Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Security Considerations for Code Signing



David A. Cooper, Andrew R. Regenscheid, Murugiah P. Souppaya


A wide range of software products (also known as code)--including firmware, operating systems, mobile applications, and application container images--must be distributed and updated in a secure and automatic way to prevent forgery and tampering. Digitally signing code provides both data integrity to prove that the code was not modified, and source authentication to identify who signed the code. This paper describes features and architectural relationships of typical code signing solutions that are widely deployed today. It defines code signing use cases and identifies some security problems that can arise when applying code signing solutions to those use cases. Finally, it provides recommendations for avoiding those problems and resources for more information.


application container, code signing, digital signature, firmware, mobile application, operating system, software update
Created January 26, 2018, Updated January 27, 2020