Collaborate Disseminate
I am interested if it could be possible to validate source code integrity for web apps somehow.
For example:
Developer builds app and sign source code with his private key. Both signature and public key is included in web app.
User fetch… Continue reading Validating web app source code integrity
I am new to code signing and would like to do it using Visual Studio 2022. I got a MS article showing how to do Code Signing here and was trying to use it. For me, the "Sign the ClickOnce manifests" option is somehow disabled.
Wh… Continue reading How to do code signing with Visual Studio 2022
I am new to code signing and would like to do it using Visual Studio 2022. I got a MS article showing how to do Code Signing here and was trying to use it. For me, the "Sign the ClickOnce manifests" option is somehow disabled.
Wh… Continue reading How to do code signing with Visual Studio 2022
I have not been able to find a single page that actually explains how npm’s
ECDSA signing system works.
The closest I could find is the official documentation, but as far as I can
tell from that documentation, this system is completely use… Continue reading How does npm’s ECDSA signing system improve security?
I am trying to reason about how native apps can avoid the problems web apps have in dealing with the "Browser Cryptography Chicken and Egg" problem, which has been discussed numerous times on this site, perhaps most notably here:… Continue reading How to deal with targeted attacks from publisher when verifying the integrity of native applications and validating their source code?
I don’t know much about how yubikeys work, but I’m trying to sign a commit with one of them and I don’t even know how to debug the problem. I got:
gpg –list-keys
/home/lz/.gnupg/pubring.kbx
—————————
pub ed25519 2018-1… Continue reading Can’t sign commit with yubikey, GPG missing something
I’m currently in the process of writing a program that:
Reads a binary file (a C++ program) and creates a SHA256 hash of the data (like a checksum)
Use this calculated hash and a self signed CA certificate to create a CMS signature using … Continue reading Interaction of a Code Signature and a Timestamp token from a TSA
I have had some binary executable files (.exe) for Windows signed, I have checked the signature of the signed files, but I would also like to check that the file that I sent for signing is indeed identical to the signed file that I got bac… Continue reading How do I compare a signed .exe file with the unsigned version of the same .exe file?
Alternatively, the question could be asked: Does issuing a checksum for a file we sign anyways just duplicate work?
Use case: Firmware sent to an IoT device. We sign it, and form a separate checksum for it.
My understanding is that this is… Continue reading Is signing a file better than issuing a checksum, and does it render a separate checksum useless?
How do GPG smart card devices (such as a Yubikey) handle large GPG operations? Such as signing binary programs.
My first 2 pet theories are:
There’s some way to chunk up GPG operations or use some magic to stream data into and out of the … Continue reading How do GPG smart card devices handle large GPG operations?