SQ20133
Detected digital signatures that were made with a certificate before its validity period began.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | fail | high | medium | 2 | tampering: fail Reason: signature compliance mistakes |
About the issueโ
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be self-issued or purchased from certificate authorities. Certificates have a validity period during which they can be used to create signatures. Before the validity period has started, the certificate is considered invalid and should not be used for signing. This issue indicates that a certificate was used before it was intended to create a digital signature. Failing to comply with the established code signing best practices may result in application errors and availability outages.
How to resolve the issueโ
- Check the validity period of the signing certificate and re-sign the software component.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- RubyGems: 183K
- Nuget: 644K
- PyPi: 628K
- NPM: 3.72M
Recommended readingโ
- Digital certificates (External resource - Microsoft)
- Security Considerations for Code Signing (External resource: PDF document - NIST)