Collaborate Disseminate
We recently adopted Sigstore to do signing of our binary artifacts using a keyless approach. The framework allows to use the OIDC token provided by the EKS cluster (https://docs.sigstore.dev/certificate_authority/oidc-in-fulcio/#kubernetes… Continue reading Using keyless signing from sigstore cosign
As a follow-up of Code signing with certificate and binary digest, if I were to add metadata to the signature created i.e. be able to label a Preview Release, a release not to be run in production, or a GA release certified for use in pro… Continue reading Adding code signing metadata
I’m working on a code-signing requirement for a project. I’m planning to obtain the Code signing certificate and a private key from external vendors like DigiCert and use it.
Step 1: Building the digest of the binary
openssl dgst -sha256 -… Continue reading Code signing with certificate and binary digest
I am developing a hardware device that utilizes AWS IoT OTA via FreeRTOS. On this AWS web page, it says
We recommend that you purchase a code-signing certificate from a
company with a good reputation for security. Do not use a self-signe… Continue reading Why does AWS strongly recommend a non-self-signed, code-signing certificate?
We distribute a Windows application. The application is code signed with a certificate from a proper/trusted CA. This provides some guarantee that the application came from us (checked by the OS).
We use CryptQueryObject to get the fields … Continue reading Should my executable check that it has been signed with my certificate
How does a timestamp prevent use of a leaked expired certificate to sign a malignant executable?
If it is supposedly fine to share or leak expired certificates then why is it safe to allow use of such certificate to sign code if the signat… Continue reading Why can an expired certificate be used to sign a JAR file?
How does a timestamp prevent use of a leaked expired certificate to sign a malignant executable?
If it is supposedly fine to share or leak expired certificates then why is it safe to allow use of such certificate to sign code if the signat… Continue reading Why can an expired certificate be used to sign a JAR file?
If you have a client-side script (e.g client.py) communicating with a server-side script (e.g server.py). Using SSL certificates the identity of the server is automatically verified.
But how do you verify that the code of server.py isn’t t… Continue reading Validate server-side code using hash?
I have a Windows executable file that has been code signed with a certificate from a Certificate Authority. The CA is listed in the official Microsoft Trusted Root Program list of participants. The level of my cert is Open Source, which is… Continue reading Do code signing certificates build reputation only for Microsoft, and is reputation maintained across releases?
How can an end-user manually/locally update the code signature for an extension?
A Google Chrome extension broke 1 year ago due to Google Chrome’s new code signature. Users received errors like "can’t verify the identity of your web b… Continue reading How can I update an browser extension to use Google’s new code signature?