IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [code-signing]

Code Signing is the process of putting a signature on executables and patches to prove it is genuine, and to prevent attackers from injecting malicious code into end-user's systems.

Code signing comes up frequently in the following areas:

  • OS updates (especially Over-The-Air updates for mobile devices)
  • Firmware updates / secure boot
  • Installing apps from a public app store / downloaded from the internet

but can also come up in other contexts.

166 questions
45
votes
2 answers

Who owns the gpg key 4AEE18F83AFDEB23 and how did it sign a commit in my GitHub repo?

This commit in my GiHub repo is signed by a key I don't recognize: https://github.com/jonathancross/jc-docs/pull/2/commits/124672699991af75dd2454831670758f08bc74ab What is going on here?
Jonathan Cross
  • 1,548
  • 1
  • 12
  • 25
32
votes
2 answers

Smart-Screen filter still complains, despite I signed the executable, why?

First and foremost, this is my very first experience with Code Signing. I bought Standard Code Signing from Certum for 3 years. I intend to publish applications in Czech republic mostly. But to the point, on Windows 10, when I download the signed…
LinuxSecurityFreak
  • 1,562
  • 2
  • 18
  • 32
23
votes
9 answers

Deprecation of SHA1 code signing certificates on Windows

EDIT (7/7/2016) - see addition at the end of post I have been keenly following the issues with regards to Microsoft deprecating the use of SHA1 code-signing certificates for Windows executables…
Kevin
  • 331
  • 1
  • 2
  • 7
20
votes
3 answers

Transferring Microsoft SmartScreen reputation to renewed certificate

I know that even a software signed with a new code signing certificate triggers Microsoft Defender SmartScreen warning: Windows Defender SmartScreen prevented an unrecognized app from starting The warning goes away only after the certificate…
Martin Prikryl
  • 493
  • 5
  • 21
17
votes
4 answers

Is signing a file better than issuing a checksum, and does it render a separate checksum useless?

Alternatively, the question could be asked: Does issuing a checksum for a file we sign anyways just duplicate work? Use case: Firmware sent to an IoT device. We sign it, and form a separate checksum for it. My understanding is that this is…
kmfsousa
  • 181
  • 1
  • 6
15
votes
2 answers

How do large companies protect their private (code-signing) keys?

Some time ago I read the canonical answer of our ursine overlord concerning CAs and their private (root) keys. More recently I stumbled across the question on the question on how to manage code signing keys for iOS and android. Basically as a…
SEJPM
  • 9,500
  • 5
  • 35
  • 66
14
votes
2 answers

How to become Intermediate Certificate Authority?

I work at government organization. We would like to become Intermediate CA so that we can provide SSL certificates to our branch organizations. We must be able to do code signing, green address bar etc,. I heard that we can be intermediate CA…
babuuz
  • 141
  • 1
  • 1
  • 3
11
votes
1 answer

Should I sign someone else's code?

I'm working on a product that includes 3rd party drivers for some of the product's hardware. Some of the drivers are not signed, others are only signed with sha1 certificates. Given that getting new, sha2 signed (or dual signed) drivers from all the…
Grhm
  • 213
  • 1
  • 7
11
votes
2 answers

Centralized key management for IOS and Android Code Signing

What is the best way for an enterprise to manage code signing certificates? The default seems to be that Apple and Android keys get stored by each developer on their machines. I see systems like Amazon Key Management Service and Microsoft Key…
user1724280
  • 111
  • 2
11
votes
1 answer

Did D-Link's certificate revocation really only invalidate 1 day (of a six months long exposure)?

I'm trying to wrap my head around the OCSP revocationTime for D-Link's certificate. I recently answered another question and ended up drafting a timeline. That timeline is basically this: Jul 5 00:00:00 2012 GMT. Validity: Not Before Feb 27 …
StackzOfZtuff
  • 17,783
  • 1
  • 50
  • 86
11
votes
1 answer

Has the leaked D-Link Windows signing key been revoked?

Recently news broke as to D-Link mistakenly publishing a private code-signing key as part of an open source framework: The D-Link key was leaked in late February, and expired on September 3, it appears. That means during that six-month period,…
Frames Catherine White
  • 289
  • 2
  • 11
10
votes
2 answers

AV detection of signed malware

With the massive Sony leaks (including their private keys/certificate), i was wondering: How do major AVs deal with signed binaries? ie: Does it influence their detecting ability of the signed malware? If so, how? For example: Do they check CRLs…
zX8iqV
  • 413
  • 2
  • 12
10
votes
2 answers

Does linux support signed binaries?

I am looking for something similar to what iOS supports. Does it exist in linux? With a secure boot (based in hardware chain of trust), doesn't it make sense to have signed binaries for security? Actually, if I have an opportunity to do signed…
user220201
  • 893
  • 9
  • 22
10
votes
2 answers

Why does Microsoft use a digital signature catalog instead of a signature in the executable?

I own a code signing certificate, so I can add digital signatures on files that contain executable code. Microsoft seems to use a "new" way and provides most digital signatures not in the file itself but in a signature catalog…
Thomas Weller
  • 3,246
  • 3
  • 21
  • 39
9
votes
1 answer

Signing a browser extension

I want to make a browser extension available to users. Can I sign my extension so that users can verify it is authentic, without needing to trust the web site where they got the extension from nor the security of their network connection? Which…
D.W.
  • 98,420
  • 30
  • 267
  • 572
1
2 3
11 12