As a software developer, you are signing the code using a certificate to protect it from being tampered with and authenticate your identity to users. Which of the following is the best implementation?
A. Hash the code and encrypt the result using your private key
B. Digest the code using your public key as the digital signature
C. Encrypt the fingerprint of the code using your public key
D. Encrypt the code and its fingerprint using your private key

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Hash the code and encrypt the result using your private key.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

A digital signature ensures non-repudiation, which also includes data integrity and authenticity. Technically, a digital signature is nothing more than the hash of an object signed by a subject’s private key.

Hash (value), digest, and fingerprint are synonyms. To digest the code is in fact to hash the code, which doesn’t need a public key.

Encrypting the fingerprint of the code using your private key or hashing the code and encrypt the result using your private key are the rewording of generating a digital signature.

Only the fingerprint of the code needs to be encrypted by your private key. You don’t need to encrypt the code when signing it.

Reference

• The Top 5 Most Popular SSL Certificate Authorities Reviewed
• What is Code Signing?
• FIPS PUB 186-4
• ClickOnce and Authenticode
• Code access security for ClickOnce applications
• Configuring ClickOnce Trusted Publishers

---