Code Signing is applying a digital signature to the code of the software products — firmware, operating systems, mobile applications, etc. — to certify authenticity and data integrity.
Why the need for signed codes?
An attacker can easily inject malware into software and clouds, without you knowing it’s there. And to make things worse, a third of millennials actually think they are ‘too boring’ to get hacked by cyber criminals, according to Kaspersky.
The existence of digital certificates is a blessing; with it, the recipient can easily check if a software patch or update legitimately came from the software developer vendor.
How Does Code Signing Work?
Based on an article by Oracle, code signing has two key concepts that you should fully understand:
- Public-Private Keys, or Asymmetric Encryption–the private key is needed to encrypt (to protect your data from other entities) and the trusted entity needed the public key to decrypt. These keys always exist in pairs. While public keys are made widely available, we should keep the private keys in a very safe place.
- Hashing–Unlike asymmetric encryption, the hash is one-way. The hash function is used for data integrity and password systems. Hashing is a perfect approach in proofing your IT system, since if a data breach happens, all cyber hackers can see are some ‘nonsense’ data — the hash — and not the actual ones.
With the knowledge of the two cryptography methods, we can simplify the code signing process in the following steps:
- Get and secure the hash after data input;
- Generate private and public keys.
Most of the time, the public keys are first handed to a certification authority (CA) for code signing certificate signing requests. Once the CA has confirmed the software developer’s identity and granted the certificate, the software is then ready for use.
After software distribution, the job of the recipient now is to check if the software has these digital signatures upon downloading the software or its updates. Operating systems have these verifier components embedded in them to check digital signatures. For example, Windows comes with a certification store that collates all the Trusted Root CAs.
Signs Your Company is Having Code Signing Problems
Your clients get an installation warning every time they run the product.
A warning pop-up menu just means your software application and executables are being rejected by verifiers (i.e., your operating system). Not being identified as a legitimate software developer vendor is an immense problem. Not only does it present distrust to the user, but they also recognized your software as a threat to the operating system.
The CA Security Council (CASC) does not recognize your CA.
The CASC comprises Certificate Authorities who are committed to maintaining high internet security standards. Each of their members must abide by CA/Browser Forum Baseline Requirements and Network Security guidelines. Make sure you get your code signing certificates from reputable CAs.
Your company products have barely amplified positive market acceptance in a long while.
Before upping customer service, you must gain the consumer’s trust. According to a study from Kristianstad University, initial trust is more difficult to build in the digital age, compared to traditional commerce. Having a code signing certificate is your leverage in building your app reputation.
You don’t know where you keep your code signing certificates.
Code signing certificates are as important as your warranty cards, and even your marriage certificates! It’s easier to get a hold of who will be responsible and accountable when your software encounters problems in the future. Keep them in a safe space in which only your trusted IT personnel can get in.
Things to Consider When Implementing It
Code signing is a great business cyber security practice, but how do you guarantee you’re utilizing its benefits? Here are things you should consider when implementing it:
The private key is a holy grail; keep it hidden.
Treat it as dear as how Mr. Krabs protect his Krabby Patty recipe. If your private key gets into the wrong hands, then consider your business done.
Keep an inventory of new and previous code signing certificates.
Sometimes, it’s just a certification expiry problem. In 2017, the credit reporting agency Equifax dealt with humongous data loss due to an expired digital certificate. The breach in the Equifax network went unnoticed for days — 76 days, to be exact. The lax in their cybersecurity efforts caused them a lot. In fact, Equifax paid up to $425 million to the Federal Trade Commission (FTC) for settlement in 2019.
Ensure minimum access to private keys.
Your company must only give authorization to a few people. Also, you must keep an audit of the who, what, when during the code signing process.
Use strong cryptography.
National Institute of Standards and Technology (NIST), under the Department of Commerce, highly suggests using a well-designed and tested cryptographic library with NIST-approved algorithms to prevent code signing threats.
Before code signing, make sure your application gets scanned for viruses.
Since code signing only verifies the identity of the developer and the software changes, you must ensure its safety and quality first.
Where to Get Code Signing Certificates
IT businesses should recognize code signing as a vital process before the distribution of their software. Users can easily make trust decisions that there are no software vulnerabilities when code signing certificates are present. Code signing certificates can be issued by any CAs, but to make it user-friendly, better to opt for a CA whose root certificate is recognized by different platforms. A CA’s policies and protocols are easily accessible to software developers, so better do your research on what suits your company best.
