Code signing

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.[1] Code signing was invented in 1995 by Michael Doyle, as part of the Eolas WebWish browser plug-in, which enabled the use of public-key cryptography to sign downloadable Web app program code using a secret key, so the plug-in code interpreter could then use the corresponding public key to authenticate the code before allowing it access to the code interpreter's APIs. [2]

Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other metadata about an object.[3]

The efficacy of code signing as an authentication mechanism for software depends on the security of underpinning signing keys. As with other public key infrastructure (PKI) technologies, the integrity of the system relies on publishers securing their private keys against unauthorized access. Keys stored in software on general-purpose computers are susceptible to compromise. Therefore, it is more secure, and best practice, to store keys in secure, tamper-proof, cryptographic hardware devices known as hardware security modules or HSMs.[4]

  1. ^ "Introduction to Code Signing (Windows)". learn.microsoft.com. August 15, 2017. Archived from the original on February 6, 2024. Retrieved March 13, 2024.
  2. ^ "WebWish: Our Wish is Your Command".
  3. ^ Hendric, William (2015). "A Complete overview of Trusted Certificates - CABForum" (PDF). Archived (PDF) from the original on 2019-04-22. Retrieved 2015-02-26.
  4. ^ "Securing your Private Keys as Best Practice for Code Signing Certificates" (PDF).