Contact Us

Cell+91 905 1878 713
Emailinfo@avowlabs.com

Guaranteed Service & Support

read more

Partner Services

Reduce Cost
Technology
Consultancy
Project Rescue

Code Signing

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.

Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other meta data about an object.

Security

Many code signing implementations will provide a way to sign the code using private and public key systems, similar to the process employed by SSL or SSH. For example, in the case of .NET, the developer uses a key to sign their libraries or executables each time they build. This key will be unique to a developer or group or sometimes per application or object. The developer can either generate this key on their own or obtain one from a trusted certificate authority (CA).

It is particularly valuable in distributed environments, where the source of a given piece of code may not be immediately evident - for example Java applets, ActiveX controls and other active web and browser scripting code. Another major usage is to safely provide updates and patches to existing software. Most Linux distributions, as well as both Apple Mac OS X and Microsoft Windows update services use code signing to ensure that it is not possible to maliciously distribute code via the patch system. It allows them to not have to worry about distribution security, such as mirror sites which may not be under the authors' complete control, or any other intermediate piece of the deployment.

Trust Identification using a Certificate Authority (CA)

The public key used for code signing should be traceable back to a trusted root authority, preferably using a secure public key infrastructure (PKI). This does not ensure that the code itself can be trusted, only that it comes from the stated source (or more explicitly, from a particular private key). A certificate authority provides a root trust level which is able to assign trust to others by proxy. If a user is set to trust one of these certificate authorities and receives an executable signed with a key generated by that CA, they can choose to trust the executable by proxy. In many frameworks and operating systems, a number of existing publicly trusted authorities will be pre-installed (such as VeriSign, TC TrustCenter, COMODO, GoDaddy and GlobalSign). When inside a large group of users, such as a large company, it is commonplace to employ a private internal certificate authority suitable for providing the same features of public certificate authority but for deploying signed objects internally.

Our Services

We have partnered with Thawte to offer code signing services, our services are prompt and reliable, we offer code signing services for Visual Studio .NET applications and Java applications only.