
Digital signatures policies

Digital signatures policies are a group of software quality policies used by the Spectra Assure platform to help you improve the overall security of your software packages.


These policies are applied during software package analysis to check your code and inform you if any of the built-in validation rules are violated. Specifically, digital signatures policies focus on detecting tampering and certificate misuse in software packages, to help you protect the integrity of your software. They alert you to countersigning, cross-signing and integrity validation problems, to incomplete certificate metadata, and to certificates that are revoked, expired, blacklisted, or otherwise suspicious. Advanced users of Spectra Assure can adjust how each policy violation is treated and add their own exceptions to policy configuration files.

In the Spectra Assure SAFE report, these policy violations can be found in the Digital Signatures issue category and cause risk in the SAFE Assessment Tampering category.

Developers, release managers, and software publishers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect an issue with digital signatures in a software package, the affected files are highlighted in the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.

Security challenges and practices

Software should be signed so that whoever receives it can verify that it came from the publisher it claims to come from and has not been modified since it was signed. These electronic stamps of authenticity are called digital signatures, and code signing is the process of attaching them to your software before deployment. A signature does not stop the software from being altered in transit or on disk; it makes any alteration detectable.

Digital signatures are made with digital certificates. A certificate is a signed statement, issued by a Certificate Authority (CA), that binds a public key to the identity of the organization that owns the software package; the CA's own signature on the certificate is what vouches for that identity. The publisher signs a hash of the package with the private key that matches the certificate, and anyone holding the certificate can check that signature with the public key it contains. The certificate itself is not encrypted and is readable by anyone; it is the private key that must stay secret. In software supply chain security, certificates are also used for whitelisting and blacklisting files, or, in other words, for file classification, which requires maintaining a database of trusted and untrusted signers.

Rapid development practices in the modern software development lifecycle increase the need for valid and trustworthy certificates. Signing with a revoked or expired certificate, or leaving a signing key where it can be copied, makes your organization more susceptible to attack. This is precisely why it is important to keep your signing keys securely stored (for example, in a hardware security module) and to watch for certificate expiry and revocation, so that problems are caught before your software is widely distributed.

However, such safety measures can often be bypassed. There are many ways in which malicious actors can abuse digital certificates, including certificate forgery, certificate impersonation, private key compromise, and the use of revoked or expired digital certificates.

  • Certificate forgery - A digital signature can look valid at first glance, but a full validation shows that the certificate cannot be trusted. This happens, for example, when the certificate is self-signed or otherwise not issued by a trusted CA, so the chain of trust does not end at a trusted root, or when a malicious actor has obtained your private key and signed with it.
  • Certificate impersonation - Malicious actors can pose as trusted organizations, using seemingly legitimate certificates to lead users to believe they are running safe software. To make them look more realistic, these actors copy the information found in authentic certificates, which is why the issuer and the chain of trust have to be checked and not just the subject name.
  • Private key compromise - If not kept safe, the private keys associated with digital certificates can be stolen or otherwise compromised, which gives malicious actors access to potentially sensitive information. A compromised key can also be used to digitally sign malware under the identity of a trusted organization; until the certificate is revoked, such malware carries a signature that validates.
  • Use of revoked or expired digital certificates - Certificates that are still in use after revocation or expiration can no longer be regarded as valid or trusted; a certificate is often revoked precisely because its key was compromised and used to sign malicious software. CAs can also issue weak or improper certificates (for example, with short keys or missing usage constraints) that are more susceptible to misuse.

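To make the signing and verification steps described above concrete, and to show what each of the four abuses in the list looks like to a verifier, here is an added Go example (not code from the Spectra Assure product or its documentation). It uses only the Go standard library: it constructs a trusted CA, issues a code-signing certificate to a publisher, signs a constructed package digest, and then verifies that signature under five constructed conditions: a clean package, a tampered package, an impostor certificate with the same subject name but self-signed (not issued by the trusted CA), a certificate blacklisted by serial number, and verification after the certificate has expired. The CA name, publisher name, serial numbers, validity window, and the serial-number blacklist are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedPackage is a constructed, minimal signed artifact: the package bytes,
// the DER signing certificate shipped with them, and an ECDSA signature over
// the SHA-256 digest of the bytes. Real formats (Authenticode, JAR, etc.) add
// timestamps and countersignatures on top of this core.
type SignedPackage struct {
	Payload   []byte
	CertDER   []byte
	Signature []byte
}

var (
	ErrIntegrity = errors.New("integrity: signature does not match package contents")
	ErrRevoked   = errors.New("certificate is revoked or blacklisted")
)

// Assumed fixed validity window so the expiry scenario is reproducible.
var (
	notBefore = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter  = time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
)

// certTemplate builds a CA template (cert-signing) or a leaf template
// restricted to the code-signing extended key usage.
func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// newCert issues a certificate for pub, signed by signerKey under parent.
// Passing the template as its own parent produces a self-signed certificate.
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

// signPackage is the publisher side: hash the bytes, sign the hash with the private key.
func signPackage(payload, certDER []byte, key *ecdsa.PrivateKey) (*SignedPackage, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedPackage{Payload: payload, CertDER: certDER, Signature: sig}, nil
}

// verifyPackage is the consumer side. Integrity is checked first (a mismatch
// makes everything else moot), then the local blacklist, then the chain of
// trust, validity window and key usage via the x509 package.
func verifyPackage(p *SignedPackage, roots *x509.CertPool, revokedSerials map[string]bool, at time.Time) error {
	cert, err := x509.ParseCertificate(p.CertDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported signing key type")
	}
	digest := sha256.Sum256(p.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], p.Signature) {
		return ErrIntegrity
	}
	if revokedSerials[cert.SerialNumber.String()] {
		return ErrRevoked
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err // nil, x509.UnknownAuthorityError, x509.CertificateInvalidError{Expired}, ...
}

// Fixture holds the constructed trust store and two signed copies of the same
// package: one from the legitimate publisher, one from an impostor whose
// certificate copies the publisher's name but is self-signed.
type Fixture struct {
	Roots           *x509.CertPool
	Good, Impostor  *SignedPackage
	PublisherSerial string
}

func buildFixture() (*Fixture, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTpl := certTemplate("Example Trusted CA", 1, true) // assumed name
	ca, _, err := newCert(caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	pubKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, leafDER, err := newCert(certTemplate("Example Publisher", 2, false), ca, &pubKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueTpl := certTemplate("Example Publisher", 3, false) // same name, not issued by the trusted CA
	_, rogueDER, err := newCert(rogueTpl, rogueTpl, &rogueKey.PublicKey, rogueKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	payload := []byte("constructed package bytes for the example")
	good, err := signPackage(payload, leafDER, pubKey)
	if err != nil {
		return nil, err
	}
	rogue, err := signPackage(payload, rogueDER, rogueKey)
	if err != nil {
		return nil, err
	}
	return &Fixture{Roots: roots, Good: good, Impostor: rogue, PublisherSerial: "2"}, nil
}

func main() {
	f, err := buildFixture()
	if err != nil {
		panic(err)
	}
	at := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	tampered := *f.Good
	tampered.Payload = append([]byte("X"), f.Good.Payload[1:]...)
	fmt.Println("clean:   ", verifyPackage(f.Good, f.Roots, nil, at))
	fmt.Println("tampered:", verifyPackage(&tampered, f.Roots, nil, at))
	fmt.Println("impostor:", verifyPackage(f.Impostor, f.Roots, nil, at))
	fmt.Println("revoked: ", verifyPackage(f.Good, f.Roots, map[string]bool{f.PublisherSerial: true}, at))
	fmt.Println("expired: ", verifyPackage(f.Good, f.Roots, nil, notAfter.AddDate(0, 6, 0)))
}
```

Two points worth noting. The impostor certificate carries exactly the same subject name as the real publisher, and its signature over the package is mathematically valid; only the chain-of-trust check (the certificate was not issued by a CA in the trust store) rejects it, which is why subject names alone prove nothing. The expiry check is made against the time passed in: real code-signing verifiers accept a signature produced before expiry when a trusted timestamp countersignature proves when it was made, which is one reason countersigning problems are a separate policy concern from expired certificates.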
This is a serious issue for organizations that distribute software packages under their own digital signature. It brings the authenticity and integrity of your software into question: the software is presented as safe, but can harm user systems or steal their sensitive information. If software carrying your digital signature turns out to be malicious, that also tarnishes the reputation of your organization, and users lose confidence in your software.

Policies in this category

Digital signatures policies cover the following:

  • Countersigning and cross-signing issues
  • Integrity validation issues
  • Revoked, expired, blacklisted, and otherwise suspicious certificates
  • Incomplete certificate metadata