How to digitally sign a program
The users perceive an application or a driver that do not have a digital signature as a potential malware, because the users constantly encounter problems when they run the software.
Third-party antivirus software and information protection tools in the operating system will do their best to prevent the start of such software. If this is not what you aim at, make sure that your application or driver has a digital signature.
What is a digital signature in a program?
Signing a program is the process of adding a special code (digital signature) to the executable files and drivers during development.
With digital signature, users can be sure that the program:
|1||Was indeed signed by the author.|
|2||Has not been changed after signing.|
Digital signature of a program can also contain information about the version and other metadata. It is essentially a digital version of a handwritten signature and a stamp.
End users benefit from signed programs because they know exactly who published the software and that the software has not been modified. Developers benefit from signing the software because their programs are trustworthy and more difficult to falsify.
Usually the hash of the executable file is signed rather than the file itself. This allows reducing the size of the digital signature.
It is possible to verify the authorship and the absence of modifications after signing because:
|It is only possible to create a signature with the private key available to the owner of the signature only.|
|If the program is modified in any way its hash changes as well, so that the signature becomes invalid. The corresponding message is displayed in this case.|
What is it for?
Digital signature is used in most cryptographic protocols, in software distribution, financial transactions and other operations where it is important to detect forgery.
The most common application of software code signature is to provide system security when installing software. For example, the files of the OS updates contain the developer’s signatures so that the receiving system can verify the integrity of the files and make sure that they were indeed created by this developer, even if the updates are delivered through the third parties (are downloaded from a vendor’s website or are installed from discs).
How to get a digital signature for a program?
Digital signatures are created with a public-key signature algorithm (for example, RSA). In fact, a public-key algorithm uses two different keys: the public one and the private one. Only the owner of the private key knows it, while the public key is available to everyone. The digital signature technology uses the private key to generate the signature, and the corresponding public key to verify it.
To obtain a digital signature, the developer should contact a dedicated certificate authority (CA). The certificate authority issues the keys (both private and public ones) and a certificate (in essence, a signature).
The developer calculates the hash of his/her code with the help of the private key and special software or website, appends the hash and the certificate to the code and compiles it. The result is the signed program.
A certificate is an electronic document that confirms that the digital signature belong to the person in question. The certificate contains the following information.
|Start date and expiration date;|
|Information about the owner;|
|Unique certificate validation key (a public key);|
|The name of the signature, or the standards the signature complies with;|
|The name of the certificate authority.|
With the public key, any user can validate the digital signature, i.e. check whether the signature corresponds to the program and the user’s public key. Signature validation is performed with the help of special software or on dedicated websites. During validation, the following parameters are checked.
|that the key is not in the list of revoked keys;|
|that the key has been issued by a certain certificate authority.|
In addition to issuing keys and certificates, a certificate authority revokes expired or compromised certificates and keeps the corresponding databases.
The developer can also embed his/her own digital signature into the code. In this case, the end user should get the public key directly from the developer, so as to verify the software during the first run.
Apart from the software implementation, digital signature allows for a hardware implementation (for example, with the help of smart cards, USB tokens, etc.).
However, the mere presence of a digital signature in a program does not guarantee that the program is harmless. A digital signature indicates that the program has been received from the stated source and has not been modified after signing. It is for the user to decide whether he/she should trust the source.
Licensing allows the developer to turn a program into a product ready for sale. As with the digital signature, the developer can try to create custom tools or use the available systems. Usually these systems enable the developer to start the sales quickly by distributing the installation kit and the serial numbers. Besides, the systems provide protection from copying, hacking and modification.