Code signing concept & implementation using installware software

Code Sign In

What is Code Signing?
Code signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted since it was signed by the author. This helps users and other software to determine whether the software can be trusted.

Purpose of Code Signing
Because of the potential damage that an executable or script can cause to a computer system, it is important that users be able to trust code published on the Internet. Here are two important ways that Code Signing increases trust:
·       Authentication. Verifying who the author of the software is.
·       Integrity. Verifying that the software hasn’t been tampered with since it was signed.
·        
What is a Code Signing Certificate?
A code signing certificate allows you to sign code using a private and public key system similar to the method used by SSL and SSH. A public/private key pair is generated when the certificate is requested. The private key stays on the applicant’s machine and is never sent to the certificate provider. The public key is submitted to the provider with the certificate request and the provider issues a certificate.
The code signing certificate acts as a digital signature. 

How does Code Signing Work?
In order to sign a piece of code, an author goes through the following process:
·       Applies for a code signing certificate from a code signing certificate authority
·       Has his identity verified and receives a code signing certificate
·       Generates a one-way hash of the software and uses the private key to encrypt this hash
·       Bundling the hash and certificate with the executable
·       When a user receives the application, he verifies it by:
o   Decrypting the hash using the public key in the certificate
o   Creating a new hash of the downloaded application
o   Comparing the new hash with the hash that was signed by the certificate



If the two hashes match, the user knows that the application has not been modified since it was signed. Most of these steps are handled by the operating system automatically.


For example, when you run a signed application on Windows, you will see the following dialog:
If you right-click the executable and view the properties of it, the Digital Signatures tab will let you view the details of the certificate:

Implementation:
Code sign in can be implemented to an executable file using Installware.


To start Code Signing, on the Design tab, in the Tools group, click Code Sign. Use the code sign tool to manually sign code your executable and libraries using Authenticode technology.

  1. Check to make sure you have already built your setup, and have obtained the necessary code signing certificates from code signing authorities. An Internet connection is required if you wish to time-stamp your signature.
  2. Fill in the necessary fields for your product, and choose your setup and certificate files.
  3. Click Sign to code sign your setup.
  4. Click Test to verify your code signed setup has been signed and is working properly. A testing dialog appears with your authenticity certificate.
  5. Create the .msi again using the new signed executable file.

Comments

Popular posts from this blog

Interaction with UI from windows service

.Net Basic terminology

Basics of .Net