Avoid the Digital and Code Signing Certificates Journey of Pain

Moshe and Dennis co-founded vChain, the company that created CodeNotary, out of their frustration with digital and code signing certificates. As most people reading this blog post will surely agree, digital certificates are a constant source of pain and hassle.

Why do we need to sign our code with a digital certificate?

Stress

The process of getting a digital certificate for code signing is best described as:

  • extremely cumbersome and time-intensive. Certificate authorities’ customer onboarding process is frustrating, annoying and time-consuming
  • impossible for customers to estimate how long the process will take. Certificate authorities dictate the venues for validating who you are. They keep adding more roadblocks after you have started the process
  • impossible to get the signing certificate without involving the support team of the certificate authority. Often you can only chat with a bot or an inexperienced person who’s just repeating what’s already on the website and clearly doesn’t work
  • at no point do you feel treated professionally, nor that your satisfaction is important to the authority

Did we mention that you can’t offload the procedure to some 3rd party or simply your office assistant?

During this whole process, you often pause and ask yourself again why you’re actually going through all this. In those moments, you remember why you started this procedure in the first place: Windows verifies the signing certificate and tries to prevent the installation of unsigned software.

Therefore, Windows and code signing certificates should protect you from installing "bad" software. But do they? It is true that the bad guys can’t get a signing certificate in your name. But valid certificates sign malicious code too! You won’t find Oracle, Microsoft, Apple or other big names on the certificate, but sound-alike names. So even those who check the signing certificate details (less than one per mil) probably won’t be able to notice the difference.
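The sound-alike problem is the reason a valid signature should be checked against a pinned publisher name rather than eyeballed. The following is an added example, not code from the original post or from CodeNotary; it assumes the subject organisation string has already been read from a signature that verified, and the allow-list, function names and sample names are constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Publishers this organisation expects, pinned to the exact subject O= string.
# Constructed sample values, not taken from the post.
PINNED = ("Microsoft Corporation", "Oracle America, Inc.", "Apple Inc.")

_LEGAL_FORMS = re.compile(r"\b(corporation|corp|incorporated|inc|llc|ltd|limited)\b")
_DIGIT_SWAPS = str.maketrans("0135", "oles")  # common digit-for-letter swaps


def skeleton(name: str) -> str:
    """Reduce a publisher name to roughly what a hurried reader perceives."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).casefold()
    s = _LEGAL_FORMS.sub(" ", s.translate(_DIGIT_SWAPS))
    return re.sub(r"[^a-z]", "", s)  # drops spaces, punctuation, non-Latin letters


def classify(subject_org: str, pinned=PINNED, threshold: float = 0.85):
    """Return ("pinned" | "lookalike" | "unknown", matched pinned name or None)."""
    if subject_org in pinned:  # exact, case-sensitive match only
        return ("pinned", subject_org)
    sk = skeleton(subject_org)
    for good in pinned:
        gk = skeleton(good)
        if sk == gk or SequenceMatcher(None, sk, gk).ratio() >= threshold:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for org in ("Microsoft Corporation", "Micr0soft Corp.", "Mircosoft Corporation",
                "\u0410pple Inc.", "Example Widgets LLC"):
        print(f"{org!r:28} -> {classify(org)}")
```

A "lookalike" verdict is a reason to block or escalate even though the signature itself is valid; "unknown" is left to whatever policy applies to unlisted publishers.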

Our hands-on experience with digital and code signing certificates

  • After we finished our first release of CodeNotary for Linux, macOS, and Windows, we realized that we had to sign our code to go through Windows
  • We looked on the web for a reliable and affordable Certificate Authority for code signing certificates
  • We found several alternatives with huge price differences and different offerings. Comparing them was difficult, at best
  • We registered with a popular CA for a code signing certificate and bought a one year certificate
  • We received an email that the verification process had started and that it should finish within a few minutes

So far, so good, but…

As you have probably already guessed, all hell broke loose at this point:

  • An email came in from the CA, asking us to send a proof of address for the validation through the support portal
  • We tried to access the portal and got an NGINX error (!)
  • So we opened a support chat on the CA website. At first, we spoke with their sales department but, as soon as they realized that we were already a paying customer, they switched us to technical support
  • After 10 minutes on hold, the support told us that our account was under validation (as if we didn’t already know) and to upload the requested document as soon as the website was back online
  • The support portal came back online and we uploaded a bank statement
  • The next day, our mailing address was validated. Someone would reach out to us at 512########, which was different from the phone number we entered during the registration
  • We called the support to understand the problem. They found on Google a similarly named company based in Austin (we’re in Houston, TX) and decided to use that phone number instead of the one we provided
  • We asked to change the number: not possible. For that, we needed to register with a 3rd party like DNB.com, which takes up to 30 days to get validated
  • We couldn’t wait 30 days so we asked for an alternative solution. They suggested confirmation of the phone number by a lawyer or a CPA
  • We chose the CPA option, paid another $200 for the letter and sent it to the CA
  • Support came back: they needed to call the CPA to confirm that he signed the letter

Is the signing certificate pain over?

This saga for issuing a signing certificate is "to be continued" as we are now waiting for the CA to confirm our phone number. We can check back in about a week. So, in no less than a week we will know when we will be able to sign and release our product to the market.

What is the good news?

So, code signing is not only unable to ensure software trust but also a cause of delay in your time-to-market. Luckily the signing certificate for which we are enduring such a battle will sign CodeNotary. CodeNotary allows software vendors and publishers to sign their code in 1 simple step.

 


 

If you liked this blog, you should see the second one in the three-part series that covers the signing of a Microsoft Windows Go executable with a code signing certificate. Read part 2 here

