So who signs code anyway?

On February 15, 2008, in Security, by

In my line-of-business application vendor space, the software I install almost never carries a "verification signature". Sometimes the unsigned software comes from other places as well.

I saw this today and it brought a bit of a smile.

That is what you see when you unzip a Microsoft hotfix.  Not signed. 

Michael Howard blogs about the SAFECODE project, and its PDF states:

Integrity Verification: Some products offer customers methods such as signed code for verifying that the software they have acquired is indeed from their trusted vendor. Using public key technology to sign code is an example of enabling integrity verification. Some software companies also build in integrity checks on an on-going basis to assure that the components in the solution are indeed bona-fide components.
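The signed-code scheme the quote describes, as an added example that is not from this post, from SAFECODE or from any vendor mentioned here: the vendor signs the SHA-256 digest of a release artifact with its private key and ships a detached signature next to the file; the customer verifies the signature with the vendor's public key, which must have reached the customer through a channel they already trust. The key file names, the artifact name and the sample payload are constructed for the example, and it assumes a POSIX shell with the openssl command line tool installed.

```shell
#!/bin/sh
# Added example: detached code signing and verification with openssl.
# Not from the original post; file names and payload are constructed.
set -e

# Vendor side: create a signing key pair. Assumption: RSA-2048 via genpkey.
# A real vendor keeps the private key in an HSM or signing service, not on disk.
make_vendor_keys() {   # make_vendor_keys <private-key-out> <public-key-out>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}

# Vendor side: sign the SHA-256 digest of the artifact and write a detached signature.
sign_artifact() {      # sign_artifact <private-key> <artifact> <signature-out>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Customer side: check the detached signature against the vendor's public key.
# Exit status 0 means the bytes are exactly what the holder of the private key signed;
# any change to the artifact, the signature or the key gives a non-zero status.
verify_artifact() {    # verify_artifact <public-key> <artifact> <signature>
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Walk through the vendor and customer steps, then show what tampering does.
demo() {
    work=$(mktemp -d)

    make_vendor_keys "$work/vendor.key" "$work/vendor.pub"

    # Constructed stand-in for a hotfix package.
    printf 'constructed hotfix payload, build 1.0\n' > "$work/hotfix.bin"
    sign_artifact "$work/vendor.key" "$work/hotfix.bin" "$work/hotfix.sig"

    if verify_artifact "$work/vendor.pub" "$work/hotfix.bin" "$work/hotfix.sig"; then
        echo "original artifact: signature verified"
    fi

    # Tamper with a single byte of the package after it was signed.
    printf 'x' >> "$work/hotfix.bin"
    if verify_artifact "$work/vendor.pub" "$work/hotfix.bin" "$work/hotfix.sig"; then
        echo "tampered artifact: signature verified (should not happen)"
    else
        echo "tampered artifact: verification failed, refuse to install"
    fi

    # A signature from some other key pair must not verify either.
    make_vendor_keys "$work/other.key" "$work/other.pub"
    printf 'constructed hotfix payload, build 1.0\n' > "$work/hotfix.bin"
    if verify_artifact "$work/other.pub" "$work/hotfix.bin" "$work/hotfix.sig"; then
        echo "wrong public key: signature verified (should not happen)"
    else
        echo "wrong public key: verification failed"
    fi

    rm -rf "$work"
}

demo
```

The detached signature only proves that whoever holds the private key signed those exact bytes; the trust question of whether that key really belongs to the vendor is what vendor.pub distribution (or, on Windows, the certificate chain behind an Authenticode signature embedded in the executable) has to answer. A verifier that skips that step is checking integrity without checking origin.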

My vendors don’t always do code integrity verification.  It’s a noble goal, but we’re not there yet.  Still one to strive for though.
