Code signing certificate

Code signing is the process of digitally signing executables and scripts to confirm the software author and to guarantee, by use of a cryptographic hash, that the code has not been altered or corrupted since it was signed.

Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other metadata about an object.

Providing security

Many code signing implementations will provide a way to sign the code using a system involving a pair of keys, one public and one private, similar to the process employed by SSL or SSH. For example, in the case of .NET, the developer uses a private key to sign their libraries or executables each time they build. This key will be unique to a developer or group or sometimes per application or object. The developer can either generate this key on their own or obtain one from a trusted certificate authority (CA).

Code signing is particularly valuable in distributed environments, where the source of a given piece of code may not be immediately evident – for example Java applets, ActiveX controls and other active web and browser scripting code. Another important usage is to safely provide updates and patches to existing software. Windows, Mac OS X, and most Linux distributions provide updates using code signing to ensure that it is not possible for others to maliciously distribute code via the patch system. It allows the receiving operating system to verify that the update is legitimate, even if the update was delivered by third parties or physical media (disks).

Code signing is used on Windows and Mac OS X to authenticate software on first run, ensuring that the software has not been maliciously tampered with by a third-party distributor or download site. This form of code signing is not used on Linux because of that platform’s decentralized nature, the package manager being the predominant mode of distribution for all forms of software (not just updates and patches), as well as the open source model allowing direct inspection of the source code if desired.

Trusted identification using a certificate authority (CA)

The public key used to authenticate the code signature should be traceable back to a trusted root CA, preferably using a secure public key infrastructure (PKI). This does not ensure that the code itself can be trusted, only that it comes from the stated source (or more explicitly, from a particular private key). A CA provides a root trust level and is able to assign trust to others by proxy. If a user trusts a CA, then the user can presumably trust the legitimacy of code that is signed with a key generated by that CA or one of its proxies. Many operating systems and frameworks contain built-in trust for one or more existing CAs (such as StartCom, VeriSign/Symantec, DigiCert, TC TrustCenter, Comodo, GoDaddy and GlobalSign). It is also commonplace for large organizations to implement a private CA, internal to the organization, which provides the same features as public CAs but is trusted only within the organization.

Alternative to CAs

In the other model, developers provide their own self-generated key. In this scenario, the user would normally have to obtain the public key in some fashion directly from the developer in order to verify, the first time, that the object is from them. Many code signing systems will store the public key inside the signature. Some software frameworks and operating systems that check the code’s signature before executing will allow you to choose to trust that developer from that point on after the first run. An application developer can provide a similar system by including the public keys with the installer. The key can then be used to ensure that any subsequent objects that need to run, such as upgrades, plugins, or another application, are all verified as coming from that same developer.
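The self-generated key model described above, as an added example that is not part of the original page or of any particular code signing product. It assumes the third-party Python `cryptography` package and uses Ed25519; `sign_object`, `PinStore` and the publisher name are hypothetical, and the payloads are constructed.

```python
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def sign_object(private_key, payload):
    """Developer side: the signature carries the raw public key with it."""
    pub = private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return {"public_key": pub, "signature": private_key.sign(payload)}


class PinStore:
    """User side: remembers the key fingerprint each publisher first used."""

    def __init__(self):
        self.pins = {}  # publisher name -> SHA-256 fingerprint of public key

    def verify(self, publisher, payload, sig):
        pub_bytes = sig["public_key"]
        try:
            Ed25519PublicKey.from_public_bytes(pub_bytes).verify(
                sig["signature"], payload)
        except (InvalidSignature, ValueError):
            return "rejected: bad signature"
        fingerprint = hashlib.sha256(pub_bytes).hexdigest()
        pinned = self.pins.get(publisher)
        if pinned is None:
            # First run: the user should confirm this fingerprint with the
            # developer through a separate channel before accepting it.
            self.pins[publisher] = fingerprint
            return "trusted on first use"
        if pinned != fingerprint:
            return "rejected: key differs from pinned key"
        return "ok"


def demo():
    dev_key = Ed25519PrivateKey.generate()
    other_key = Ed25519PrivateKey.generate()
    store = PinStore()
    installer, update = b"installer v1.0", b"update v1.1"  # constructed
    return [
        store.verify("ExampleDev", installer, sign_object(dev_key, installer)),
        store.verify("ExampleDev", update, sign_object(dev_key, update)),
        # Delivered bytes differ from the bytes that were signed.
        store.verify("ExampleDev", update + b"!", sign_object(dev_key, update)),
        # Correctly signed, but by a key the user never pinned.
        store.verify("ExampleDev", update, sign_object(other_key, update)),
    ]
```

The last case is the one an embedded public key alone cannot catch: the signature verifies, and only the pinned fingerprint shows that it came from a different key.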

Time-Stamping

Time-stamping was designed to circumvent the trust warning that will appear in the case of an expired certificate. In effect, time-stamping extends the code trust beyond the validity period of a certificate.

In the event that a certificate has to be revoked due to a compromise, time-stamping can provide a specific date and time that the certificate will revert to.
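A simplified model of how a verifier can apply the two time-stamping rules above, as an added example that is not part of the original page and not any platform's actual policy. `SigningCert` and `evaluate` are hypothetical names, the dates are constructed, and the signature and time-stamp are assumed to have already passed their cryptographic checks.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class SigningCert:  # hypothetical model of a code signing certificate
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation date, if revoked


def evaluate(cert, now, timestamp=None):
    """Judge a signature whose cryptographic check has already passed.

    timestamp: signing time attested by a trusted time-stamping authority,
    or None when the signature carries no time-stamp.
    """
    if timestamp is None:
        # No time-stamp: the verifier's own clock is the only reference.
        if cert.revoked_at is not None:
            return "reject: certificate revoked"
        if not cert.not_before <= now <= cert.not_after:
            return "reject: certificate expired or not yet valid"
        return "accept"
    if timestamp > now:
        return "reject: time-stamp is in the future"
    # Time-stamped: the certificate is judged as of the signing time.
    if not cert.not_before <= timestamp <= cert.not_after:
        return "reject: signed outside certificate validity"
    if cert.revoked_at is not None and timestamp >= cert.revoked_at:
        return "reject: signed after revocation date"
    return "accept"


def demo():
    # Constructed dates: certificate valid 2016-2018, checked in mid-2020.
    cert = SigningCert(utc(2016, 1, 1), utc(2018, 1, 1))
    revoked = SigningCert(utc(2016, 1, 1), utc(2018, 1, 1), utc(2017, 6, 1))
    now = utc(2020, 6, 1)
    return [
        evaluate(cert, now),                       # expired, no time-stamp
        evaluate(cert, now, utc(2017, 3, 1)),      # signed while valid
        evaluate(cert, now, utc(2019, 3, 1)),      # signed after expiry
        evaluate(revoked, now, utc(2017, 3, 1)),   # signed before revocation
        evaluate(revoked, now, utc(2017, 9, 1)),   # signed after revocation
    ]
```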

Problems

Like any security measure, code signing can be defeated. Users can be tricked into running unsigned code, or even into running code that refuses to validate, and the system only remains secure as long as the private key remains private.

It is also important to note that code signing does not protect the end user from any malicious activity or unintentional software bugs by the software author – it merely ensures that the software has not been modified by anyone other than the author.

EFTlab’s code signing certificate 2016

Bag Attributes
localKeyID: 01 00 00 00
subject=/C=AU/ST=Queensland/L=Brisbane/O=EFTlab Pty Ltd/CN=EFTlab Pty Ltd
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Code Signing 2010 CA

EFTlab’s code signing certificate 2018


EFTlab’s code signing certificate 2021


Plain CRT file (2016) is available for download from here.

Plain CRT file (2018) is available for download from here.

Plain CRT file (2021) is available for download from here.

Text source: Wikipedia