Code Signing And Signature Verification

Proving software came from a trusted author and was not tampered with.

Trust In What You Run

Code signing attaches a cryptographic signature to software so a consumer can verify two things: that it came from a known author and that it was not altered after signing. The author signs with a private key and publishes the matching public key.

How Verification Works

  • The author computes a hash of the artifact and signs it with their private key.
  • The consumer recomputes the hash and checks the signature with the public key.
  • A mismatch means the artifact was modified or signed by someone else.
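
The three steps above, worked through end to end as an added example (not code from the original lesson): the author hashes the artifact with SHA-256 and signs the digest with an Ed25519 private key, the consumer recomputes the digest and checks it against the public key, and a tampered artifact or a signature from a different key both fail. The key pair and the artifact bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignArtifact is the author's step: hash the artifact and sign the digest
// with the private key. (Ed25519 can sign the raw bytes directly; pre-hashing
// here mirrors the hash-then-sign flow described in the lesson.)
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyArtifact is the consumer's step: recompute the digest and check the
// signature with the public key. A false result means the artifact changed
// after signing or was signed by a different key.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// Demo runs the three outcomes a verifier must distinguish and returns them:
// a genuine artifact, a tampered artifact, and a signature checked against
// the wrong author's public key. Keys and artifact are constructed sample data.
func Demo() (genuine, tampered, wrongSigner bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the author's key pair
	if err != nil {
		return
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // some other author's key
	if err != nil {
		return
	}
	artifact := []byte("constructed sample artifact: contents of release-v1.0.tar.gz")
	sig := SignArtifact(priv, artifact)

	genuine = VerifyArtifact(pub, artifact, sig)
	modified := append([]byte{}, artifact...)
	modified[0] ^= 0x01 // flip one bit after signing: the digest no longer matches
	tampered = VerifyArtifact(pub, modified, sig)
	wrongSigner = VerifyArtifact(otherPub, artifact, sig)
	return
}

func main() {
	g, t, w, err := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "wrong signer:", w, "err:", err)
}
```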

Doing It Well

  • Protect the signing key in hardware or a managed service.
  • Verify signatures in the install and deploy pipeline, not just manually.
  • Combine with transparency logs so signatures are publicly auditable.

Key idea

Code signing binds an artifact to an author and proves it is unaltered, so protect the signing key and verify signatures automatically before running code.

Check yourself

1. What two things does verifying a code signature prove?

2. Where should signature verification ideally happen?