David Cooper, Andrew Regenscheid, Murugiah Souppaya
Abstract
A wide range of software products (also known as code)--including firmware, operating systems, mobile applications, and application container images--must be distributed and updated in a secure and automatic way to prevent forgery and tampering. Digitally signing code provides both data integrity to prove that the code was not modified, and source authentication to identify who signed the code. This paper describes features and architectural relationships of typical code signing solutions that are widely deployed today. It defines code signing use cases and identifies some security problems that can arise when applying code signing solutions to those use cases. Finally, it provides recommendations for avoiding those problems and resources for more information.
Cooper, D., Regenscheid, A. and Souppaya, M. (2018), Security Considerations for Code Signing, OTHER, National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.CSWP.01262018, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=925081 (Accessed October 8, 2025)