You put your software online to make it easy for your customers to get to the latest version anytime, anytime and anywhere – all in good intent. But how do your customers trust the code they are getting from the internet. Do they feel safe installing it on their devices? How do they know it is actually coming from you? What if somebody else is disguising themselves as you and issuing something that is adulterated with some malware?
Code signing will help your customers determine if your company is, indeed, the official source that published the code. It assures them that the software has not been modified by a 3rd party after you had placed your signature on the code.
Code signing overview
In simple terms, code signing is a form of guarantee that the program code or software package that your users just downloaded is free of any corruption or tampering that may have happened after you (the publisher) had signed it. This is just a basic definition – in the later sections, we will look into how it works and why you should be using it.
Let us take an example. When you visit your bank’s website and log in to access your bank details, you want to be 100% sure that you are providing your credentials to the intended entity and not a MITM (Man in the Middle) hacker with malicious intentions. Similarly, to prevent your devices from getting infected by malicious software, you want to ensure all software packages and updates you get from the internet are coming from the authentic sources. You must already be using HTTPS to secure the traffic between your web server and user browser by encrypting the data being exchanged – the same PKI (public key infrastructure) is utilized here. In this case, though, it is known as code signing.
Code signing benefits
Code singing places your digital signature on the programs, software updates or executables you publish, so it becomes possible to verify their integrity and authenticity before the customer installs or executes the delivered code.
Just like a wax seal, the recipient can depend on the signature to guarantee that it is coming from the original author -if the seal is intact, the contents have not been tampered with. Fundamentally, code signing allows your users to establish that the code has not been altered by any bad guys and they can safely install and execute it on their devices.
Code singing internals
Before you can sign your work, you have to generate a pair of public/private keys. Local tools like “openssl” can be used to do this locally. You then provide the public key and your company’s identity information to a reliable CA (Certificate Authority). The CA will verify the authenticity of your company’s identity and issue the certificate to you. This code signing certificate is signed by the CA using its private key and includes your company’s identity and your public key.
When your work is ready, and you want to “sign” it as the author, you first hash all your code. You then encode the hashed output using your private key and the code signing certificate. The result of this process is attached to the software you want to ship.
The CA’s public key is already installed on most browsers and also in the operating systems trust repositories. After downloading the software, the users depend on the CA’s public key to establish the embedded code signing certificate’s authenticity to first check if it is coming from a trusted CA. Then the hashed code is decrypted using the public key extracted from the certificate.
The hash then utilized to sign the code and the hash found on downloaded code should be matched, it affirms that the code was not damaged or tampered with since it was signed. The user is alerted about the authenticity and if the user trusts you, they can safely proceed towards installation and execution.
Code signing advantages
Code signing accomplishes some important things.
- It verifies the identity of the author, which means that a bogus attacker cannot distribute some malware by packaging it as software patch from Apple or Microsoft.
- It verifies that the software has not been degraded, got corrupted or somehow tampered with during the handover. Comparison of the hash generated by the user against the one generated by the author establishes that the code is same as when it was during the original signing.
- If the authors acquired their code signing certificate from a trustworthy CA, then using it to sign their software also extends the CA’s trust to the publisher – which means that even relatively smaller software companies stand to gain reasonable trust in the public.
For effective code signing, make sure you establish a strict code signing process, using as much as automation as possible to avoid human error. Enforce your code signing process across the entire organization and all your developers. Ensure security of your code signing process and do all you can to protect your private key from misuse and theft. That’s it, your users can now trust the code you publish –and install/execute it confidently.