[Owasp-leaders] Any OWASP Guidelines around Code Signing?

Kevin W. Wall kevin.w.wall at gmail.com
Wed Nov 18 03:58:47 UTC 2015


Two important things regarding code signing are that:
1) You need to make it easy to retrieve the public key used for
verifying the signed code.
2) Arrange it so that the validation is performed automatically rather
than requiring that the signature is verified manually.

I'm confident that manual verification seldom works, even amongst developers.
I've seen scores of developers download some 3rd party code from the
Internet and then never even bother to verify it against a SHA1
checksum. If they don't bother to do that, then they surely are not going
to bother to download a public key, import the public key into a keystore,
and then run jarsigner so they can correctly validate a signed jar. On the
other hand, many Linux package managers that verify signed packages all
happen to do that automatically once you've imported the public key
corresponding to the private signing key.

-kevin


On Tue, Nov 17, 2015 at 1:15 PM, Vaibhav Gupta <vaibhav.gupta at owasp.org> wrote:
> Hello Johanna, Ajoy, and Gary,
>
> Thanks for your suggestions!
>
> I agree that we can discuss it on this thread and try to incorporate in a
> cheat sheet. It would be great if practitioners can suggest some best
> practices around it.
>
> Let's gather what all should we answer in this cheat sheet:
>
> 1. What should be the signing process? (Yes/No)
> 2. Which hash algorithm to use? (Yes/No)
> 3. Should signature verification rely on OS APIs only (like WinVerifyTrust()
> API)? (Yes/No)
> 4. What should be the min/max expiry? (Yes/No)
> 5. Should we use time-stamping? (Yes/No)
> 6. Any blacklist/whitelist algorithms to use in case of a binary (e.g.
> updater) fetching another signed binary? (Yes/No)
>
> @Everyone: Call for inputs :-)
>
> Thanks
> Vaibhav
>
> twitter.com/VaibhavGupta_1
>
> On Tue, Nov 17, 2015 at 3:29 PM, Gary Robinson <gary.robinson at owasp.org>
> wrote:
>>
>> The Code Review Guide will mention code signing in passing at the minute,
>> but I agree it would be good to have this type of information included.  I
>> don't sign code in my day job, so wouldn't be authoritative on the subject.
>>
>> If anyone can suggest some best practices on this, or has a resource on
>> best practices, let me know.  Or do Microsoft/Apple effectively constrain
>> how code can be signed to one or two methods?
>>
>> Would it also make a good cheat sheet?
>>
>> Gary
>>
>> On Tue, Nov 17, 2015 at 2:39 AM, ajoy kumar <ajoysota at hotmail.com> wrote:
>>>
>>>
>>> You may find information that is more comprehensive at NIST FIPS 186-4
>>> document http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.
>>>
>>>
>>> Regards,
>>>
>>>
>>> Ajoy
>>>
>>>
>>>
>>>
>>> ISC 2 Board Elections – Your support requested
>>>
>>> https://www.linkedin.com/pulse/article/isc2-board-election-your-support-requested-ajoy-kumar/edit
>>>
>>>
>>>
>>>
>>>
>>> ________________________________
>>> Date: Mon, 16 Nov 2015 17:19:52 -0400
>>> From: johanna.curiel at owasp.org
>>> To: vaibhav.gupta at owasp.org
>>> CC: owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] Any OWASP Guidelines around Code Signing?
>>>
>>>
>>> Hi Vaibhav
>>>
>>> I do not recall any project that touches this in detail
>>>
>>> The only project that mentions digital signing of libraries, and quite
>>> superficially, is the code review guidelines; maybe here and there some
>>> documentation but I don't think in the level of deepness you are looking for
>>>
>>> regards
>>>
>>> Johanna
>>>
>>> On Mon, Nov 16, 2015 at 1:32 PM, Vaibhav Gupta <vaibhav.gupta at owasp.org>
>>> wrote:
>>>
>>> Hello OWASPians,
>>>
>>> Is there any release/draft version of OWASP guidelines around code
>>> signing/digital signing of executables?
>>>
>>> Something like: What should be the signing process? Which hash algorithm
>>> to use? What should be the min/max expiry? Should we use time-stamping? Any
>>> blacklist algorithms? etc. ?
>>>
>>> If we do not have any guideline in place, any suggestion around this
>>> would be appreciated.
>>>
>>> Thanks
>>> Vaibhav
>>>
>>> twitter.com/VaibhavGupta_1
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>>
>>
>
>
>



-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
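Kevin's second point, that validation should happen automatically once the consumer already holds the publisher's public key, is easy to show in code. The Go program below is an added example written for this page; it is not code from the thread or from any OWASP project or package manager. It assumes an Ed25519 publisher key pinned inside the downloading tool (the way a package manager keeps imported repository keys), a constructed artifact, and a signature over the SHA-256 digest of the artifact name and content; the type and function names (SignedArtifact, SignArtifact, VerifyAndOpen) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an artifact fails verification against the pinned key.
var ErrBadSignature = errors.New("artifact signature does not verify against the pinned publisher key")

// SignedArtifact is the downloaded file together with its detached signature.
// (Constructed type for this example; not from any real package manager.)
type SignedArtifact struct {
	Name      string
	Content   []byte
	Signature []byte
}

// signedBytes builds the exact message that is signed and later verified: a
// label, the artifact name and the SHA-256 digest of its content. Binding the
// name prevents a valid signature from being transplanted onto a differently
// named file.
func signedBytes(name string, content []byte) []byte {
	digest := sha256.Sum256(content)
	msg := []byte("artifact:" + name + "\n")
	return append(msg, digest[:]...)
}

// SignArtifact is the publisher side. In a real release pipeline this runs
// with the private key kept away from the build hosts; here the key is constructed.
func SignArtifact(priv ed25519.PrivateKey, name string, content []byte) SignedArtifact {
	return SignedArtifact{
		Name:      name,
		Content:   content,
		Signature: ed25519.Sign(priv, signedBytes(name, content)),
	}
}

// VerifyAndOpen is the consumer-side gate. The public key is pinned inside the
// tool, so the caller never fetches or checks a key by hand, and the content
// is only handed back once the signature verifies.
func VerifyAndOpen(pinned ed25519.PublicKey, a SignedArtifact) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize {
		return nil, errors.New("pinned public key has the wrong size")
	}
	if len(a.Signature) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	if !ed25519.Verify(pinned, signedBytes(a.Name, a.Content), a.Signature) {
		return nil, ErrBadSignature
	}
	return a.Content, nil
}

func main() {
	// Constructed demo keys: the publisher would generate these once and
	// ship only pub with the updater.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := SignArtifact(priv, "tool-1.2.tar.gz", []byte("constructed release bytes"))

	if _, err := VerifyAndOpen(pub, artifact); err != nil {
		fmt.Println("unexpected rejection:", err)
	} else {
		fmt.Println("genuine artifact accepted")
	}

	// Simulate modification in transit: one byte appended after signing.
	artifact.Content = append(artifact.Content, '!')
	if _, err := VerifyAndOpen(pub, artifact); err != nil {
		fmt.Println("tampered artifact rejected:", err)
	}
}
```

The point of the design is that VerifyAndOpen is the only way to get at the content, so a developer using the tool cannot skip the check the way they would skip a manual jarsigner or checksum step; the pinned key plays the role of the repository key a package manager has already imported. Signing the name together with the digest also means a signature captured from one genuine release cannot be reused on a different file.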

