# SQ20113
Detected digital signatures that contain a certificate trying to impersonate a trusted publisher.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| | fail | high | medium | 1 | tampering: fail (Reason: impersonated signatures found) |
## About the issue
Digital signatures are applied to applications, packages and documents as a cryptographically secured record of authenticity. Signatures are made with digital certificates, which can either be purchased from certificate authorities or be self-issued. Self-issued certificates, however, can't be easily trusted: without the independent identity validation that a reputable certificate authority provides, any information contained in the digital signature can at best be considered questionable, and the identity information in a self-issued certificate can easily be impersonated by a third party.

We detected that the digital signature refers to a trusted software publisher identity. Since the certificate used to make this digital signature is self-issued, it can't be considered trustworthy. Most software packages that trigger this identity impersonation finding have malicious intent.
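The rule described above, as an added example that is not part of the ReversingLabs page or product: a Go program, written here for illustration, that builds three constructed certificates with the standard `crypto/x509` package and classifies each one. A certificate is flagged as an impersonation when its subject names a publisher from an allow-list but the certificate does not chain to a root in the trust store; it is additionally marked self-issued when its issuer name equals its subject name. The publisher name, the root CA name and the allow-list are all hypothetical values chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// trustedPublishers is a constructed allow-list (hypothetical name) of
// publisher identities that should only appear in CA-issued certificates.
var trustedPublishers = []string{"Example Trusted Publisher Inc."}

// Finding records the checks applied to one signing certificate.
type Finding struct {
	SelfIssued            bool // issuer name equals subject name
	ChainsToTrustedRoot   bool // chain builds to a root in the trust store
	ClaimsTrustedIdentity bool // subject CN or O names an allow-listed publisher
	Impersonation         bool // claims a trusted identity it cannot prove
}

// claimsTrusted reports whether the subject CN or O matches an allow-listed
// publisher name (case-insensitive, whitespace-trimmed).
func claimsTrusted(subject pkix.Name) bool {
	names := append([]string{subject.CommonName}, subject.Organization...)
	for _, n := range names {
		for _, p := range trustedPublishers {
			if strings.EqualFold(strings.TrimSpace(n), p) {
				return true
			}
		}
	}
	return false
}

// Inspect applies the policy's rule: a certificate that names a trusted
// publisher but does not chain to a trusted root is an impersonation attempt.
func Inspect(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) Finding {
	f := Finding{
		SelfIssued:            bytes.Equal(leaf.RawIssuer, leaf.RawSubject),
		ClaimsTrustedIdentity: claimsTrusted(leaf.Subject),
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	f.ChainsToTrustedRoot = err == nil
	f.Impersonation = f.ClaimsTrustedIdentity && !f.ChainsToTrustedRoot
	return f
}

// mint creates a certificate for subject, signed by parent or, when parent is
// nil, by its own fresh P-256 key (self-issued). Constructed test data only.
func mint(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	signer, signerKey := tmpl, key // self-issued unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo inspects three constructed certificates against a trust store holding
// one constructed root: a CA-issued trusted-publisher cert, a self-issued cert
// copying that publisher's name, and a self-issued cert claiming no trusted identity.
func Demo() (Finding, Finding, Finding, error) {
	now := time.Now()
	var none Finding
	ca, caKey, err := mint(pkix.Name{CommonName: "Example Root CA"}, true, nil, nil)
	if err != nil {
		return none, none, none, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	publisher := pkix.Name{
		CommonName:   "Example Trusted Publisher Inc.",
		Organization: []string{"Example Trusted Publisher Inc."},
	}
	genuine, _, err := mint(publisher, false, ca, caKey)
	if err != nil {
		return none, none, none, err
	}
	fake, _, err := mint(publisher, false, nil, nil) // same name, self-issued
	if err != nil {
		return none, none, none, err
	}
	hobbyist, _, err := mint(pkix.Name{CommonName: "Hobby Project"}, false, nil, nil)
	if err != nil {
		return none, none, none, err
	}
	return Inspect(genuine, roots, now), Inspect(fake, roots, now), Inspect(hobbyist, roots, now), nil
}

func main() {
	issued, impersonated, hobby, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA-issued:         %+v\n", issued)
	fmt.Printf("self-issued fake:  %+v\n", impersonated)
	fmt.Printf("self-issued hobby: %+v\n", hobby)
}
```

Only the self-issued certificate that copies the allow-listed publisher name comes back with `Impersonation: true`; the hobby certificate is equally self-issued but claims no trusted identity, which is exactly the distinction the policy draws. In a real scanner the trust store would be the platform's code-signing roots rather than a constructed CA, and the allow-list would be the publisher identities the organisation actually trusts.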
## How to resolve the issue
- Acquire a new certificate and re-sign the software component, then publish the software package again.
## Recommended reading
- You are you, but so am I - certificate impersonation (ReversingLabs blog)
- A new kind of certificate fraud: Executive impersonation (ReversingLabs blog)