Code signing is based on the use of a digital signature, which is in turn is based on a digital certificate issued by a trusted third party (a certification authority) that has verified the identity of the software or content publisher. For example, When a Certificate Authority issue code signing digital IDs to software developers. When a developer enrolls for a digital ID, he is required to submit documentation of proof of identity. A public/private key pair is generated when the certificate is requested. The private key stays on the requester’s computer and is never sent to the CA. It should not be shared with anyone. The public key is submitted to the CA with the certificate request. After the certificate is issued, the developer uses the private key associated with that public key to sign his code. When users download the signed code, they get a copy of the certificate verifying the identity of the author/publisher. The Web browser verifies the digital signature, and the user knows that the code did indeed come from that particular developer.
Here is what happens when a developer signs the code:
The code is put through a one-way hash function. This creates a “digest” of fixed length. The developer’s private key is used to encrypt this digest. The digest is combined with the certificate and hash algorithm to create a signature block. The signature block is inserted into the portable executable file.
What happens at the other end (on the computer that downloads the signed code)?
Here’s the process: The certificate is examined and the developer’s public key is obtained from the CA. The digest is then decrypted with the public key. The same hash algorithm that was used to create the digest is run on the code again, to create a second digest. The second digest is compared to the original. If the two digests match, you know that the public key is the one that matches the private key used to sign the code, and you know that the code hasn’t been changed since it was signed.
