Play Video
1
The SSL Store™: About Symantec Code Signing Certificate
The SSL Store™: About Symantec Code Signing Certificate
::2013/04/30::
Play Video
2
Code Signing with the DigiCert Certificate Utility for Windows
Code Signing with the DigiCert Certificate Utility for Windows
::2013/05/21::
Play Video
3
Code Signing Certificates
Code Signing Certificates
::2012/08/15::
Play Video
4
Introduction to Symantec Code Signing
Introduction to Symantec Code Signing
::2012/10/17::
Play Video
5
codesigning
codesigning
::2011/09/23::
Play Video
6
Xcode code signing tut xcode 4.5
Xcode code signing tut xcode 4.5
::2012/10/21::
Play Video
7
Xcode Tutorial: Fixing The Code Signing Identity Error
Xcode Tutorial: Fixing The Code Signing Identity Error
::2010/01/26::
Play Video
8
Code Signing Certificate - Prove your software is legitimate
Code Signing Certificate - Prove your software is legitimate
::2013/12/19::
Play Video
9
Symantec Extended Validation (EV) Code Signing
Symantec Extended Validation (EV) Code Signing
::2012/10/17::
Play Video
10
Honor Code Signing
Honor Code Signing
::2012/09/07::
Play Video
11
Up Till 3am...Thanks Apple (´。_。`)XCode Code Signing Error
Up Till 3am...Thanks Apple (´。_。`)XCode Code Signing Error
::2012/03/29::
Play Video
12
2013 Day2P16 LoB: Code Signing (Security Directory)
2013 Day2P16 LoB: Code Signing (Security Directory)
::2014/06/01::
Play Video
13
[Xcode-Tutorial] How to run iOS Apps on an actual device
[Xcode-Tutorial] How to run iOS Apps on an actual device
::2013/01/02::
Play Video
14
O QUE É CODE SIGNING?
O QUE É CODE SIGNING?
::2014/07/28::
Play Video
15
102 Part 9 - How do I setup code signing with BlackBerry WebWorks?
102 Part 9 - How do I setup code signing with BlackBerry WebWorks?
::2014/02/11::
Play Video
16
App Submission L4 - Code Signing
App Submission L4 - Code Signing
::2012/07/14::
Play Video
17
Code Signing Solutions from DigiCert
Code Signing Solutions from DigiCert
::2011/05/19::
Play Video
18
How to disable Code Signing in Xcode 3.2.3
How to disable Code Signing in Xcode 3.2.3
::2010/09/05::
Play Video
19
Honor Code Signing
Honor Code Signing
::2011/09/02::
Play Video
20
Solution Spotlight - Comodo Code Signing Certificates
Solution Spotlight - Comodo Code Signing Certificates
::2009/10/21::
Play Video
21
How do I leverage carrier code signing - Architecture and Analysis
How do I leverage carrier code signing - Architecture and Analysis
::2014/03/31::
Play Video
22
Create Code Signing
Create Code Signing
::2009/05/15::
Play Video
23
John and Carol E. Barrowman Torchwood Exodus Code signing
John and Carol E. Barrowman Torchwood Exodus Code signing
::2012/09/17::
Play Video
24
Code Signing Keys
Code Signing Keys
::2011/12/19::
Play Video
25
Apple Binary Security (Code Signing) hacked
Apple Binary Security (Code Signing) hacked
::2013/10/29::
Play Video
26
HinzeMedia.com Code Signing Certificate - Code & Driver Signing Certificates
HinzeMedia.com Code Signing Certificate - Code & Driver Signing Certificates
::2012/11/14::
Play Video
27
How to bypass code signing for iPhone OS 3.1.2
How to bypass code signing for iPhone OS 3.1.2
::2010/02/17::
Play Video
28
Jake Gyllenhaal promoting Source Code signing autographs in person
Jake Gyllenhaal promoting Source Code signing autographs in person
::2011/04/06::
Play Video
29
John Barrowman Torchwood:Exodus Code Signing 16.9.2012
John Barrowman Torchwood:Exodus Code Signing 16.9.2012
::2013/07/31::
Play Video
30
FCS Camp Honor Code Signing and Skits 2010
FCS Camp Honor Code Signing and Skits 2010
::2010/09/10::
Play Video
31
Get iPAWiND the Best codesigning utility NO Jailbreak!
Get iPAWiND the Best codesigning utility NO Jailbreak!
::2014/05/21::
Play Video
32
Windows Kernel Intel x64 SYSRET Vulnerability + Code Signing Bypass Bonus
Windows Kernel Intel x64 SYSRET Vulnerability + Code Signing Bypass Bonus
::2012/08/25::
Play Video
33
Bypassing Code Signing - My New 2 Apps Release Soon!
Bypassing Code Signing - My New 2 Apps Release Soon!
::2011/01/27::
Play Video
34
Code Signing Certificates
Code Signing Certificates
::2014/08/20::
Play Video
35
Jake Gyllenhaal Michelle Monaghan Duncan Jones promoting SOURCE CODE signing autographs
Jake Gyllenhaal Michelle Monaghan Duncan Jones promoting SOURCE CODE signing autographs
::2011/04/16::
Play Video
36
All About Code Signing Certificate Security
All About Code Signing Certificate Security
::2014/08/22::
Play Video
37
.Jake Gyllenhaal Michelle Monaghan Duncan Jones promoting SOURCE CODE signing autographs
.Jake Gyllenhaal Michelle Monaghan Duncan Jones promoting SOURCE CODE signing autographs
::2011/04/17::
Play Video
38
Weblin 1.5 Codesigning Debs!
Weblin 1.5 Codesigning Debs!
::2012/12/15::
Play Video
39
How do I leverage carrier code signing
How do I leverage carrier code signing
::2010/11/19::
Play Video
40
Fake CodeSigning for Xcode 4.1 for iOS 4.3
Fake CodeSigning for Xcode 4.1 for iOS 4.3
::2011/08/24::
Play Video
41
XCode 4.6 How to Force Code Signing
XCode 4.6 How to Force Code Signing
::2013/02/23::
Play Video
42
Scooter fun at Code signing!
Scooter fun at Code signing!
::2011/05/26::
Play Video
43
Dr. Michael Song - Codesigning Innovative Products
Dr. Michael Song - Codesigning Innovative Products
::2010/07/28::
Play Video
44
how to fake code sign xcode 46
how to fake code sign xcode 46
::2013/05/26::
Play Video
45
Java - jar, jarsigner and keytool - Signing JApplets
Java - jar, jarsigner and keytool - Signing JApplets
::2012/03/12::
Play Video
46
Entrust SSL Certificates & Discovery
Entrust SSL Certificates & Discovery
::2014/06/19::
Play Video
47
HP
HP's Backdoor | TechSNAP 116
::2013/06/27::
Play Video
48
Generate a Transaction Signing and Re-authentication code on your HSBC Online Security Device
Generate a Transaction Signing and Re-authentication code on your HSBC Online Security Device
::2013/03/24::
Play Video
49
Signing JAR File Video Tutorial
Signing JAR File Video Tutorial
::2012/09/25::
Play Video
50
Karl Rove Flees Code Pink, Ditches Own Book-Signing Event in Beverly Hills
Karl Rove Flees Code Pink, Ditches Own Book-Signing Event in Beverly Hills
::2010/03/31::
NEXT >>
RESULTS [51 .. 101]
From Wikipedia, the free encyclopedia
Jump to: navigation, search

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.

Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other meta data about an object.

Providing security[edit]

Many code signing implementations will provide a way to sign the code using a system involving a pair of keys, one public and one private, similar to the process employed by SSL or SSH. For example, in the case of .NET, the developer uses a private key to sign their libraries or executables each time they build. This key will be unique to a developer or group or sometimes per application or object. The developer can either generate this key on their own or obtain one from a trusted certificate authority (CA).

Code signing is particularly valuable in distributed environments, where the source of a given piece of code may not be immediately evident - for example Java applets, ActiveX controls and other active web and browser scripting code. Another important usage is to safely provide updates and patches to existing software. Windows, Mac OS X, and most Linux distributions provide updates using code signing to ensure that it is not possible for others to maliciously distribute code via the patch system. It allows the receiving operating system to verify that the update is legitimate, even if the update was delivered by third parties or physical media (disks).

Code signing is used on Windows and Mac OS X to authenticate software on first run, ensuring that the software has not been maliciously tampered with by a third-party distributor or download site. This form of code signing is not used on Linux because of that platform's decentralized nature, the package manager being the predominant mode of distribution for all forms of software (not just updates and patches), as well as the open source model allowing direct inspection of the source code if desired.

Trusted identification using a certificate authority (CA)[edit]

The public key used to authenticate the code signature should be traceable back to a trusted root authority CA, preferably using a secure public key infrastructure (PKI). This does not ensure that the code itself can be trusted, only that it comes from the stated source (or more explicitly, from a particular private key).[1] A CA provides a root trust level and is able to assign trust to others by proxy. If a user trusts a CA, then the user can presumably trust the legitimacy of code that is signed with a key generated by that CA or one of its proxies. Many operating systems and frameworks contain built-in trust for one or more existing CAs (such as StartCom, VeriSign/Symantec, DigiCert, TC TrustCenter, Comodo, GoDaddy and GlobalSign). It is also commonplace for large organizations to implement a private CA, internal to the organization, which provides the same features as public CAs, but it is only trusted within the organization.

Alternative to CAs[edit]

The other model is where developers can choose to provide their own self-generated key. In this scenario, the user would normally have to obtain the public key in some fashion directly from the developer to verify the object is from them for the first time. Many code signing systems will store the public key inside the signature. Some software frameworks and OSs that check the code's signature before executing will allow you to choose to trust that developer from that point on after the first run. An application developer can provide a similar system by including the public keys with the installer. The key can then be used to ensure that any subsequent objects that need to run, such as upgrades, plugins, or another application, are all verified as coming from that same developer.

Time-Stamping[edit]

Time-stamping was designed to circumvent the trust warning that will appear in the case of an expired certificate. In effect, time-stamping extends the code trust beyond the validity period of a certificate.[2]

In the event that a certificate has to be revoked due to a compromise, time-stamping can provide a specific date and time that the certificate will revert to.

Problems[edit]

Like any security measure, code signing can be defeated. Users can be tricked into running unsigned code, or even into running code that refuses to validate, and the system only remains secure as long as the private key remains private.[3][4]

It is also important to note that code signing does not protect the end user from any malicious activity or unintentional software bugs by the software author - it merely ensures that the software has not been modified by anyone other than the author.

Implementations[edit]

IBM's Lotus Notes has had PKI signing of code from Release 1, and both client and server software have execution control lists to control what levels of access to data, environment and file system are permitted for given users. Individual design elements, including active items such as scripts, actions and agents, are always signed using the editor's ID file, which includes both the editor's and the domain's public keys. Core templates such as the mail template are signed with a dedicated ID held by the Lotus template development team.

Microsoft implements a form of code signing (based on Authenticode) provided for Microsoft tested drivers. Since drivers run in the kernel, they can destabilize the system or open the system to security holes. For this reason, Microsoft tests drivers submitted to its WHQL program. After the driver has passed, Microsoft signs that version of the driver as being safe. On 32-bit systems only, installing drivers that are not validated with Microsoft is possible after accepting to allow the installation in a prompt warning the user that the code is unsigned. For .NET (managed) code, there is an additional mechanism called Strong Name Signing that uses Public/Private keys and SHA-1 hash as opposed to certificates. However, Microsoft discourages reliance on Strong Name Signing as a replacement for Authenticode.[5]

References[edit]

External links[edit]

Wikipedia content is licensed under the GFDL License
Powered by YouTube
LEGAL
  • Mashpedia © 2014