A method of ensuring that an executable program has come from a valid software publisher and has not been altered by anyone in between. Also known as "object signing," an EXE, CAB, driver or other executable file is digitally signed and transmitted along with a digital certificate from a certification authority (CA) such as VeriSign (www.verisign.com) or Thawte (www.thawte.com).
Verifying the Signed Certificate
After the code-signed executable is downloaded from a Web site, its certificate is extracted by the user's browser. From an internal list of certificate authorities (CAs) and their public keys, the browser uses the appropriate public key to verify the signature in the certificate. Once verified, it means that the software publisher is who it claims to be, and the public key in the certificate belongs to that publisher.
Verifying the Signed Executable
Next, the publisher's public key is used to verify the signature created from the executable's binary content. The public key decrypts the signature back into the digest, which is compared to the newly computed digest at the client side. If they match, the executable is verified to have come from the publisher without being tampered with. For more on certificate verification, see digital certificate and digital signature.
Object and Code Signing
Although both terms are used interchangeably, object signing refers to any files delivered in this manner, while code signing refers specifically to executables, which is the major concern these days when downloading so many active elements from the Internet. Authenticode is Microsoft's code signing system, and Object Signing is Netscape's system.
The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.
Verifying the Signed Certificate
After the code-signed executable is downloaded from a Web site, its certificate is extracted by the user's browser. From an internal list of certificate authorities (CAs) and their public keys, the browser uses the appropriate public key to verify the signature in the certificate. Once verified, it means that the software publisher is who it claims to be, and the public key in the certificate belongs to that publisher.
Verifying the Signed Executable
Next, the publisher's public key is used to verify the signature created from the executable's binary content. The public key decrypts the signature back into the digest, which is compared to the newly computed digest at the client side. If they match, the executable is verified to have come from the publisher without being tampered with. For more on certificate verification, see digital certificate and digital signature.
Object and Code Signing
Although both terms are used interchangeably, object signing refers to any files delivered in this manner, while code signing refers specifically to executables, which is the major concern these days when downloading so many active elements from the Internet. Authenticode is Microsoft's code signing system, and Object Signing is Netscape's system.
The Code Signing Process
The combination of the signed digital certificate and the signed executable file ensures that the executable has come from a valid publisher and has not been tampered with.
 | Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2009 The Computer Language Company Inc. All rights reserved. |
Additional Resources
- What the DoD now says about open source
- I could just see a commander in the field ....having to wait for procurement to get a simple map through bids while his troops are getting shot up even though it is publicly available (oh wait, isn't that how the Chinese embassy got accidentally bombed?)Always use the best tool for...
- Discussion threads 2009-10-28
- DROID aims to make Apple iAnnoyed
- As Wuher the scowling bartender said in Star Wars, AT&T Wireless and Apple doesn't "serve their kind in here", but the DROIDs are coming, like it or not. Verizon recently launched its DROID Does web and TV campaign which is a preview of...
- Blog posts 2009-10-18
- Crypto Obfuscator For .NET 2009 (Windows)
- Crypto Obfuscator For .Net provides advanced code protection, obfuscation and optimization for your .Net assemblies. Crypto Obfuscator combines powerful obfuscation, encryption and optimization techniques to provide the very best protection and performance to your .Net code against reverse-engineering. Additionally its metadata reduction, assembly & resource compression and dependency embedding functionality...
- Software downloads 2009-09-10
- VintaSoftTwain ActiveX Control 5.1 (Windows)
- VintaSoftTwain ActiveX Control will help you to control scanners, digital or web cameras, or any other TWAIN devices. You can fully control the image acquisition process, use the automatic document feeder, clean up images using noise removal, auto border crop, blank page detection, save acquired images to disk, SQL server,...
- Software downloads 2009-09-04
- Search engine lets you earn 'swag' on behalf of reforestation program
- I am sure you have heard about or maybe even used some of the Web search engine sites that will donate something somewhere if you use their lesser-known technology instead of uber-search engines like Google, Yahoo or Bing. One example is GoodSearch, which will give money to your specified registered...
- Blog posts 2009-08-30
- Open source file-system vendor signs patent deal with Microsoft
- All these patent deals that linux vendors are signing with Microsoft, there must be something that Microsoft has going for it. Poor TomTom, wasn't smart enough to do this and keep themselves out of trouble.RE: Open source file-system vendor signs patent deal with MicrosoftAnother one bites the dust! ...
- Discussion threads 2009-08-26
- Microsoft to start charging small businesses for domain-name renewals
- I would immediately transfer...all domains to godaddy. However, MS is charging a fair price. RE: Microsoft to start charging small businesses for domain-name renewalsDomain renewal charges probably are due to last quarter's financial results.--rjStill a Good DealIt's too bad that Microsoft has started charging for the service. I agree,...
- Discussion threads 2009-08-07
- China's Green Dam and the cyberwar implications
- Guest editorial by Oliver Day Chinese military leaders have always been aware of the military advantage the US has over the People's Liberation Army. Reading through their published assessments of Sino-US war possibilities confirm our belief that we would dominate them in the...
- Blog posts 2009-07-23
- The future of mobile malware - digitally signed by Symbian?
- Earlier this month, a mobile malware known as Transmitter.C, Sexy View, Sexy Space or SYMBOS_YXES.B, slipped through Symbian's mobile code signing procedure, allowing it to act as a legitimate application with access to device critical functions such as access to the mobile network, and numerous other functions of the handset....
- Blog posts 2009-07-23
- Will the 'real' Windows 7 testers please stand up?
- Will the 'real' Windows 7 testers please stand up?Can you tell me how long I'll have to wait for the pudding? :-) I agree with you on waiting for the finial version to arrive. I tried both the 32 & 64 bit RC versions on a 3 yr AMD...
- Discussion threads 2009-07-22
- Another company signs Linux patent-protection deal with Microsoft
- Another company signs Linux patent-protection deal with MicrosoftIt's only news if ....... Google signs one.^o^RE: Another company signs Linux patent-protection deal with MicrosoftWe can conclude from this that linux does in fact violate Microsoft's patents. Its no suprise since linux is known for stealing and copying others work. In...
- Discussion threads 2009-07-16
- Snake oil at its slickest: A social media spam story
- I'll tell you a little secret: I love spam. No, not that icky meat-like stuff in a can. The email kind. I'm not silly enough to click on most of it but I love reading the headlines and intros. The ridiculousness of it all makes me laugh most of the...
- Blog posts 2009-07-09
- Firefox 3.5 RC1 delayed a bit again
- Turns out that Firefox 3.5 RC1 will be delayed again to iron out the remaining bugs. During the team's weekly meeting, one development leader said there are 10 final blockers but no big new ones cropping up so it should be a relatively short delay. ...
- Blog posts 2009-06-02
- Microsoft exec outlines Windows 7 security [video]
- Mobile-device security, two factor log-ins, and AppLocker, a code-signing feature for applications, are just a few of the security advancements Microsoft is rolling out with its Windows 7 operating system. Scott Charney, corporate vice president of Microsoft's Trustworthy Computing division, explains at the RSA Conference in San Francisco how it...
- Blog posts 2009-04-22
- Microsoft exec outlines Windows 7 security
- Mobile-device security, two factor log-ins, and AppLocker, a code-signing feature for applications, are just a few of the security advancements Microsoft is rolling out with its Windows 7 operating system. Scott Charney, corporate vice president of Microsoft's Trustworthy Computing division, explains at the RSA Conference in San Francisco how it...
- Videos 2009-04-21
- Ariba, DocuSign partner to offer e-signatures on business docs
- For the past five months, I've been trying to sell a house in the Washington DC area. Sure, there are so many other things I could say about that in a blog post - but that's for a different blog and a different time. In that time,...
- Blog posts 2009-04-02
- The Essentials Series: Code-Signing Certificates
- Code Signing certificates can make your enterprise more secure, make your software more accepted, and even stop malware in its tracks. Learn about the many ways in which code-signing certificates are being used.
- White papers 2009-04-02
- VeriSign Code Signing Digital Certificates for Adobe AIR
- Learn how to digitally sign your applications on AdobeR AIRTM with a VeriSignR Code Signing Digital Certificate, which verifies the authenticity of the publisher and the integrity of the product.
- White papers 2009-04-02
- How to Digitally Sign Downloadable Code for Secure Content Transfer
- Learn how VeriSign Code Signing Certificates allow you to digitally sign your content for unprecedented secure delivery over the Internet and safely transport it from your site.
- White papers 2009-04-02
- Is end of the golden age of Netbooks already near?
- Is end of the golden age of Netbooks already near?Much ado about nothingSimply early market growing pains - no big deal. Other CPU vendors will enter the market, the ideal form factors will flush out and the universe will go on. The consumers' willingness to pay will determine whether the...
- Discussion threads 2009-03-23
Neighboring Terms
Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors
- New Online Dashboard for IT Leaders
-
Read about top issues IT decision-makers face every day, plus get cost-effective solutions to real-life IT problems.
- Learn more >>
- Reduce risk. Reduce complexity. Increase reliability.
-
A simplified IT environment isn't just less complex. It's also more reliable. Standardize on a single Linux platform with SUSE Linux Enterprise from Novell, and get the world's most interoperable Linux
- Learn more >>
- Save time with automated shipping solutions
-
The Business Essentials Guide provides you useful tools and templates to help grow your business and save you time with automated shipping solutions.
- Visit the UPS Business Essentials Guide
- Microsoft Dynamics CRM Online - Free Six-Month Trial for Eligible Organizations
-
Microsoft Dynamics CRM Online provides fast online access, simple contact management and better sales performance for a low monthly cost - the best value on the market today.
- Learn more about the free, six-month trial offer>>
SmartPlanet
- Thought-provoking progressive ideas on diverse topics that intersect with technology, business, and life, and matter to the world at large. Visit SmartPlanet
- More from IBM
-
- Can your business work smarter? Learn more about Lotus Symphony
- Learn how to work smarter and optimize cost using the IBM Smart SOA approach Download the eBook
- Smarter ways to make smarter products Read the brief from IBM
