Code Signing Best Practices
Want to keep your software and code safe?
Enter your contact information below below to receive your FREE Best Practices PDF:
2023 has barely started and we’ve already witnessed several big names data breaches. From T-Mobile’s latest incident that affected 37 million accounts to PayPal’s 35,000 hacked accounts, it really seems that cybercriminals aren’t resting on their laurels this year.
How can you protect yourself and your organization in such a dangerous environment where every action could be potentially harmful? How do you know that the email you’ve just received from your boss is really from him? And how can you prove to your customers that the software they’ve just downloaded from your website is authentic and harmless?
The answer? You can check these things through digital signatures. Discover in this article:
Ready to learn something new? Let’s go!
A digital signature (i.e., a public key signature) is an enhanced and secure digital identifier. It’s part of the electronic signature family (more on that in a moment), but it’s more secure than a digital version of a handwritten signature. That’s because it uses cryptography to confirm the origin, authenticity, and integrity of a digital asset (e.g., a document, an email, or a piece of software) to show that the signer created it.
How? During one of my trips to Japan, I bought a hand-made ceramic tea bowl from a talented craftsman in a small village in the Japanese highlands. I remember turning the bowl over and noticing a mark on its foot ring, followed by what looked like a signature.
When I asked him what it was, he told me it was how Japanese artists were used to authenticating and signing their works. By applying his personal name seal (i.e., hanko) and his handwritten signature somewhere on the item, he was confirming that he really made it (origin and authenticity) and that it hadn’t been modified by somebody else (integrity).
Digital signatures are more complex, but they work more or less the same way. Instead of using a manual seal and a handwritten signature, they rely on:
Once a message or file is digitally signed, the recipient can be sure that:
These three tenants — authentication, integrity, and non-repudiation — are the three vital uses of a digital signature. We’ll further explore these three security elements in our next article (stay tuned for that).
Now, before moving on to find out in detail how a digital signature work, there’s still something we need to point out. A moment ago, we said that a digital signature is a form of electronic signature. But what if I also tell you that all digital signatures are electronic signatures, but not all electronic signatures are digital ones? Confused? Let’s clarify this.
Many people use the terms “digital signature” and “electronic signature” interchangeably. They think that, as digital signatures are a form of electronic signature, there is no difference between the two. Wrong. It would be like calling all birds chickens. We all know that chickens are birds, but not all birds are chickens, right?
Applying this logic to the topic at hand, how does a digital signature differ from an electronic signature? Let’s check out the comparison table below:
|Features||Digital Signature||Electronic Signature|
|Purpose||Proves the authenticity and integrity of a document, just like a notarized signature.||Confirms the intent of signing a document.|
|Identity Validation||Performed by a trusted certificate authority (CA) through the release of a digital certificate.||No identity validation.|
|Level of Security||Highly secure thanks to the use of hashing and encryption.||Vulnerable to tampering and man-in-the-middle attacks. No encryption used.|
|Visual appearance||Looks like a digital fingerprint.||Looks like an electronic copy of a handwritten signature.|
|Uses||Secure documents, codes, emails, and files.||Documents verification.|
In summary, even if there are some overlaps (e.g., they’re both utilized to authenticate a digital document by a signature), a digital signature is used to secure documents and other digital assets like software or emails. On the other hand, the electronic signature is used to sign a digital document like a contract, just as you’d sign it with a pen.
Got it? So, from now onward, no more calling all birds chickens!
As we already know, digital signatures use PKI. A public key and a private key (key pair) are generated through a mathematical process using a public key cryptographic algorithm (e.g., Rivest-Shamir-Adleman – RSA algorithm). The digital signature is created using hashing and encryption cryptographic functions. Of course, you also have the option of adding a timestamp, which provides a verifiable way to show when the document was first signed.
Here’s the important note: The resulting encrypted hash value is your digital signature. The digital signature is then appended to the data. Et voila’ — the data is signed and ready to be verified by the recipient using the certificate’s public key and by generating a hash value to see if it matches the one provided.
Let’s take a closer look at these processes.
Let’s see a practical example of how to create a digital signature. Let’s say you’ve just created a Microsoft Office document and you want to send it to your boss. To make sure the document reaches your boss without any tampering by a malicious party, you decide to digitally sign it. How?
So, what happens when your boss receives the file?
Isn’t this a clever way to create trust and protect your organization, users, and customers from unwanted malware infections and data breaches? If you want to protect your users and/or customers and help them spot fraudulent emails or malicious files and software, then be sure to use digital signatures to assert your verified digital identity.
Want to know more about the relationship between PKI and digital signatures? Check what the Cybersecurity and Infrastructure Agency (CISA) has to say about it!
Now that you know how this whole mumbo-jumbo works, why don’t we have a look at how, and where digital signatures are used?
Anyone using a computer has surely already encountered (and used) digital signatures, often without even knowing it. Let’s explore a few situations where digital signatures protect you from malware and from the bad guys lurking out there.
Have you ever heard of business email compromise (BEC)? It’s a type of scam targeting big and small organizations. Attackers impersonate a CEO or a company executive to trick employees to share sensitive information or transfer huge amounts of money to their accounts.
How do they do that? Often through emails. How popular is it? The latest Expel report shows that in 2022, BEC was their customers’ top threat, representing 50% of the incidents. The FBI’s Internet Crime Complaint Center (IC3) shares that BEC-related complaints had reported losses of nearly $2.4 billion in 2021.
If you want to protect your organization from it, then add a digital signature to your emails and attachments. Your recipients will always be sure that what they receive from you is really coming from you and hasn’t been modified.
How do you do that? You just have to add an email signing certificate to your email client (e.g., Thunderbird or Outlook). Once done, enable the digital signing feature (the process may vary slightly depending on the client used). From now onward, every time you send a digitally signed email, a verification logo will appear on the email, confirming that the email has been signed and sent by you.
Did you know that in January 2023, 94% of the traffic of all Google websites used the hypertext transfer protocol secure (HTTPS) by default? Why? Because it’s much more secure than the insecure HTTP protocol as it also uses a digital signature and it encrypts your website traffic. Our website codesigningstore.com uses HTTPS, too, as you can see from the tiny padlock that displays in your browser’s web address bar.
How does it work? When you open an HTTPS-enabled website, the web server sends a secure socket layer/transport layer security (SSL/TLS) certificate to your browser. The certificate includes information about the website’s domain and the digital signature of the CA that issued the certificate. Once again, your browser verifies the digital signature during the SSL/TLS handshake process to create a secure and encrypted connection.
The advantage? Every single piece of information sent through that connection will be encrypted thus, safe from prying eyes. Want to ensure that when your customers use their credit cards to pay online for your services or products, their card details won’t be stolen by cybercriminals while in transit? Add a digital signature to your website to make the data as secure as possible.
Are you a developer and want to boost your downloads by ensuring that you get rid of the “Unknown publisher” warning message that could scare off your existing and potential customers?
Using a digital signature will help you here, too, and you even have two options to choose from:
Prove Your Software Is Trustworthy
Signing your code shows users that your software and updates can be trusted.
Download our free code signing best practices eBook to learn how to help keep your supply chain secure and your company, customers & end-users safe.
My best friend worked in the account payable department of a big company. I remember an interesting story he told me. One day, one of their customers called him to inquire about an invoice. He had just received a follow-up email from the company my friend was working for regarding a payment that was due the following week.
The second email included a new invoice with the same amount. However, the customer was requested to pay it into a different bank account due to some issues with the old one. As the customer got suspicious — and rightly so — he got in touch with my friend’s department to verify the email’s legitimacy. To keep the story short, it came out that both the second email and its invoice were fraudulent. That customer dodged a bullet and so did my friend’s company. Can you imagine what would have happened if he hadn’t double-checked with the company and just paid the invoice as requested?
A few days after the incident, my friend told me that the organization bought a document signing certificate and started adding a digital signature to all files. No exceptions allowed. This way, customers could always verify the authenticity of the invoices and documents received from the company instead of risking giving their money to scammers.
What we’ve seen so far are just a few examples of how digital signatures are used in the digital world. But there are more, depending on the industry and different needs. Here are a few examples:
And the list could go on and on, but it’s clear now that digital signatures are pretty popular and are quickly becoming a key part of our daily life. This still didn’t win you over? Let me give you some more hints about the benefits digital signatures will bring to you as an organization or as a developer.
We live in a world where paper documents are largely being replaced by electronic files. Digital signatures enable you to show customers and users that your documents or codes are authentic and haven’t been modified by a malicious third party. But what are the other advantages introduced by the usage of digital signatures?
So, now that you know what a digital signature is, how it works, and why it’s important, why don’t you start supercharging the security of your organization? Because until all of your code, emails, and files are digitally signed, nothing and nobody is safe. Not you, your customers, or your organization.
According to a report from Netskope, 44% of all malware downloads originated from the cloud in Q2 2022. In the same period, 92% of organizations surveyed by Cisco were using more than two public cloud providers.
Digital signatures are key to securing the information exchanged over the internet. From data to emails and software, digital signatures can effectively protect you as an individual and your organization from attackers and a lot of hassles.
Are you a developer? Next time you release a new code, don’t forget to add your digital signature to it to help:
Are you a user? Make it a habit to check your emails, software, and the SSL/TLS certificates digital signatures of websites you visit to avoid becoming a victim of scams or malware.
And remember, no matter what you do, digital signatures are an excellent way to ensure the following about your software, scripts, emails, and files:
Want to know more about these three features? This is what we’re going to focus on in our next article. Don’t miss it!