A signature under a document typically provides some kind of authorization. At the same time, it also ensures a way to verify that the document was signed by the person who claims to have done so, by comparing the signature with a trusted source.
Code signing of executable files allows similar verifications that can enhance security. All binary executable files delivered by COPA-DATA are digitally signed using a code-signing certificate. This allows a user to:
- verify that the executable file originates from COPA-DATA
- verify that the executable file has not been modified since it was published by COPA-DATA
In the file properties, Windows Explorer allows a user to check the validity of a digital signature in the tab “Digital signature”. Other tools like “Process Explorer” and “sigcheck.exe” by Sysinternals (Microsoft) allow automated verification of digital signatures on executable files. The “signtool”, which is part of the Windows SDK, also allows such checks.
Application whitelisting software can often make use of digitally signed executable files. It may be configured to only allow executing files that are issued by a trusted issuer, based on the digital code signing certificate used by the trusted issuer. An executable that has been tampered with or that is not issued by the trusted issuer, would not execute.
Microsoft has deprecated the use of SHA-1 code signing certificates and no longer supports it as of 01.01.2016. Instead, Microsoft recommends using SHA-2 (SHA-256) Code Signing certificates. Certificate Authorities, the issuers of digital certificates, have followed this notice and no longer provide SHA-1 Code Signing certificates that have a validity extending beyond 01.01.2016.
Microsoft does not fully support SHA-2 Code Signing certificates in all versions of Windows however. General support for SHA-2 Code Signing certificates is not available on older operating systems. In newer versions of Windows without all the latest updates, SHA-2 Code Signing may be available for regular binary executable files but not for kernel level drivers. For some versions, Microsoft does provide updates that supports Code Signing for kernel level drivers. Have a look at Microsoft’s Security Advisory – knowledge base article 3033929 for more information.
This is not the case for Windows XP and Windows Vista. And although these operating systems are no longer supported for current zenon versions, older zenon versions that are still maintained, may need an update of the older zenon version that runs on these operating systems.
Binary executable files issued by COPA-DATA after 12.06.2015 will therefore have a dual signature. One SHA-1 signature and an additional SHA-256 signature. Only the SHA1 signature will be displayed on older operating systems and it will still be possible to verify the file integrity by checking the SHA-1 signature. On newer operating systems, the SHA-256 signature can also be verified.