IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [code-signing]

Code Signing is the process of putting a signature on executables and patches to prove it is genuine, and to prevent attackers from injecting malicious code into end-user's systems.

Code signing comes up frequently in the following areas:

  • OS updates (especially Over-The-Air updates for mobile devices)
  • Firmware updates / secure boot
  • Installing apps from a public app store / downloaded from the internet

but can also come up in other contexts.

166 questions
0
votes
1 answer

Spoof publisher info on Windows applications

Let me start by acknowledging that I have absolutely no experience with Windows development and this is purely for academic purposes. I apologize for incorrect terminology and welcome corrections or good resources. When we run a program from an…
DaArFI
  • 1
0
votes
0 answers

Switching CSC certificate issuer and SmartScreen

We have most of our SSL certificates hosted at GoDaddy but have Standard Code signing certificate from GlobalSign, we would like to switch to GoDaddy CSC since our CSC from GlobalSign is expiring in 3 months. How would this affect MS SmartScreen,…
formatc
  • 101
  • 1
0
votes
2 answers

How can we verify an installer's validity by checking its signature?

I'm working on some software that can be self-hosted, and it includes a component that can be downloaded and installed on end user machines (Windows only). The download comes from the self-hosted server, not from a central location, and that cannot…
vaindil
  • 263
  • 1
  • 2
  • 8
0
votes
1 answer

File authentifications via PGP versus via unique file hashes

Many files that are available for download (eg in github) come along with "asc" signature files attached, or with a sha256 file hash. Can someone please explain difference of PGP signatures vs file hashes? My questions: Is the purpose of both files…
johnsmiththelird
  • 483
  • 7
  • 16
0
votes
1 answer

Cryptographically signing content / download

Let's say that I have an executable running on a client machine, and, it requires to download some updates on a regular basis. The solution uses TLS to communicate with the download server. I would like to include authenticating these updates before…
Darragh
  • 1,102
  • 9
  • 15
0
votes
0 answers

Check CRLs of signed JARs

I have a signed JAR. How could I check if the corresponding code-signing certificate was revoked? Technically there seem to be the following options: The Java TrustStore holds CRLs/revoked certificates. The JarSigner checks CRLs automatically or…
D.O.
  • 600
  • 3
  • 9
0
votes
1 answer

Cross-signing certificates for Windows Driver Signing

For testing purposes I want to test cross-signing certificates for Windows driver signing. I understand the general concept: Two root CAs, one root CA cross-signs the other root CA's public key. However, I couldn't find any information on how to…
D.O.
  • 600
  • 3
  • 9
0
votes
2 answers

Signing the same solution (list of files) by multiple CA

We (platform owner) have a requirement to sign a 3rd party (partner) software solution which will be hosted on our platform. The 3rd party solution is signed by the partner with some well known CA. The platform owner would like to sign it again with…
Vamsi
  • 1
  • 1
0
votes
2 answers

How to verify a private key has not been compromised?

I have a machine with a process that signs code for users running 24/7 (encrypting the key is not possible), which will be protected as well as possible. Is there a way to set things up such that I can detect if the private key has been…
user8897013
  • 123
  • 4
0
votes
2 answers

Software Signing Standards

Is there a software signing certificates standard, officially or by popularity? As I understand the SSL/TLS/https certificates rules are specified by the RFCs. Mixed use of servers and clients from different vendors will just interoperate without a…
minghua
  • 165
  • 10
0
votes
2 answers

Deploy verifiable webapp source code

Recently there have been quite some discussions about the security approach of ProtonMail. Since it do crypto stuff at client-side, loading the javascript code in the user's browser, as far as i know, even if that code is published somewhere in the…
hwktest
  • 3
  • 1
0
votes
1 answer

why is it necessary to have both code signing and time stamping certificates?

I have read about the option to create certificates for signing codes and time stamping. why do we need both of them? I understand that it helps me when I need to increase the validity of my code, but why not using only one of them with bigger…
adi
  • 101
  • 8
0
votes
1 answer

Dual Code Signing: Should SHA-1 signature have a SHA-1 or SHA-2 timestamp?

I am signing executables for our software both with a SHA-1 and a SHA-256 signature. In addition I timestamp both of these signatures. Here I am wondering: I can timestamp the SHA-1 signature with a SHA-256 timestamp, but does that make sense? I…
Jens
  • 297
  • 2
  • 11
0
votes
2 answers

Will digital signature prevent tempering, or at least harden the cracking, of my Windows applications?

I intend to buy my first digital signature intended for signing EXE files. In particular Certum Standard Code Signing caught my eye. It is SHA-2 based with up to 4096 RSA. Is it worth my money if I need to prevent cracking of the application. Well I…
LinuxSecurityFreak
  • 1,562
  • 2
  • 18
  • 32
0
votes
1 answer

Potential consequences of signing software that's not mine

I want to teach my son to not click unsigned software. Unfortunately there some software that's highly useful (e.g. Search Everything, but it could be any other software) that's not digitally signed. Since I own a code signing certificate, I could…
Thomas Weller
  • 3,246
  • 3
  • 21
  • 39
1 2 3
11
12