Perform code signing

From OWASP
Jump to: navigation, search


Overview

Purpose:

  • Provide the stakeholder with a way to validate the origin and integrity of the software.

Role:

  • Integrator

Frequency:

  • Once per release build


Obtain code signing credentials

A prerequisite for code signing are credentials that establish your identity to a trusted third party. Most PKI (public key infrastructure) vendors (also known as certification authorities, or CAs), offer Software publishing Certificates (i.e., code signing credentials), including Verisign. Process for obtaining credentials differs, depending on the CA.

Identify signing targets

Signatures are generally performed on a unit that contains all parts of an application, such as a single archive file (JAR, WAR, or CAB). Generally, the unit is an installable package. Any other granularity requires multiple signature checks per application install, which is inconvenient for the end user.

Sign identified targets

Running the code signing tools usually will automatically add a signature to the packaging unit, which can then be distributed directly.

Categories