Security with Double Image Code Signed Certificate

Published Double Image code and install packages are signed using SHA-256 with RSA encryption.

When Double Image is built into a software installation package, it must go through a code signing process in which a code signing certificate issued by a Certificate Authority (CA) is used to sign the executable and other code files. When the install package is run and Double Image is installed on a user's machine (which only an Administrator user is permitted to do), the installer's code signing certificate is presented to the admin user before the install occurs, so the admin user can examine the certificate. If the certificate is not valid, the operating system alerts the admin user.

The Double Image code signing certificate can be viewed:

  • when the software is installed
  • when the software is run
  • in the 'Signature' tab when viewing the properties of the Double Image executable or related Double Image installed code files.

Certificate Signatures vs Thumbprints

Certificate signatures, which are used for certificate validation, are not the same as thumbprints, which are used only for reference.

A certificate security transition occurred in 2015, when the SHA-1 algorithm was replaced by the newer hashing algorithm SHA-2. If a code signing certificate was ordered from an issuing Certificate Authority (CA) by the developer or web site administrator in 2016 or later, then the certificate will use a SHA-2 signature algorithm (not SHA-1, which has been barred). The SHA-1 algorithm is no longer acceptable for cryptographic signatures.

When a computer user installs software and uses that software's set of files, the system checks the signature to make sure it is legitimate and not a forgery. (The thumbprint is not checked for security.) Web browsers also check their root certificates against web site (domain) certificates for the same reason.

Signature algorithm

The Double Image 'Signature algorithm' used is 'sha256RSA' (SHA-2) which is compliant with current industry security standards.

Signature hash algorithm

The Double Image 'Signature hash algorithm' used is 'sha256' (SHA-2), which is compliant with current industry security standards.

The SHA-2 hashing algorithm is not the same as the 'Thumbprint algorithm'. The SHA-2 hashing algorithm is used for certificate signatures. The signatures are encrypted and used to assure the user that the related web page or software object code and files are valid and secure. Every certificate has a signature that proves that it has been verified by a Certificate Authority (CA) and is authentic. Signatures are used for security, while thumbprints are not. Thumbprints are used only for reference.

Thumbprint

A certificate's Thumbprint is a unique identifier that no other certificate has. It is a random-looking string of numbers and letters produced by running a mathematical hashing algorithm against the certificate's data. Since the 'Thumbprint' is unique, it can be used to compare multiple certificates to determine whether they are the same or different. While the 'Thumbprint algorithm' may be 'sha1' (SHA-1) in a SHA-2 certificate, the 'Thumbprint' is not related to the certificate's security.

The Double Image code signing certificate is 100% SHA-2 compliant with industry standards as of 2016 and later. (See 'Signature algorithm' and 'Signature hash algorithm', above.)

The Thumbprint and Signature (described above) are not related. The 'Thumbprint' is not actually a part of the certificate; it is calculated and displayed for reference. On Windows, the 'Thumbprint algorithm' is listed as 'sha1' (SHA-1) because this is the hashing algorithm that Windows uses for the thumbprint. The unique 'Thumbprint' is shown in the Certificate properties of the executable file.
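The distinction above, as an added example that is not part of the original article or of Double Image: the signature algorithm is a field read out of the certificate's encoded data, while the thumbprint is a hash the viewer computes over that data. The sample bytes are a constructed skeleton with a certificate's outer layout and placeholder contents, not the Double Image certificate; all function names are illustrative.

```python
import hashlib

SIG_ALGS = {"1.2.840.113549.1.1.11": "sha256RSA", "1.2.840.113549.1.1.5": "sha1RSA"}

def tlv(tag, body):
    """DER-encode one tag-length-value element."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos=0):
    """Return (body, next_pos) of the DER element that starts at pos."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                          # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Read the signatureAlgorithm field stored inside the certificate."""
    cert, _ = read_tlv(cert_der)                  # outer Certificate SEQUENCE
    _, pos = read_tlv(cert)                       # skip tbsCertificate
    alg, _ = read_tlv(cert, pos)                  # AlgorithmIdentifier
    oid = decode_oid(read_tlv(alg)[0])
    return SIG_ALGS.get(oid, oid)

def thumbprint(cert_der, algo="sha1"):
    """Hash over the whole encoded certificate; computed by the viewer, not stored."""
    return hashlib.new(algo, cert_der).hexdigest().upper()

def build_sample(sig_oid_hex):
    """Constructed skeleton with a certificate's outer layout (placeholder contents)."""
    tbs = tlv(0x30, tlv(0x0C, b"constructed placeholder, not real certificate data"))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    sig = tlv(0x03, b"\x00" + bytes(256))         # dummy signature bits
    return tlv(0x30, tbs + alg + sig)

SAMPLE = build_sample("2a864886f70d01010b")       # OID for sha256RSA
```

Calling `thumbprint(SAMPLE)` and `thumbprint(SAMPLE, "sha256")` gives two different reference strings for the same bytes, while `signature_algorithm(SAMPLE)` stays the same because it is read from the data itself.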

Dual code signing using SHA-1 and SHA-2 Certificates

Double Image installation packages and the compiled code files are dual signed.

This allows the certificates to be accepted by Windows systems such as XP that may only handle SHA-1. The operating system determines which certificate to rely on: starting with Windows Vista, the SHA-2 certificate is relied on, while on an XP system SHA-1 may be acceptable, as of this writing.

To ensure that the certificate being used is SHA-2 compliant, look at the 'Signature algorithm' field in the 'Details' tab.

Article Details

Article ID:
5