Skip to main content

SQ20117

Detected digital signatures with object IDs whose content is excluded from integrity validation.

priorityCI/CD statusseverityeffortRL levelRL assessment
passhighhighNonetampering: warning
Reason: partially signed components

About the issueโ€‹

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. Certificates consist of various object fields, some of which are enumerated by unique object identifiers called OIDs. Certificate specification allows for extensions through a set of reserved OIDs that can have arbitrary binary data as their value. That content is purposefully excluded from signature validation so that it can be changed after a signature has been made. However, presence of such data makes it impossible to determine if the file integrity has been compromised.

How to resolve the issueโ€‹

  • Take a closer look at these kinds of files, because malware commonly tries to go unnoticed by hiding within these validation gaps.
  • Some software vendors use this approach in a non-malicious context to insert unique package information for tracking purposes after packaging. Using non-verifiable OIDs is considered an insecure practice, and you should deprecate it in your processes.

Incidence statisticsโ€‹

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total amount of packages analyzed:

  • RubyGems: 174K
  • Nuget: 189K
  • PyPi: 403K
  • NPM: 2.1M