Code Signing

Written by Kevin Tavolaro
Bookmark and Share

Code signing is an aspect of electronic document signing, and serves to further authenticate data in the online community. Just as an artist affixes his signature to a painting, or a director's name appears above the credits of a film, code signing asserts the authorship of digital codes. This signature affirms the identity of the code's distributors, and assures users of the code's integrity. Code signing also helps to validate the code has not been altered by a third party.

Prior to the widespread use of the Internet, digital codes were only distributed as tangible software. This software, produced and packaged with all the necessary documentation, could then be purchased by the consumer directly from a trusted vendor or from the producer itself. In this online age, software is often distributed by digital means, such as web servers, email, direct downloads, or data exchange. Because of the faceless nature of Internet transactions, code-signing has become an integral part digital security.

How Code Signing Works

Code signing attaches a digital signature directly to the digital code. This signature contains information about the authorship and content of the code, as well as any restrictions that may apply to it. This information helps to insure that the executable code is the same as it has been since it was created, reducing the threat of a user downloading malicious code, unaware of any threat. The signature confirms the author of the code as well, and validates this information with the public key.

The public key attached to the signed code corresponds to another public key, such as the public key of the author. When a user attempts to download the code, the signature sends an encrypted message to the author's public key, which confirms the integrity of the code once it is decrypted by the private key. Through these measures, users can be assured that the code they are downloading is legitimate.


Bookmark and Share