Code signing mechanism is based on the mature mechanism of PKI technology, to help developers and end users to establish a safe and trusted software release and using environment, to protect the intellectual property rights and the prestige, confirm the identity of the software developers, software has not been modified since the signature and the alteration, accurate to distinguish the legal application and malicious software, Ensure the security of developer code and consumer software content.
However, in the practical application of code signature, there are many security management problems and security risks, which can easily cause great financial losses and brand damage. (such as: improper use, lax storage, resulting in key disclosure; Poor management and so on caused the certificate leakage……)
Does this news make you anxious?
■ Stuxnet, a virus that became famous in June 2010, stole digital signatures from well-known IT companies and disguised them.
■ In April 2013, AMI Aptio UEFI BIOS source code was leaked in Taiwan FTP server, including AMI SPECIAL UEFI BIOS signature test key
■ In September 2015, D-Link accidentally leaked a private code-signing key that could be used by hackers to sign malware, making it easier to carry out attacks.
■ In 2015, a South Korean mobile software developer had its signature certificate stolen, which was used by hackers to sign a violent server message block (SMB) scanner.
■ In November 2018, Tencent Intelligence Security Royal See Threat Intelligence Center found that a mining Trojan with a legitimate digital signature is quietly popular in Windows and Android systems, infected computers and mobile phones will run the Monroe coin mining program.
■ In May 2019, Samsung’s sensitive SmartThings source code was leaked along with certificates and keys, including private certificates for iOS and Android apps.
In order to easily deal with the security management risks of code signature caused by lax custody, such as key disclosure, difficult recovery of signature permission, and inconvenient use of EV code signature across departments and regions, this time to solve the problem for everyone is the “protagonist” :
VSign
Sign desktop and mobile applications across regions and platforms
Asian integrity after years of research, constantly optimize the product function, grinding product details, independent research and development of “VSign” code signing solutions perfect realize cross-platform cross-regional swimming in seconds, telekinesis, and many people to sign, can help enterprises more leisurely face unpredictable change trend and potential security risks, and ultimately achieve the goal of business growth.
All security requirements are met
Consumer applications: Not being able to control all the keys at all times leaves businesses and consumers vulnerable to attack.
Internal applications: The complexity and difficulty of code signing security processes and controls in internal development poses significant risks.
Third party markets: Sharing keys among many developers removes them from the visibility and control of the organization.
Select VSign= security and efficiency up to 90%
☞ Cloud encryption machine: in the hardware security module, safe and reliable management and storage of keys;
☞ Unified identity authentication: Supports unified identity authentication for multiple operations in LDAP and OAuth enterprises.
☞ Privatized deployment: provide a complete set of signature system privatized deployment, more secure and controllable;
☞ Remote certificate mapping: The remote certificate is mapped to the local PC for use by other signing clients.
☞ Seamless signature experience: The desktop client and cloud system are perfectly combined to provide secure, fast, and convenient signature services.
☞ Cross-platform signature service: supports a variety of file formats, including Windows, Mac/iOS (activated on demand), and Android (activated on demand);
☞ Batch signature: Users can sign files in large batches by setting signature rules.
☞ Signature audit: Complete signature audit function and responsibility tracing mechanism the signature process is fully visible;
☞ Built-in multi-brand timestamp service: Provides multi-brand timestamp services, including DigiCert, TrustAsia, Symantec, etc., in particular, RFC3161 and MS Authenticode;