has expired (the code was signed before expiration). People incorrectly interpret this as a breach/violation of the certificate. —Preceding unsigned comment added by (talk) 18:31, 8 December 2010 (UTC)
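The two points above (a CRL entry and an expired certificate) both come down to which point in time a verifier compares against the certificate's validity window. The following is an added example, not code from the article or from any signing tool: a trusted timestamp recorded at signing time lets a signature remain valid after the certificate expires or is revoked, while a signature without one is judged at verification time. The certificate and CRL structures are constructed stand-ins, and HMAC stands in for the asymmetric signature so the block runs with the standard library only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed stand-in for a code-signing certificate: only the fields that
# matter for the validity-window and revocation decisions are modelled.
@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    key: bytes  # stand-in for the public key; HMAC replaces real asymmetric signing


@dataclass(frozen=True)
class Signature:
    cert: Certificate
    signing_time: Optional[datetime]  # from a trusted timestamp; None if not countersigned
    mac: bytes


def sign(code: bytes, cert: Certificate, signing_time: Optional[datetime]) -> Signature:
    """Sign the SHA-256 digest of the code (HMAC as a stand-in for the signer's private key)."""
    digest = hashlib.sha256(code).digest()
    return Signature(cert, signing_time, hmac.new(cert.key, digest, hashlib.sha256).digest())


def verify(code: bytes, sig: Signature, crl: Dict[str, datetime], now: datetime) -> Tuple[bool, str]:
    """Return (ok, reason). `crl` maps a revoked subject to its revocation date."""
    # 1. Cryptographic check: the signature must cover exactly these bytes.
    digest = hashlib.sha256(code).digest()
    expected = hmac.new(sig.cert.key, digest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig.mac):
        return False, "signature does not match code"
    # 2. Reference time: a trusted timestamp fixes the moment of signing; without
    #    one the verifier can only use the current time, so an expired certificate
    #    makes the signature unverifiable even though the code is unchanged.
    timestamped = sig.signing_time is not None
    ref = sig.signing_time if timestamped else now
    if not (sig.cert.not_before <= ref <= sig.cert.not_after):
        when = "signing time" if timestamped else "verification time"
        return False, "certificate not valid at " + when
    # 3. Revocation: a CRL entry carries a date; a timestamped signature made
    #    before that date is still honoured, one made after it is rejected.
    revoked_at = crl.get(sig.cert.subject)
    if revoked_at is not None and ref >= revoked_at:
        return False, "certificate revoked before " + ("signing" if timestamped else "verification")
    return True, "ok"


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed certificate, valid for two years, and a constructed code image.
CERT = Certificate("Example Publisher", _utc(2019, 1, 1), _utc(2021, 1, 1), b"constructed-key")
CODE = b"\x7fELF constructed program image"
NOW = _utc(2022, 6, 1)  # verification happens well after the certificate expired


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Exercise the cases discussed above; returns {scenario: (ok, reason)}."""
    revoked = {CERT.subject: _utc(2020, 9, 1)}  # constructed CRL entry
    return {
        "timestamped, cert since expired": verify(CODE, sign(CODE, CERT, _utc(2020, 6, 1)), {}, NOW),
        "no timestamp, cert since expired": verify(CODE, sign(CODE, CERT, None), {}, NOW),
        "timestamped before revocation": verify(CODE, sign(CODE, CERT, _utc(2020, 6, 1)), revoked, NOW),
        "timestamped after revocation": verify(CODE, sign(CODE, CERT, _utc(2020, 10, 1)), revoked, NOW),
        "code altered after signing": verify(CODE + b"!", sign(CODE, CERT, _utc(2020, 6, 1)), {}, NOW),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:34} -> {'VALID' if ok else 'INVALID'} ({reason})")
```

Real code-signing formats embed the timestamp as a countersignature from a timestamping authority, so the signing time is itself something the verifier can trust rather than a field the signer fills in freely; the example takes that trust as given.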

Incomplete question

One thing I did not find in this article: is it possible to digitally sign self-modifying program code?

The IBM compatible PC is a modified von Neumann architecture, where stored data can become program instruction, therefore self-modifying code is perfectly legal and is NOT the exclusive domain of malware (viruses).

For example, really expensive commercial software may use self-modifying code together with a hardware dongle device to strongly protect against unauthorized duplicate use. Such software vendors may wish to have their programs signed digitally for trustedness, since anti-virus programs have a tendency to heuristically alert on almost any self-modifying code, be it a virus or a false alarm on legitimate program code. One method to prevent such occurrences is that many AV programs automatically exclude trusted-signed binaries from virus checking. (talk) 17:25, 24 April 2012 (UTC)

code signing on Linux

Our article says "This form of code signing is not used on Linux", but should say that at least some Linux distros (one I'm sure of is Debian) do support digital-signature-based validation of the packages they install. —Steve Summit (talk) 16:35, 9 June 2016 (UTC)
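The Debian mechanism referred to above signs the repository index rather than each binary: apt checks the archive key's signature over the Release (or InRelease) file, which lists the hashes of the Packages indexes, which in turn list the hash and size of every .deb. The following added example (not code from the article or from apt) walks that hash chain over a constructed Release file, Packages index and package payload; the OpenPGP signature check on Release itself is taken as already done and is not implemented here.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed package payload (a real .deb is an ar archive; the bytes are arbitrary here).
DEB_BYTES = b"!<arch>\nexample package payload, constructed for this demo\n"

# Constructed Packages index: the stanza apt consults for a package's file hash.
PACKAGES_TEXT = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
)
PACKAGES_BYTES = PACKAGES_TEXT.encode()
PACKAGES_PATH = "main/binary-amd64/Packages"

# Constructed Release file. In a real archive this is the file the archive key signs.
RELEASE_TEXT = (
    "Origin: Example\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {PACKAGES_PATH}\n"
)


def parse_release_sha256(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {path: (sha256, size)} from the SHA256 block of a Release file."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_block:
            break  # the hash block ends at the next unindented field
    return entries


def parse_packages(text: str) -> List[Dict[str, str]]:
    """Split a Packages index into stanzas of field -> value."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_download(release_text: str, packages_bytes: bytes, packages_path: str,
                    package_name: str, deb_bytes: bytes) -> Tuple[bool, str]:
    """Walk the chain signed Release -> Packages index -> .deb; returns (ok, reason)."""
    expected = parse_release_sha256(release_text).get(packages_path)
    if expected is None:
        return False, "Packages index not listed in Release"
    if (hashlib.sha256(packages_bytes).hexdigest(), len(packages_bytes)) != expected:
        return False, "Packages index does not match signed Release"
    stanza: Optional[Dict[str, str]] = next(
        (s for s in parse_packages(packages_bytes.decode()) if s.get("Package") == package_name), None)
    if stanza is None:
        return False, "package not in index"
    if hashlib.sha256(deb_bytes).hexdigest() != stanza["SHA256"] or len(deb_bytes) != int(stanza["Size"]):
        return False, ".deb does not match Packages index"
    return True, "ok"


if __name__ == "__main__":
    print(verify_download(RELEASE_TEXT, PACKAGES_BYTES, PACKAGES_PATH, "example-tool", DEB_BYTES))
    print(verify_download(RELEASE_TEXT, PACKAGES_BYTES, PACKAGES_PATH, "example-tool", DEB_BYTES + b"x"))
```

Because every hash is anchored in the signed Release file, a mirror that serves a modified Packages index or a modified .deb is caught at the link where the bytes diverge, even though no signature is attached to the .deb itself.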