Category: 

What Is Code Signing?

Article Details
  • Written By: Alex Newth
  • Edited By: Angela B.
  • Last Modified Date: 26 November 2016
  • Copyright Protected:
    2003-2016
    Conjecture Corporation
  • Print this Article
Free Widgets for your Site/Blog
A recent study suggests that former acne sufferers are more likely to retain a youthful appearance as they age.  more...

December 9 ,  1979 :  The eradication of smallpox was certified.  more...

Hackers frequently take software — whether offline or online — rearrange and change the code to make it malicious, and then upload it online so users download the free program and the malicious code it contains. To ensure users do not run into this problem, code signing is used. Code signing is a method by which the original programmer or company that made the program signs the program and, when the program is installed, it is authenticated to ensure the program has had no coding added or changed. This does not require any special software on the user’s side, and the user is able to verify the programmer's identity. While this is intended as a form of security, a hacker who creates a program or finds away around a signing can create artificial and misplaced trust.

Programs are constantly sold both online and offline. When someone buys a program offline from a trusted supplier or retailer, the user has very little reason to worry about hackers injecting malicious code into the program. This is because, unless the software developer intentionally made a dangerous program, there is no way for someone to tamper with the software and make it malicious. When a user downloads a program from the Internet, there is no such guarantee.

Ad

To protect users who buy or download programs online, code signing is implemented. Code signing is separated into two parts: the developer and the end-user. The developer uses a cryptographic hash, a one-way operation that disguises the code of the program, and then combines his or her private key with the hash. This creates a signature that is implanted onto the program.

When the user receives the program, the second portion of the code signing process occurs. The program examines the certificate and a public key that the programmer placed in the program. Using the public key, the program is able to run the same hash on the current programming, and then it checks the original against the current version being installed. If both the installed program and the original sync up, this shows the user that nothing has been altered. This process is done automatically, and the programs needed for this authentication should be pre-installed on the computer’s operating system (OS).

While code signing is a powerful method for ensuring security, it does have flaws. If the user is downloading a program from a hacker, then the authentication will show the original program is intact. This would lead a user to a false sense of security; the program is made to be malicious, so security is not achieved in this sense. Sophisticated hackers also can get around the hash to inject coding, rendering code signing useless.

Ad

You might also Like

Recommended

Discuss this Article

Post your comments

Post Anonymously

Login

username
password
forgot password?

Register

username
password
confirm
email