SQ20122
Detected digital signatures used for code signing that do not have code signing listed for their intended use.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | fail | high | medium | 2 | None |
About the issueโ
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. Certificates consist of various object fields, some of which describe the allowed certificate uses. Digital certificates can only be used for code signing if that property is found in its list of extended key usage policies. It is possible to mistakenly use an SSL certificate as a code signing certificate during software publishing.
How to resolve the issueโ
- Review the certificate information passed to the code signing application.
- If the problem persists, re-sign the software component with a newly acquired certificate, then publish the software package again.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Code signing certificate (External resource - IEEE Computer Society)
- Code signing (External resource - Wikipedia)