Questions tagged [code-signing]

Code signing is the process of putting a signature on executables and patches to prove they are genuine, and to prevent attackers from injecting malicious code into end users' systems.

Code signing comes up frequently in the following areas:

  • OS updates (especially Over-The-Air updates for mobile devices)
  • Firmware updates / secure boot
  • Installing apps from a public app store / downloaded from the internet

but can also come up in other contexts.

166 questions
5
votes
2 answers

Code signing with MD5 on Windows 8

I discovered that a signed installer package that is reported as correctly signed on Windows 7 and earlier, is reported as "corrupt" in IE10 on Windows 8. Further investigation showed that the signature was made with MD5. While it is entirely…
Rasmus Faber
  • 397
  • 2
  • 11
5
votes
2 answers

How can I verify signed commits made by other people?

As identified in this related question, GitHub signs commits made from their application with their GPG key 4AEE18F83AFDEB23. Online, I can see commits tagged as 'verified'. But when I attempt to verify them on my local, I am unable to: $ git log…
Brendan Roy
  • 153
  • 4
5
votes
3 answers

Why is a .jar signature still valid if a file has been added to the jar?

I was reading the man page for the jarsigner tool that ships with the JDK. This line surprised me: A verification is still considered successful if none of the files that were in the JAR file when the signature was generated have been changed since…
T.D. Smith
  • 153
  • 1
  • 6
5
votes
3 answers

Signtool validation fails when signing and validating are done on different machines

I am signing an exe from a machine using a cer file. Then when I validate the EXE using the signtool.exe from the same machine, it succeeds. But when I try to validate it using the same .cer installed on another machine it fails with the following…
5
votes
1 answer

Can open source software be digitally signed?

I've read that installing Linux on UEFI PCs requires additional steps to disable the requirement for digitally signed bootloaders. But I thought that open source software can be digitally signed by using the private key to sign the source code and…
genealogyxie
  • 431
  • 3
  • 13
4
votes
3 answers

Will it improve security if I place both SHA1 and SHA256 signatures inside codesigned binary on Windows?

My application targets platforms starting with Windows 7 32bit. Many of them aren't up to date (i.e. may be missing many recommended updates from Microsoft). Given the constraints I must use SHA1 signature inside my userspace and kernel binaries.…
Kentzo
  • 152
  • 8
4
votes
1 answer

Cross-certification between worlds like X.509 and PGP?

Sometimes it can be advantageous to use existing trust relationships in one certification world - X.509 or PGP - to create trust in the other world. At the lowest level I can always take an X.509 cert - say, a self-signed SSL or code signing…
DarthGizka
  • 371
  • 3
  • 9
4
votes
2 answers

What to do if you ever lose a smart card?

I want to use an OpenPGP smart card for signing releases, but I'm not sure what to do if I ever lose the card or it breaks. My idea is to generate the key using GnuPG on an isolated computer, encrypt it and backup that file. Then transfer the key…
Steven R.
  • 417
  • 1
  • 3
  • 7
4
votes
1 answer

Does Authenticode still work offline and with a "fake" certificate?

Here's our story: We're developing some software (written in C#/.NET) and we're already signing the assemblies with strong names, I do this in Visual Studio with a pfx file that is protected by a password. As an added security step I would like to…
Davio
  • 143
  • 1
  • 4
4
votes
2 answers

Why should I go to SHA512withRSA signature for my Android apps?

I have an Android 11 device and many of my apps and system apps use MD5withRSA or SHA1withRSA as signature algorithm by default. Why should I take my apps SHA256withRSA or SHA512withRSA? Are there any advantages, if so what are they? Are there also…
4
votes
1 answer

How to validate client side safety in a Zero Knowledge model

What is sometimes called Zero Knowledge, sometimes end to end encryption, occurs when a server only processes ciphered data (at least for sensitive data) with a result where a compromise of this server does not threaten the confidentiality of the…
Sibwara
  • 1,316
  • 7
  • 19
4
votes
1 answer

Certificate and key abuse

I made a mistake several years ago by uploading an OpenSSL certificate key (.pem and .pk8) into a blog post. The key was used to sign an Android APK using the SignApk.jar tool. Someone took it and used the key to sign malware apps and the bad story was I put…
4
votes
1 answer

Strategies for signing sections of a text file to prevent tampering

I'm looking for suggestions from the community on the best way to approach this problem of securing a text file while still making it fairly shareable: I have a collection of Chef recipes in git, defining labs e.g. a Jenkins CI setup, which people…
velniukas
  • 43
  • 4
4
votes
1 answer

Server side code signing

I'm currently implementing a couple of security improvements to a cryptocurrency trading website that handles all data client-side and uses a static file approach. One of the things I've been asked to do was to add a mechanism to allow users to…
J. Doe
  • 41
  • 2
4
votes
2 answers

Can an Android application be repacked with original developer's signature?

I am researching Android application repackaging. I know the original developer self-signs the APK. Is it possible for a hacker to fake the signature and make it appear as the original signature when repackaging?
Live Seven
  • 41
  • 1
  • 2