[Owasp-leaders] Any OWASP Guidelines around Code Signing?

Vaibhav Gupta vaibhav.gupta at owasp.org
Tue Nov 17 18:15:45 UTC 2015


Hello Johanna, Ajoy, and Gary,

Thanks for your suggestions!

I agree that we can discuss it on this thread and try to incorporate it into a
cheat sheet. It would be great if practitioners could suggest some best
practices around it.

Let's gather what we should answer in this cheat sheet:

1. What should be the signing process? (Yes/No)
2. Which hash algorithm to use? (Yes/No)
3. Should signature verification rely on OS APIs only
(like WinVerifyTrust() API)? (Yes/No)
4. What should be the min/max expiry? (Yes/No)
5. Should we use time-stamping? (Yes/No)
6. Any blacklist/whitelist algorithms to use in case of a binary (e.g.
updater) fetching another signed binary? (Yes/No)

@Everyone: Call for inputs :-)

Thanks
Vaibhav

twitter.com/VaibhavGupta_1

On Tue, Nov 17, 2015 at 3:29 PM, Gary Robinson <gary.robinson at owasp.org>
wrote:

> The Code Review Guide will mention code signing in passing at the minute,
> but I agree it would be good to have this type of information included.  I
> don't sign code in my day job, so wouldn't be authoritative on the subject.
>
> If anyone can suggest some best practices on this, or has a resource on
> best practices, let me know.  Or do Microsoft/Apple effectively constrain
> how code can be signed to one or two methods?
>
> Would it also make a good cheat sheet?
>
> Gary
>
> On Tue, Nov 17, 2015 at 2:39 AM, ajoy kumar <ajoysota at hotmail.com> wrote:
>
>>
>> You may find information that is more comprehensive at NIST FIPS 186-4
>> document http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.
>>
>> Regards,
>>
>> Ajoy
>>
>>
>> ISC 2 Board Elections – Your support requested
>>
>> https://www.linkedin.com/pulse/article/isc2-board-election-your-support-requested-ajoy-kumar/edit
>>
>>
>>
>>
>> ------------------------------
>> Date: Mon, 16 Nov 2015 17:19:52 -0400
>> From: johanna.curiel at owasp.org
>> To: vaibhav.gupta at owasp.org
>> CC: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Any OWASP Guidelines around Code Signing?
>>
>>
>> Hi Vaibhav
>>
>> I do not recall any project that touches this in detail
>>
>> The only project that mentions digital signing of libraries, and quite
>> superficially, is the code review guidelines; maybe here and there some
>> documentation, but I don't think at the level of depth you are looking for.
>>
>> regards
>>
>> Johanna
>>
>> On Mon, Nov 16, 2015 at 1:32 PM, Vaibhav Gupta <vaibhav.gupta at owasp.org>
>> wrote:
>>
>> Hello OWASPians,
>>
>> Is there any release/draft version of OWASP guidelines around code
>> signing/digital signing of executables?
>>
>> Something like: What should be the signing process? Which hash algorithm
>> to use? What should be the min/max expiry? Should we use time-stamping? Any
>> blacklist algorithms? etc.?
>>
>> If we do not have any guideline in place, any suggestion around this
>> would be appreciated.
>>
>> Thanks
>> Vaibhav
>>
>> twitter.com/VaibhavGupta_1
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>>
>>
>
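A worked sketch of the verification side of the questions Vaibhav lists at the top of the thread (which hash algorithm, min/max expiry, time-stamping, and an allowlist for an updater that fetches another signed binary), added here as an example; it is not code from the thread, from OWASP, or from any project mentioned in it. It assumes a deliberately simplified scheme: Ed25519 over a fixed-layout manifest that carries the SHA-256 digest of the artifact, the signing time and an expiry. The `SignedAt` field stands in for the countersigned token a timestamp authority would issue, and the `Manifest`, `Sign` and `Verify` names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Manifest is what actually gets signed: the SHA-256 digest of the artifact
// rather than the artifact itself, plus the signing time and an expiry.
// SignedAt stands in for a timestamp-authority token (an assumption of this
// example; real schemes carry a countersigned token from a trusted TSA).
type Manifest struct {
	Digest   [sha256.Size]byte
	SignedAt int64 // Unix seconds
	NotAfter int64 // Unix seconds; manifests past this point are rejected
}

// encode serialises the manifest with a fixed layout so that signer and
// verifier operate on exactly the same bytes.
func (m Manifest) encode() []byte {
	var buf [sha256.Size + 16]byte
	copy(buf[:sha256.Size], m.Digest[:])
	binary.BigEndian.PutUint64(buf[sha256.Size:], uint64(m.SignedAt))
	binary.BigEndian.PutUint64(buf[sha256.Size+8:], uint64(m.NotAfter))
	return buf[:]
}

// SignedManifest bundles the manifest with the signer's public key and the
// signature; this is what an updater would fetch alongside the binary.
type SignedManifest struct {
	Manifest
	Signer    ed25519.PublicKey
	Signature []byte
}

// Sign hashes the artifact with SHA-256 and signs the manifest with Ed25519.
func Sign(priv ed25519.PrivateKey, artifact []byte, signedAt time.Time, validFor time.Duration) SignedManifest {
	m := Manifest{
		Digest:   sha256.Sum256(artifact),
		SignedAt: signedAt.Unix(),
		NotAfter: signedAt.Add(validFor).Unix(),
	}
	return SignedManifest{
		Manifest:  m,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, m.encode()),
	}
}

var (
	ErrUntrustedSigner = errors.New("signer key is not on the allowlist")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrDigestMismatch  = errors.New("artifact digest does not match manifest")
	ErrNotYetValid     = errors.New("manifest is dated in the future")
	ErrExpired         = errors.New("manifest has expired")
)

// Verify is the updater-side check. The key allowlist is consulted first, so
// a valid signature from an unknown key is never enough on its own; then the
// signature, the artifact digest and the validity window are checked in turn.
func Verify(sm SignedManifest, artifact []byte, allowed []ed25519.PublicKey, now time.Time) error {
	trusted := false
	for _, k := range allowed {
		if len(k) == ed25519.PublicKeySize && bytes.Equal(k, sm.Signer) {
			trusted = true
			break
		}
	}
	if !trusted {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(sm.Signer, sm.encode(), sm.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(artifact) != sm.Digest {
		return ErrDigestMismatch
	}
	if t := now.Unix(); t < sm.SignedAt {
		return ErrNotYetValid
	} else if t > sm.NotAfter {
		return ErrExpired
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample update payload") // constructed input
	sm := Sign(priv, artifact, time.Now(), 90*24*time.Hour)
	allow := []ed25519.PublicKey{pub}
	fmt.Println("genuine artifact: ", Verify(sm, artifact, allow, time.Now()))
	fmt.Println("modified artifact:", Verify(sm, []byte("constructed sample update payloaD"), allow, time.Now()))
}
```

The order of checks is the point: pinning the signer key before anything else means that "signed" alone never grants trust, the digest comparison ties the signature to the bytes actually downloaded, and the two time checks are where an expiry policy and a timestamp token would plug in.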