- Written by: Glenn D
- Category: General Developer News
Sign your code - and use SHA-2
Code signing your production executables and supplementary DLLs has been treated as optional by many developers for a long time.
This should stop: signing everything you ship should become mandatory practice!
It is a topic I have tried to bring more awareness to, not only to ensure you ship a trustworthy application, but also to combat stricter execution environments.
As a side note, code signing certificates are cheap nowadays. Getting an OV certificate, which would suffice for most developers out there, costs as little as $84 for a year at ksoftware. Pricing is as of the time of writing this article and might change in the future.
- There's really no excuse for not signing today.
EV certificates are also an option, though they serve a different purpose, are more expensive, and have a more rigorous validation process.
For those who already are familiar with code signing, you might have noted we've been signing with SHA-1 for a very long time. It's kind of been the norm.
A couple years back, however, security experts demonstrated weaknesses in the SHA-1 hashing algorithm and deemed it unsafe.
As a result, code signing should at least use SHA-256 instead, also known as SHA-2.
Recently, Microsoft published a blog post detailing the cut-off date, which basically means the SHA-1 Trusted Root Certificate will expire and their updates, and everything shipped from them, will be signed with SHA-2 only.
While it might not affect you directly at first, your current code signing certificate might be linked to this root certificate, and the expiration might result in validation issues.
I would encourage you, dear reader and fellow developer, to sign the code you ship and to start using SHA-2, reducing the headache of customer support tickets.
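To check which of your shipped files still declare SHA-1, the script below (an added example, not from the original article) reads the digest algorithm out of a PE file's embedded Authenticode signature. It inspects only the primary signature, so a second signature nested inside it is not reported, and it does not validate anything; the function names are illustrative.

```python
import struct
import sys

# DER-encoded OID bytes of the digest algorithms seen in Authenticode signatures.
DIGEST_OIDS = {
    bytes.fromhex("2b0e03021a"): "SHA-1",
    bytes.fromhex("608648016503040201"): "SHA-256",
    bytes.fromhex("608648016503040202"): "SHA-384",
    bytes.fromhex("608648016503040203"): "SHA-512",
}

def read_tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def authenticode_digest(pe):
    """Digest algorithm declared by a PE file's primary signature, None if unsigned."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                       # optional header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)              # data directory table
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: certificate table
    if off == 0 or size == 0:
        return None
    length, _rev, cert_type = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE
    if cert_type != 0x0002:                             # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unsupported certificate type")
    der = pe[off + 8:off + length]
    _, p, _ = read_tlv(der, 0)      # ContentInfo SEQUENCE
    _, _, e = read_tlv(der, p)      # contentType OID (signedData)
    _, p, _ = read_tlv(der, e)      # [0] EXPLICIT wrapper
    _, p, _ = read_tlv(der, p)      # SignedData SEQUENCE
    _, _, e = read_tlv(der, p)      # version INTEGER
    _, p, _ = read_tlv(der, e)      # digestAlgorithms SET
    _, p, _ = read_tlv(der, p)      # first AlgorithmIdentifier SEQUENCE
    _, p, e = read_tlv(der, p)      # algorithm OID
    oid = bytes(der[p:e])
    return DIGEST_OIDS.get(oid, "unknown OID " + oid.hex())

if __name__ == "__main__":
    for path in sys.argv[1:]:       # e.g. every .exe and .dll in the release folder
        with open(path, "rb") as f:
            print(path, authenticode_digest(f.read()) or "UNSIGNED")
```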
Link to the Microsoft blog post
As always, I hope you learned something.
./Glenn