Geek Answers Handbook

Code signing: when and why?

If you are looking for code signing on the Internet, you will receive many requests regarding where to go to get a code signed with a digital certificate, but no articles or documentation about when you should sign your code or why it may be necessary, therefore I ask the following questions:

  • What are the cases when a developer or development team wants / should have their code signed?
  • What types of codes can / should be signed? Javascript? Java? C ++? Are there different types of codes for each language / platform?
  • Is the code signed as a source or compiled binary?

Thanks in advance.

+4
source share
3 answers

I believe that theoretically any code in any language can be signed, either as a source, but most often a compiled binary.

The main use case that comes to my mind is mobile applications (Android for this instance). Before publishing, you must sign the code. You must also store the keystore file, so if you make any updates to the application and want to download it, you sign it with the same key. This is due to the fact that Android checks some things when updating the application, the main one being that the code signing is the same for the old and new, which, as long as the keystore file and its password are kept secret enough, proves that it came from the same source. If someone somehow changed the code, the signature verification failed.

In a nutshell, the signature code allows the end user / machine to know where the code came from. And in case of modernization it is difficult / impossible to change the code and upload it to other users.

The apple comes off with a signature code for iOS, and I don’t fully understand all the details, but you need to get certificates (yes more than 1) from Apple and sign up with them. If you want to place the application on a testing device, you will need another certificate to sign and install it on the device, in other words, you should get it in the App Store (subject to Apple approval), where they probably sign it using some private the key is for iOS devices to find out that Apple has approved it.

+2
source

every time you need to make sure that the code belongs to a trusted source and no one modifies it (the signature usually comes with a checksum). this is very common. software libraries, software distribution, software updates. when you need to patent a code, you must sign it and get a reliable timestamp. when you create a bank and get access to it via the Internet, you send your web pages to users via SSL = you encrypt and sign them. and probably many others.

0
source

What are the cases when a developer or development team wants / should have their code signed?

Digital signatures mean different things on different platforms. If you are writing Windows desktop software, the biggest advantage of signing your executable files is to get rid of this nasty "Unknown Publisher" warning that Windows shows users with Windows XP Service Pack 2 (SP2). On other platforms (Some Mobile, Java, Flash, Office VBA Macros, etc.) Requires code to increase access rights.

You can make the Windows program your own verification of your own digital signature to make sure it is valid, which means that the EXE has not changed at all since it was signed. Most use this as another layer of protection against malware and piracy.

Check it out too: http://blog.ksoftware.net/2011/07/what-is-authenticode/

What types of codes can / should be signed? Javascript? Java? C ++? Are there different types of codes for each language / platform?

In theory, you can sign any document digitally, but most of the time when people talk about code signing, they talk about MS Authenticode (attaching digital signatures to any PE format file (EXE, DLL, COM, etc.), or signing executable files for OSX / iOS.

There are different types of signatures on different platforms, but most of them will use the same certificate.

Is the code signed as a source or compiled binary?

Most contexts use a binary file.

0
source

More articles:


All Articles