Code Signing

Why a code signing certificate ?

Customers want to know that the software the use really comes from the publisher who signed it and that it has not been altered or corrupted. That is why you need a Code Signing Certificate. Software that is made available using Internet technologies can be tampered with (without detection) if it is not secured.

When customers download software from the Internet they can not always tell who published the product. Therefore, the likes of Microsoft and Netscape developed tools for code signing. Code signing allows a software publisher to sign their application digitally. On the strength of this signature, a web browser or operating system decides whether or not to trust the software.

When customers download software signed with a Code Signing Certificate, they can be confident that:

• The software really comes from the publisher who signed it.
• The software has not been altered or corrupted since it was signed.

Software publishers benefit from signed code because it enhances their reputation and makes their products harder to falsify. By signing code, software publishers build a relationship of trust with users. Users will gain confidence in downloading signed software from that developer or web site.

Who needs a code signing certificate ?

Any software publisher who distributes code or content over the Internet, or over corporate extranets, needs a Code Signing Certificate to protect against impersonation or tampering. More over, modern web browsers will not use code that has not been properly signed.

TruePersona™ supplies Code Signing Certificates from Thawte™. These certificates can be used for signing Java applets for the Java 2 plugin, Navigator/JVM 1.1.x and Microsoft Authenticode. They can also be used for signing .cab, .exe, and .dll files, and for signing Office 2000 Macro and Internet Explorer Object files.

The code signing certifcates can be used for a specific purpose or for a range of purposes. It is possible to purchase one Code Signing Certificate and to use it for Microsoft AuthentiCode, Microsoft Office 2000/VBA Macro Signing, Netscape Object Signing, and Marimba Channel Signing, and to sign Java 2 applets.

Who certifies the code ?

A software publisher is issued with a certificate after their details have been verified. The certificate authority certifies the software publishers identity and not the quality or intent of the code. If the certifcate authority becomes aware that the software publisher is abusing their code signing certificate, then it will be revoked.

How do users trust your code ?

Microsoft Authenticode

Microsoft applications such as Internet Explorer, Outlook and Outlook Express have a security feature known as Authenticode. These applications often obtain other pieces of software. Components such as ActiveX or Java are frequently downloaded, often without the end user being aware of it.

When a user visits a web page that uses executable files to provide visual or sound effects, code is often downloaded to the end user's machine. In this instance users risk downloading viruses or code from a disreputable publisher.

If a user of a Microsoft application encounters an unsigned component distributed via the Internet, then a number of things will occur.

If the client application's security settings are set to "High," then any unsigned code will not be loaded.

If the client application's security settings are set on "Medium," the application will display a warning.

However, if a client application encounters a signed applet or other code, the client application will display an informative message.

Through Authenticode, the user is informed:

• of the identity of the publisher;
• of the certificate authority authenticating the software publisher.

The user can choose to trust all subsequent downloads of software from the same software publisher. Alternatively the user can also choose to trust all software published by commercial publishers that have been certified by the certificate authority.

The user can also inspect the certificate and verify its validity.

Office and Visual Basic for Applications

Microsoft Word, Excel, PowerPoint and Outlook applications support signing and verifying digital signatures on Visual Basic for Applications code.

If one of these applications encounters an unsigned VBA macro, the following will occur:

• If the application's security settings are set on "High," the client application will not permit the unsigned code to run.
• If the application's security settings are set on "Medium," the client application will display a warning asking the user whether they want to enable or disable this unsigned code.

By contrast, if an application encounters signed Visual Basic for Applications code in a file, the the user is informed:

• of the true identity of the publisher;
• that there is no problem with the certificate

The user is able to view the code signing certificate and can choose to trust all subsequent Visual Basic for Applications code from the same source.

Time Stamping

Code signing certificates are generated from key pairs. These are based on mathematical relationships, which can theoretically be cracked with a very powerful computer and a lot of time and effort. It is therefore, established good practice security that digital certificates should expire.

This potentially presents a problem. Whilst the code signing certifcate is valid for one year, the code it has been used to sign might be in use for many years. To overcome this it is good practice to time stamp the code.

Time stamping your code will alert a user that the code was signed while your certificate was still valid. When you sign your code, it should be possible to have that signature time stamped by an independent party.

VeriSign® run a time stamping server that can be used to time stamp code signed with a Thawte™ certifcate.