[Owasp-leaders] Any OWASP Guidelines around Code Signing?

Gary Robinson gary.robinson at owasp.org
Tue Nov 17 09:59:15 UTC 2015


The Code Review Guide will mention code signing in passing at the minute,
but I agree it would be good to have this type of information included.  I
don't sign code in my day job, so wouldn't be authoritative on the subject.

If anyone can suggest some best practices on this, or has a resource on
best practices, let me know.  Or do Microsoft/Apple effectively constrain
how code can be signed to one or two methods?

Would it also make a good cheat sheet?

Gary

On Tue, Nov 17, 2015 at 2:39 AM, ajoy kumar <ajoysota at hotmail.com> wrote:

>
> You may find information that is more comprehensive at NIST FIPS 186-4
> document http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.
>
> Regards,
>
> Ajoy
>
>
> ISC 2 Board Elections – Your support requested
> https://www.linkedin.com/pulse/article/isc2-board-election-your-support-requested-ajoy-kumar/edit
>
>
>
>
> ------------------------------
> Date: Mon, 16 Nov 2015 17:19:52 -0400
> From: johanna.curiel at owasp.org
> To: vaibhav.gupta at owasp.org
> CC: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Any OWASP Guidelines around Code Signing?
>
>
> Hi Vaibhav
>
> I do not recall any project that touches this in detail
>
> The only project that mentions digital signing of libraries, and quite
> superficially, is the code review guidelines; maybe here and there some
> documentation, but I don't think at the level of depth you are looking for.
>
> regards
>
> Johanna
>
> On Mon, Nov 16, 2015 at 1:32 PM, Vaibhav Gupta <vaibhav.gupta at owasp.org>
> wrote:
>
> Hello OWASPians,
>
> Is there any release/draft version of OWASP guidelines around code
> signing/digital signing of executables?
>
> Something like: What should the signing process be? Which hash algorithm
> should be used? What should the min/max expiry be? Should we use time-stamping?
> Any blacklisted algorithms? etc.?
>
> If we do not have any guideline in place, any suggestion around this would
> be appreciated.
>
> Thanks
> Vaibhav
>
> twitter.com/VaibhavGupta_1
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
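The questions Vaibhav raises (which hash, what a blacklist means in practice, certificate expiry, and whether to time-stamp) are easiest to see in a small verifier, so here is an added example written for this page; it is not from the thread or from any OWASP project, and it uses only Go's standard library. The SigningCert struct, the detached Signature layout, the MD5/SHA-1 blacklist, the 2048-bit key and all dates are assumptions made for the illustration. A real verifier would consume the platform's own formats (Authenticode, Apple code signatures, X.509 chains) and an RFC 3161 timestamp token rather than a caller-supplied time; the logic that decides which point in time the certificate must be valid at is the part worth taking away.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 so crypto.SHA256.New() works
	"fmt"
	"time"
)

// Blacklist is an assumed policy for this example; the thread prescribes none.
var blacklisted = map[crypto.Hash]bool{crypto.MD5: true, crypto.SHA1: true}

// SigningCert stands in for a code-signing certificate: public key plus validity window.
type SigningCert struct {
	Pub                 *rsa.PublicKey
	NotBefore, NotAfter time.Time
}

// Signature is the detached signature shipped next to an executable.
type Signature struct {
	Hash      crypto.Hash
	Sig       []byte
	Timestamp *time.Time // signing time asserted by a trusted timestamp authority; nil if none
}

// digest hashes code with h, refusing blacklisted or unlinked algorithms.
func digest(h crypto.Hash, code []byte) ([]byte, error) {
	if blacklisted[h] || !h.Available() {
		return nil, fmt.Errorf("hash %v is blacklisted or unavailable", h)
	}
	hw := h.New()
	hw.Write(code)
	return hw.Sum(nil), nil
}

// Sign hashes the executable and signs the digest with RSA-PSS; ts, if non-nil,
// is the signing time vouched for by a timestamp authority (a countersignature).
func Sign(priv *rsa.PrivateKey, code []byte, h crypto.Hash, ts *time.Time) (*Signature, error) {
	d, err := digest(h, code)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, priv, h, d, nil)
	if err != nil {
		return nil, err
	}
	return &Signature{Hash: h, Sig: sig, Timestamp: ts}, nil
}

// Verify checks the signature and that the certificate was valid at the relevant
// time: the trusted timestamp if present, otherwise now. That rule is why a
// timestamped signature outlives certificate expiry and a bare one does not.
func Verify(cert *SigningCert, code []byte, s *Signature, now time.Time) error {
	d, err := digest(s.Hash, code)
	if err != nil {
		return err
	}
	if err := rsa.VerifyPSS(cert.Pub, s.Hash, d, s.Sig, nil); err != nil {
		return fmt.Errorf("signature does not match executable: %w", err)
	}
	when := now
	if s.Timestamp != nil {
		when = *s.Timestamp
	}
	if when.Before(cert.NotBefore) || when.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s", when.Format(time.RFC3339))
	}
	return nil
}

// Demo runs the cases a verifier must get right; a nil verdict means accepted.
func Demo() (map[string]error, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	cert := &SigningCert{Pub: &priv.PublicKey, NotBefore: time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter: time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)} // assumed one-year validity
	exe := []byte("MZ\x90\x00 constructed stand-in for an executable image") // constructed input
	signedAt := time.Date(2015, 11, 17, 9, 59, 15, 0, time.UTC)           // time a TSA would assert
	afterExpiry := time.Date(2017, 6, 1, 0, 0, 0, 0, time.UTC)
	tsSig, err := Sign(priv, exe, crypto.SHA256, &signedAt)
	if err != nil {
		return nil, err
	}
	bare, _ := Sign(priv, exe, crypto.SHA256, nil) // same key and hash as above, no timestamp
	tampered := append([]byte{}, exe...)
	tampered[len(tampered)-1] ^= 1
	r := map[string]error{}
	r["timestamped, checked after expiry"] = Verify(cert, exe, tsSig, afterExpiry)
	r["bare, checked while valid"] = Verify(cert, exe, bare, signedAt)
	r["bare, checked after expiry"] = Verify(cert, exe, bare, afterExpiry)
	r["tampered executable"] = Verify(cert, tampered, tsSig, signedAt)
	_, r["signing with SHA-1"] = Sign(priv, exe, crypto.SHA1, &signedAt)
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Println(r, err)
}
```

Running Demo() shows the two verdicts that matter for the expiry question: the timestamped signature is still accepted in 2017 because the certificate only has to have been valid at the asserted signing time, while the bare signature over the same bytes with the same key is rejected once the certificate has expired. The SHA-1 case fails at signing time rather than verification time, which is where a blacklist belongs if you want release pipelines, not end users, to catch it.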