Digital signatures policies
Digital signatures policies are a group of software quality policies used by the Spectra Assure platform to help you improve the overall security of your software packages.
These policies are applied during software package analysis to check your code and inform you when any of the built-in validation rules are violated. Specifically, digital signatures policies focus on detecting tampering and certificate misuse in software packages, to help you protect the integrity of your software. They alert you to signatures with countersigning, cross-signing, or integrity validation issues, to certificates with incomplete metadata, and to certificates that are revoked, expired, blacklisted, or otherwise suspicious. Advanced users of Spectra Assure can adjust how each policy violation is treated and add their own exceptions in the policy configuration files.
In the Spectra Assure SAFE report, these policy violations can be found in the Digital Signatures issue category and cause risk in the SAFE Assessment Tampering category.
Developers, release managers, and software publishers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect an issue with digital signatures in a software package, the affected files are highlighted in the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.
Security challenges and practices
Software should be signed so that anyone who receives it can confirm that it came from the expected publisher and has not been modified since it was signed. These electronic stamps of authenticity are called digital signatures, while code signing is the process of producing and attaching the signatures to your software, so that its origin and integrity can be checked during distribution and installation. Note that a valid signature proves who signed the software and that it is unchanged; it does not by itself prove that the signer is trustworthy.
Digital signatures are made with the private key that belongs to a digital certificate. A certificate is a signed statement, issued by a Certificate Authority (CA), that binds a public key to the identity of the organization that owns the software package. The CA signs the certificate with its own private key; anyone holding the CA's public key can then verify that the certificate is genuine and use the public key inside it to verify the publisher's signatures. Nothing in a certificate is encrypted: its trustworthiness comes from the CA's signature and from the chain of certificates leading up to a trusted root. In software supply chain security, certificates are also used for whitelisting and blacklisting files, or, in other words, for file classification, which requires maintaining a database of trusted and untrusted signing parties.
Rapid development practices in the modern software development lifecycle increase the need for valid and trustworthy certificates. A revoked certificate is one the CA no longer vouches for, often because its private key was compromised, and an expired certificate whose signatures were never time-stamped can no longer be distinguished from one used after its validity period; both increase the likelihood of exploitation and make your organization more susceptible to malicious attacks. This is precisely why it is important to keep the private keys behind your certificates securely stored, to time-stamp your signatures, and to be on the lookout for potential threats so that you catch them before your software is widely distributed.
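The mechanism described above, as an added example (this is not Spectra Assure's own code, and the CA, publisher and artifact are constructed for illustration): a Go program that builds an in-memory root CA, has it issue a code-signing certificate to a publisher, signs the SHA-256 digest of an artifact with the publisher's private key, and then verifies both the certificate chain and the signature. It shows that a single flipped bit in the artifact, or a certificate from a CA that is not in the trust store, is rejected. Names such as "Example Root CA" and "Example Publisher" are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed trust chain: a root CA and the code-signing
// certificate it issued to a publisher (the names are made up for the example).
type Chain struct {
	Roots        *x509.CertPool
	Publisher    *x509.Certificate
	publisherKey *ecdsa.PrivateKey
}

// issue has the signer's key sign the certificate body in tmpl and returns the
// parsed result. The body is signed, not encrypted, so anyone can read it.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewChain generates the CA and publisher keys and issues both certificates.
func NewChain() (*Chain, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, err
	}
	pubKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pubTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Publisher", Organization: []string{"Example Publisher Ltd"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, // intended use: code signing
	}
	pubCert, err := issue(pubTmpl, caCert, &pubKey.PublicKey, caKey) // signed by the CA's key
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Chain{Roots: roots, Publisher: pubCert, publisherKey: pubKey}, nil
}

// Sign produces the publisher's signature over the SHA-256 digest of the artifact.
func (c *Chain) Sign(artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, c.publisherKey, digest[:])
}

// VerifyArtifact does what a consumer does: it checks that the certificate
// chains to a trusted root and is valid for code signing, then checks that the
// signature matches the artifact exactly as received.
func VerifyArtifact(artifact, sig []byte, cert *x509.Certificate, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match content: artifact modified or wrong key")
	}
	return nil
}

func main() {
	chain, err := NewChain()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed package contents v1.0") // stands in for a real file
	sig, _ := chain.Sign(artifact)
	fmt.Println("untouched: ", VerifyArtifact(artifact, sig, chain.Publisher, chain.Roots))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // flip one bit after signing
	fmt.Println("tampered:  ", VerifyArtifact(tampered, sig, chain.Publisher, chain.Roots))
	other, _ := NewChain() // a different CA that is not in our trust store
	fmt.Println("unknown CA:", VerifyArtifact(artifact, sig, other.Publisher, chain.Roots))
}
```

The chain check comes before the signature check on purpose: a signature that verifies under a key nobody vouches for is exactly the self-signed or unknown-CA case the policies below flag, and checking the bytes first would give a false sense of security.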
However, such safety measures can be bypassed. There are many ways in which malicious actors can abuse digital certificates, including certificate forgery, certificate impersonation, private key compromise, and the use of revoked or expired digital certificates.
- Certificate forgery - A digital signature can look valid at a glance, but validating its certificate chain reveals that the certificate was not issued by a trusted CA. This is the case, for example, with a self-signed certificate or any other certificate not issued by a trusted CA, and a signature that passes validation can also be produced if a malicious actor has obtained your private key.
- Certificate impersonation - Malicious actors can pose as trusted organizations to lead users to believe they are running safe software with seemingly legitimate certificates. To make them look more realistic, these malicious actors copy the information found in authentic certificates, such as the subject and organization names.
- Private key compromise - If not kept safe, the private keys behind digital certificates can be stolen or otherwise compromised, which can give malicious actors access to sensitive information. Whoever holds the key can digitally sign malware under the identity of the trusted organization, and the resulting signatures validate exactly like the organization's own.
- Use of revoked or expired digital certificates - Certificates that remain in use after revocation or expiration can no longer be regarded as valid or trusted, because they can be exploited to sign malicious software. CAs can also issue weak or improper certificates that are, therefore, more susceptible to misuse.
This presents a large issue for organizations that distribute software packages under their own digital signature. It calls the authenticity and integrity of your software into question: it is presented as safe, yet it can harm user systems or steal their sensitive information. If software carrying your digital signature turns out to have been misused, it can also tarnish the reputation of your organization, and users can lose confidence in your software.
Policies in this category
Digital signatures policies cover the following:
- Countersigning and cross-signing issues
- Integrity validation issues
- Revoked, expired, blacklisted, and otherwise suspicious certificates
- Incomplete certificate metadata
- SQ20101 - Detected digital signatures that have been countersigned for time-stamping an excessive number of times.
- SQ20102 - Detected digital signatures that have not been countersigned for time-stamping.
- SQ20103 - Detected reproducibly compiled applications that have not been countersigned for time-stamping.
- SQ20104 - Detected digital signatures that used an expired certificate during signing.
- SQ20105 - Detected digital signatures with an expired signing certificate.
- SQ20106 - Detected expired digital signatures that have not been countersigned for time-stamping.
- SQ20107 - Detected digital signatures that contain a revoked certificate.
- SQ20108 - Detected digital signatures that were made with a revoked certificate.
- SQ20109 - Detected digital signatures that contain a certificate revoked due to the private key compromise.
- SQ20110 - Detected digital signatures that contain a blacklisted certificate.
- SQ20111 - Detected digital signatures made with a certificate issued by an unknown certificate authority.
- SQ20112 - Detected digital signatures made with a certificate issued by the signing party.
- SQ20113 - Detected digital signatures that contain a certificate trying to impersonate a trusted publisher.
- SQ20114 - Detected malformed or damaged digital signatures.
- SQ20115 - Detected digital signatures that fail the integrity validation check.
- SQ20116 - Detected digital signatures that only partially validate the integrity of signed content.
- SQ20117 - Detected digital signatures with object IDs whose content is excluded from integrity validation.
- SQ20118 - Detected digital signatures that rely on a weak cryptography algorithm for integrity validation.
- SQ20119 - Detected digital signatures that rely on a weak digest algorithm for integrity validation.
- SQ20120 - Detected digital signatures that use Elliptic Curve Cryptography parameters that could be easily spoofed.
- SQ20121 - Detected digital signatures that have not been performed with an extended validation certificate.
- SQ20122 - Detected digital signatures used for code signing that do not have code signing listed for their intended use.
- SQ20123 - Detected digital signatures missing extensions required for code integrity validation while trying to enforce it.
- SQ20124 - Detected digital signatures that contain a certificate with a short and predictable serial number.
- SQ20125 - Detected digital signatures that contain a certificate that is missing some of the common fields in its issuer property.
- SQ20126 - Detected digital signatures that contain a certificate that is missing some of the common fields in its subject property.
- SQ20127 - Detected digital signatures that contain a certificate that does not belong to any certificate chains.
- SQ20128 - Detected digital signatures that do not contain a reference to a certificate revocation server.
- SQ20129 - Detected digital signatures that chain to deprecated cross-signing authorities.
- SQ20130 - Detected expired certificates within the list of digital signatures that were cross-signed.
- SQ20131 - Detected digital signatures that used an expired certificate during cross-signing.
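As an added example of how several of the policies above translate into concrete checks on certificate fields (this is example code, not Spectra Assure's implementation, and the mapping of each check to a policy ID in the comments is this example's own reading of the list), the Go program below inspects a certificate's issuer and subject, extended key usage, revocation pointers, signature digest algorithm, serial number length, and validity period. The validity logic shows why time-stamp countersigning matters: a signature is judged against the certificate's validity at the time it was made, and without a time stamp there is no trustworthy record of that time once the certificate expires. The certificate field values are constructed inline and stand in for a parsed certificate; the 64-bit serial number threshold is the CA/Browser Forum minimum for random serial numbers.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckSigningCert applies checks modelled on a subset of the policies listed
// above to the fields of a signing certificate. signedAt is the time asserted by
// a time-stamp countersignature (zero if the signature was not countersigned);
// now is the verification time. Policy IDs in comments are this example's
// reading of the list, not Spectra Assure's implementation.
func CheckSigningCert(cert *x509.Certificate, signedAt, now time.Time) []string {
	var findings []string
	// SQ20112: issued by the signing party. On a parsed certificate compare
	// RawIssuer and RawSubject for an exact match; the string form is used here
	// so that a constructed certificate works too.
	if cert.Issuer.String() == cert.Subject.String() {
		findings = append(findings, "self-signed certificate")
	}
	codeSigning := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning {
			codeSigning = true
		}
	}
	if !codeSigning { // SQ20122: intended use does not list code signing
		findings = append(findings, "code signing not listed in extended key usage")
	}
	if len(cert.CRLDistributionPoints) == 0 && len(cert.OCSPServer) == 0 { // SQ20128
		findings = append(findings, "no revocation server referenced (no CRL or OCSP URL)")
	}
	switch cert.SignatureAlgorithm { // SQ20119: weak digest in the certificate signature
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "weak digest algorithm: "+cert.SignatureAlgorithm.String())
	}
	if cert.SerialNumber.BitLen() < 64 { // SQ20124: 64 random bits is the CA/Browser Forum floor
		findings = append(findings, "short, predictable serial number")
	}
	s := cert.Subject
	if s.CommonName == "" || len(s.Organization) == 0 || len(s.Country) == 0 { // SQ20126
		findings = append(findings, "subject missing common fields (CN, O, C)")
	}
	// Validity is judged at the time the signature was made. A time-stamp
	// countersignature is what proves that time; without one the signature
	// cannot be trusted once the certificate has expired.
	validAt := func(t time.Time) bool { return !t.Before(cert.NotBefore) && !t.After(cert.NotAfter) }
	switch {
	case signedAt.IsZero():
		findings = append(findings, "not countersigned for time-stamping") // SQ20102
		if now.After(cert.NotAfter) {
			findings = append(findings, "expired without time stamp: signature no longer trustworthy") // SQ20106
		}
	case !validAt(signedAt):
		findings = append(findings, "certificate was expired (or not yet valid) when the signature was made") // SQ20104
	case now.After(cert.NotAfter):
		findings = append(findings, "signing certificate has since expired; trust rests on the time stamp") // SQ20105
	}
	return findings
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed field values standing in for a parsed certificate; not a real certificate.
	sloppy := &x509.Certificate{
		Subject:            pkix.Name{CommonName: "example-publisher"},
		Issuer:             pkix.Name{CommonName: "example-publisher"},
		SerialNumber:       big.NewInt(1),
		NotBefore:          now.AddDate(-2, 0, 0),
		NotAfter:           now.AddDate(-1, 0, 0),
		SignatureAlgorithm: x509.SHA1WithRSA,
	}
	for _, f := range CheckSigningCert(sloppy, time.Time{}, now) {
		fmt.Println("-", f)
	}
}
```

Run against a real file, the same function would take the leaf certificate parsed out of the signature and the time from its time-stamp countersignature; the same certificate then yields different findings depending on whether it was valid when the signature was made, which is the distinction the SQ20104, SQ20105 and SQ20106 policies draw.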
Recommended for you
Digital Certificates - Models for Trust and Targets for Misuse (ReversingLabs blog series)
Fine Tuning Your Risk Baseline With Code Signing Certificates (ReversingLabs video series)
Detecting Certificate-Signed Malware (ReversingLabs blog post)