Why Time Stamps for Code Signing Certificates Matter

Why timestamping matters

If you sign your software with a code signing certificate but do not timestamp the signature, the signature remains valid only until the certificate expires. In other words, the signature is valid as long as the data has not been tampered with, no certificate in the chain has been revoked, the root certificate is trusted, and the signing certificate is within its validity period. Once the certificate expires, is revoked or otherwise becomes invalid, the signature is treated as invalid and a trust warning is displayed.

To eliminate such issues, timestamping is used. Timestamping a code signature records when the software file was signed. It is much like signing a document in the presence of a notary: the timestamp authority acts as the notary witness, attesting to the identity of the signatory as well as the signing time.
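To make the two rules above concrete, here is an added Python example (not code from the original article or from any vendor) that models a publisher signing a file, a timestamp authority (TSA) countersigning that signature, and a verifier applying the checks listed above. An HMAC with a shared secret stands in for the certificate's real public-key signature, and every certificate, key, file and date is constructed for the demonstration. The point it shows is the difference in *when* the signer certificate's validity is judged: at verification time when there is no timestamp, and at the TSA-attested signing time when there is one.

```python
# Added example, not from the original article: a toy model of signing, timestamping and
# verifying, to show why a timestamp keeps a signature valid after the certificate expires.
# HMAC stands in for the real public-key signature; all certs, keys and dates are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    secret: bytes                          # stand-in for the key pair (constructed)
    revoked_at: Optional[datetime] = None  # set when the CA revokes the certificate

    def valid_at(self, when: datetime) -> bool:
        """Within the validity period and not yet revoked at instant `when`."""
        if not (self.not_before <= when <= self.not_after):
            return False
        return self.revoked_at is None or when < self.revoked_at


@dataclass
class Timestamp:
    signature_hash: bytes  # hash of the code signature the TSA countersigned
    time: datetime         # signing time asserted by the TSA
    tsa_cert: Certificate
    token_sig: bytes       # TSA signature over (signature_hash || time)


@dataclass
class SignedArtifact:
    data: bytes
    signer_cert: Certificate
    signature: bytes
    timestamp: Optional[Timestamp] = None


def _sign(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def _check(secret: bytes, payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign(secret, payload), sig)


def sign_code(data: bytes, cert: Certificate) -> SignedArtifact:
    """Publisher signs the hash of the software with its code signing key."""
    return SignedArtifact(data, cert, _sign(cert.secret, hashlib.sha256(data).digest()))


def timestamp_signature(art: SignedArtifact, tsa: Certificate, now: datetime) -> SignedArtifact:
    """The TSA acts as the notary: it sees only the hash of the signature, never the code,
    and countersigns that hash together with the current time."""
    sig_hash = hashlib.sha256(art.signature).digest()
    token = sig_hash + now.isoformat().encode()
    art.timestamp = Timestamp(sig_hash, now, tsa, _sign(tsa.secret, token))
    return art


def verify(art: SignedArtifact, now: datetime) -> tuple:
    """Return (ok, reason). Data must be untampered and the signer certificate valid and
    unrevoked, judged at `now` without a timestamp, or at the attested signing time with one."""
    if not _check(art.signer_cert.secret, hashlib.sha256(art.data).digest(), art.signature):
        return False, "data or signature tampered with"
    ts = art.timestamp
    if ts is None:
        if not art.signer_cert.valid_at(now):
            return False, "signer certificate expired or revoked, and no timestamp to fall back on"
        return True, "valid until the signer certificate expires"
    if hashlib.sha256(art.signature).digest() != ts.signature_hash:
        return False, "timestamp covers a different signature"
    if not _check(ts.tsa_cert.secret, ts.signature_hash + ts.time.isoformat().encode(), ts.token_sig):
        return False, "timestamp token forged"
    if not ts.tsa_cert.valid_at(ts.time):  # a real verifier also chains the TSA cert to a trusted root
        return False, "TSA certificate not valid at the asserted time"
    if not art.signer_cert.valid_at(ts.time):  # validity is judged at signing time, not at `now`
        return False, "signer certificate was not valid when the code was signed"
    return True, "valid: signer certificate was valid at the timestamped signing time"


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed scenario: a one-year publisher certificate and a long-lived TSA certificate.
PUBLISHER = Certificate("Example Publisher", utc(2023, 1, 1), utc(2024, 1, 1), b"publisher-key")
TSA = Certificate("Example TSA", utc(2020, 1, 1), utc(2030, 1, 1), b"tsa-key")
INSTALLER = b"installer.exe contents (constructed)"


def demo() -> dict:
    """Sign in June 2023, then verify in June 2024, after the publisher certificate expired."""
    signed_at, checked_at = utc(2023, 6, 1), utc(2024, 6, 1)
    plain = sign_code(INSTALLER, PUBLISHER)
    stamped = timestamp_signature(sign_code(INSTALLER, PUBLISHER), TSA, signed_at)
    return {"no_timestamp_before_expiry": verify(plain, signed_at)[0],
            "no_timestamp_after_expiry": verify(plain, checked_at)[0],
            "timestamped_after_expiry": verify(stamped, checked_at)[0]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `True`, `False`, `True`: the untimestamped signature stops verifying the moment the certificate expires, while the timestamped one keeps verifying because the verifier asks whether the certificate was valid at the attested signing time. The same rule is what makes revocation dates matter: in this model a certificate revoked *before* the timestamped signing time invalidates the signature, while one revoked afterwards does not, which is why a verifier must treat the TSA's clock, not the publisher's, as the authoritative signing time.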

The Problem With Code Signing Private Key Sprawl

Code Signing Private Keys Are Everywhere

People hide keys under their welcome mats, under the potted plant next to the front door, above the door jamb, or maybe under that fake-looking rock next to the front walk. But why would they hide their front door key in such obvious places? If I were a burglar, these are the first places that I would check (well, I would first check to see if the front door was even locked).

But some people are smarter than this. Instead of putting the spare key in an obvious hiding place, they make a few copies and hand them out to the dog sitter, the next-door neighbor, their boyfriend/girlfriend, or the handyman fixing the washing machine. Before they know it, they’ve lost track of who they have given keys to and their house is vulnerable once again.

Code Signing Credentials Are Machine Identities and Need to Be Protected

The world is experiencing a digital transformation that is eclipsing all previous technological advancements. As more IT workloads move to the cloud, and as more IT services are containerized, they all need to be authenticated using cryptographic keys and digital certificates, or machine identities. Given the pace and scale of this new world of machines, protecting those machine identities is becoming increasingly critical to security. Although these changes affect every business, many organizations use outdated methods to protect the exponentially rising number of machine identities they now require. Those approaches simply can’t keep up.

How does this impact the security of code? There are many types of machine identities — TLS, SSH, mobile and more — that are used on many types of machines. When you look at it in this light, code is the ultimate "machine" that requires an authorized identity so that we can trust it. That is precisely why machine identities are so critical to the code signing process.