Collaborate Disseminate
How does a timestamp prevent use of a leaked expired certificate to sign a malignant executable?
If it is supposedly fine to share or leak expired certificates then why is it safe to allow use of such certificate to sign code if the signat… Continue reading Why can an expired certificate be used to sign a JAR file?
How does a timestamp prevent use of a leaked expired certificate to sign a malignant executable?
If it is supposedly fine to share or leak expired certificates then why is it safe to allow use of such certificate to sign code if the signat… Continue reading Why can an expired certificate be used to sign a JAR file?
If you have a client-side script (e.g client.py) communicating with a server-side script (e.g server.py). Using SSL certificates the identity of the server is automatically verified.
But how do you verify that the code of server.py isn’t t… Continue reading Validate server-side code using hash?
I have a Windows executable file that has been code signed with a certificate from a Certificate Authority. The CA is listed in the official Microsoft Trusted Root Program list of participants. The level of my cert is Open Source, which is… Continue reading Do code signing certificates build reputation only for Microsoft, and is reputation maintained across releases?
How can an end-user manually/locally update the code signature for an extension?
A Google Chrome extension broke 1 year ago due to Google Chrome’s new code signature. Users received errors like "can’t verify the identity of your web b… Continue reading How can I update an browser extension to use Google’s new code signature?
In this security tutorial:
https://youtu.be/dykc9YC9Z6U?t=257
the author claims that "sihost is a network component of the malware…" (at 4:23). Yet, prior to his claim, at 3:09 he shows that that particular sihost is signed as … Continue reading Can malware module be signed as Microsoft Corporation module?
If I have a Java thin client app that connects to a server, and I want to protect my client from a malicious use, so I want to implement a sort of signature.
Now the struggle is, if I want to sign the client files, I need to have the keys … Continue reading How to provide signature for a thin client app?
The cybercriminals who breached Taiwanese multinational MSI last month have apparently leaked the company’s private code signing keys on their dark web site. The breach MSI (Micro-Star International) is a corporation that develops and sells compu… Continue reading MSI’s firmware, Intel Boot Guard private keys leaked
I am applying for a new code signing certificate and I specified to the CA I need a certificate that will be time stamped such that any assembly signed during the valid date range will still execute even beyond that date range. They sent … Continue reading What does the OID value in my CSR mean?
I have been tasked with designing a solution for signing source code. I have not found much on whether or not there is a standard for storing the signed code and it’s hash and code signing cert.
As I understand it, signing source code invo… Continue reading How to Store Signed Source Code + Encrypted HASH +Code Signing Cert