Code signing concept & implementation using installware software
Code Sign In
What is Code Signing?
Code signing is the method of using a certificate-based digital
signature to sign executables and scripts in order to verify the author’s
identity and ensure that the code has not been changed or corrupted since it
was signed by the author. This helps users and other software to determine
whether the software can be trusted.
Purpose of Code Signing
Because
of the potential damage that an executable or script can cause to a computer
system, it is important that users be able to trust code published on the
Internet. Here are two important ways that Code Signing increases trust:
· Authentication. Verifying who the author of the software is.
· Integrity.
Verifying that the software hasn’t been tampered with since it was signed.
·
What is a Code Signing Certificate?
A
code signing certificate allows you to sign code using a private and public key
system similar to the method used by SSL and SSH. A public/private key pair is
generated when the certificate is requested. The private key stays on the
applicant’s machine and is never sent to the certificate provider. The public
key is submitted to the provider with the certificate request and the provider
issues a certificate.
The code signing certificate acts as a digital signature.
The code signing certificate acts as a digital signature.
How does Code Signing Work?
In
order to sign a piece of code, an author goes through the following process:
· Has his identity verified and
receives a code signing certificate
· Generates a one-way hash of the
software and uses the private key to encrypt this hash
· Bundling the hash and certificate
with the executable
· When a user receives the
application, he verifies it by:
o Decrypting the hash using the public
key in the certificate
o Creating a new hash of the
downloaded application
o Comparing the new hash with the hash
that was signed by the certificate
If the two hashes match, the user knows that the application has not been modified since it was signed. Most of these steps are handled by the operating system automatically.
For example, when you run a signed application on Windows, you will see the following dialog:
If you right-click the executable and view the properties of it, the Digital Signatures tab will let you view the details of the certificate:
Implementation:
Implementation:
Code
sign in can be implemented to an executable file using Installware.
To start Code Signing, on the Design tab, in the Tools group, click Code Sign. Use the code sign tool to manually sign code your executable and libraries using Authenticode technology.
- Check to make sure you have already built your setup, and have obtained the necessary code signing certificates from code signing authorities. An Internet connection is required if you wish to time-stamp your signature.
- Fill in the necessary fields for your product, and choose your setup and certificate files.
- Click Sign to code sign your setup.
- Click Test to verify your code signed setup has been signed and is working properly. A testing dialog appears with your authenticity certificate.
- Create the .msi again using the new signed executable file.
Comments
Post a Comment