SQ20110
Detected digital signatures that contain a blacklisted certificate.
priority | CI/CD status | severity | effort | RL level | RL assessment |
---|---|---|---|---|---|
fail | high | medium | 1 | tampering: fail Reason: blacklisted certificates found |
About the issue
Digital signatures are applied to applications, packages and documents as a cryptographically secured record of authenticity. Signatures are made with digital certificates, which can either be purchased from certificate authorities or be self-issued. Information security companies actively monitor how digital certificates are used. Incidents where a signer's identity is misused to place an authenticity record on a malicious file (subverting user trust) can lead to the certificate being blacklisted. Once that happens, the presence of the certificate alone is enough to mark any content it was applied to as malicious, so users are less likely to trust such files.
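How a scanner arrives at this finding, as an added example in Go that is not part of the Spectra Assure documentation or product: it fingerprints every certificate in a signer's chain and fails the assessment on any blacklist hit. The test certificates, the blacklist and the function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint returns the hex SHA-256 of the certificate's DER bytes, the key a blacklist is usually indexed by.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// CheckChain walks the signer's whole chain (leaf and issuers) and returns the
// CI/CD status plus every fingerprint found in the blacklist; one hit is enough to fail.
func CheckChain(chain []*x509.Certificate, blacklist map[string]bool) (string, []string) {
	var hits []string
	for _, c := range chain {
		if fp := Fingerprint(c); blacklist[fp] {
			hits = append(hits, fp)
		}
	}
	if len(hits) > 0 {
		return "fail", hits
	}
	return "pass", nil
}

// newCert builds a constructed self-signed test certificate (a stand-in, not a real signer or CA).
func newCert(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	signer, issuer := newCert("Example Signer"), newCert("Example Issuer CA")
	status, hits := CheckChain([]*x509.Certificate{signer, issuer}, map[string]bool{Fingerprint(issuer): true})
	fmt.Println(status, "blacklisted certificates found", hits) // the blacklisted issuer alone fails the chain
}
```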
How to resolve the issue
- Acquire a new certificate and re-sign the software component, then publish the software package again.
Recommended reading
- Building secure certificate whitelists (ReversingLabs blog)