Talk:Code signing

This article was previously nominated for deletion. The result of the discussion was keep.

This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computing: Software Low‑importance This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale. This article is supported by WikiProject Software (assessed as Low-importance). This article is supported by WikiProject Computer Security (assessed as Mid-importance). Things you can help WikiProject Computer Security with: edit history watch purge Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here. Cryptography: Computer science Low‑importance This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the importance scale. This article is supported by WikiProject Computer science (assessed as Low-importance).

Untitled

Latest comment: 13 years ago4 comments4 people in discussion

• What exactly is wrong with this article? Why is it being considered for deletion? If anything, what it lacks is content, but I believe it's a legitimate topic for an article. Will add some content.Marcos Juárez 19:13, 20 February 2006 (UTC)Reply

• I wanted to add a note that average user is likely to trust a large software company, but that creates a problem since a disgruntled employee inside such a company could potentially insert malicious code. In other words, the way it's presented, code signing is likely to appear as a panacea to the average user, but will definitely not be one. Doesn't sound very encyclopedic, though, so I leave it to the rest of you. - feel free to write it in if you can phrase it better. Fry-kun (talk) 10:04, 8 March 2008 (UTC)Reply

• Someone may want to add under Problems that if the system used to develop the software is infected by a computer virus it may be possible (depending on many factors) for the virus to infect the software prior to its being signed, in which case the code as signed is not safe even though it is signed by a well-intending developer. 99.244.184.166 (talk) 05:49, 17 July 2009 (UTC)Reply

• This article probably should include a reference to Certificate Revocation Lists (CRLs)

• There is public confusion about correctly signed code with a certificate that has expired (code was signed before expiration.) People incorrectly interpret this as a breach/violation of the certificate. —Preceding unsigned comment added by 12.155.58.181 (talk) 18:31, 8 December 2010 (UTC)Reply

In-complete question.

Latest comment: 12 years ago1 comment1 person in discussion

One thing I did not find in this article: is it possible to digitally sign self-modifying program code?

The IBM compatible PC is a modified von Neumann architecture, where stored data can become program instruction, therefore self-modifying code is perfectly legal and is NOT the exclusive domain of malware (viruses).

For example, really expensive commercial software may use self-modifying code together with a hardware dongle device to strongly protect against unathorized duplicate use. Such software vendors may wish to have their programs signed digitally for trustedness, since anti-virus programs have a tendency to heuristically alert on almost any self-modifying code, be it a virus or a false alarm on legitimate program code. One method to prevent such occurances is that many AV software automatically exclude trusted-signed binaries from virus checking. 82.131.210.163 (talk) 17:25, 24 April 2012 (UTC)Reply

Code Signing on macOS

Code signing on macOS can easily be defeated as the executable section in question can be stripped.

code signing on Linux

Latest comment: 7 years ago1 comment1 person in discussion

Our article says "This form of code signing is not used on Linux", but should say that at least some Linux distros (one I'm sure of is Debian) do support digital-signature-based validation of the packages they install. —Steve Summit (talk) 16:35, 9 June 2016 (UTC)Reply

External links modified (January 2018)

Latest comment: 6 years ago1 comment1 person in discussion

Hello fellow Wikipedians,

I have just modified one external link on Code signing. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20140409005555/http://www.cryptnet.net/fdp/crypto/strong_distro.html to http://www.cryptnet.net/fdp/crypto/strong_distro.html

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 13:36, 19 January 2018 (UTC)Reply

How is signing before the expiry enforced?

Latest comment: 1 year ago1 comment1 person in discussion

One question that isn't really addressed in the article is how the signature on a program is verified to have been made before the expiry of said signature. Mjmouse (talk) 14:36, 9 October 2022 (UTC)Reply