SQ20105
Detected digital signatures with an expired signing certificate.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| None | pass | low | medium | None | None |
About the issue
Digital signatures are applied to applications, packages and documents as a cryptographically secured record of authenticity. Signatures are made with digital certificates, which can either be purchased from certificate authorities or be self-issued. Every certificate has a validity period during which it can be used to create signatures.

For application signatures (digital code signing), it is recommended to countersign the signature with a trusted time-stamp. A countersigned software component has its signature validity extended past the expiration date of the signing certificate, because the time-stamp proves the signature was made while the certificate was still valid. Such signatures are considered valid indefinitely.

The detected signature is still considered valid, but one or more of the certificates used to make it have since expired. This could indicate that the application is relying on outdated components.
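The evaluation rule described above, as an added example that is not part of this page or of Spectra Assure's own checks: a signature is judged at its trusted countersignature time when one exists, otherwise at the current time, and the SQ20105 condition is a countersigned signature whose chain was valid when signed but contains a certificate that has expired since. The certificate chain, dates and the `evaluate` function are constructed for illustration only.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass
class Signature:
    chain: list                               # signing certificate first, then its issuers
    countersign_time: Optional[datetime] = None  # trusted time-stamp, if the signature was countersigned


def evaluate(sig: Signature, now: datetime) -> tuple:
    """Return (verdict, expired_subjects) for a signature evaluated at time `now`."""
    # Without a time-stamp there is no proof of when the signature was made,
    # so the chain can only be checked against the current time.
    check_time = sig.countersign_time or now
    if not all(cert.valid_at(check_time) for cert in sig.chain):
        return "invalid", [c.subject for c in sig.chain if not c.valid_at(check_time)]
    expired_now = [cert.subject for cert in sig.chain if not cert.valid_at(now)]
    if not expired_now:
        return "valid", []
    # Chain was valid at the countersignature time but a certificate has expired since:
    # the signature stays valid, which is exactly what SQ20105 reports.
    return "valid-expired-certificate", expired_now


# Constructed sample chain: a short-lived signing certificate under a long-lived CA.
SIGNING_CERT = Certificate("CN=Example Vendor", datetime(2020, 1, 1, tzinfo=UTC), datetime(2023, 1, 1, tzinfo=UTC))
ISSUER_CERT = Certificate("CN=Example CA", datetime(2015, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))
CHAIN = [SIGNING_CERT, ISSUER_CERT]
NOW = datetime(2024, 6, 1, tzinfo=UTC)

COUNTERSIGNED = Signature(CHAIN, countersign_time=datetime(2022, 6, 1, tzinfo=UTC))  # SQ20105 case
NOT_COUNTERSIGNED = Signature(CHAIN)                                                # no proof of signing time
COUNTERSIGNED_LATE = Signature(CHAIN, countersign_time=datetime(2023, 6, 1, tzinfo=UTC))  # signed after expiry

if __name__ == "__main__":
    for name, sig in [("countersigned", COUNTERSIGNED), ("plain", NOT_COUNTERSIGNED), ("late", COUNTERSIGNED_LATE)]:
        print(name, evaluate(sig, NOW))
```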
How to resolve the issue
- Check for available software component updates.
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- NPM: 3.72M
Recommended reading
- Digital certificates (External resource - Microsoft)
- Security Considerations for Code Signing (External resource: PDF document - NIST)