code-signing
Safeguard articles tagged "code-signing" — guides, analysis, and best practices for software supply chain and application security.
25 articles
3CX desktop app supply chain compromise
A breakdown of the 3CX supply chain compromise: how Lazarus-linked attackers poisoned a signed desktop build via a nested vendor attack chain.
Sigstore Cosign Keyless Signing Explained for Teams
Keyless signing swaps long-lived private keys for ten-minute certificates tied to an OIDC identity. How Fulcio and Rekor work, and how to roll it out without breaking deploys.
Code Signing Infrastructure Breach Response
A compromised signing key is the quietest crisis in security. A concrete playbook for responding when your code signing infrastructure is implicated.
Securing Software Update Mechanisms
Software updates are a double-edged sword: they deliver patches but also provide a trusted channel attackers can exploit. Securing the update mechanism itself is essential to supply chain integrity.
AnyDesk Production Systems Compromised: Code Signing Certificates Stolen
AnyDesk confirmed a breach of their production systems in late January 2024, forcing revocation of code signing certificates and a mandatory password reset for all users.
Code Signing Certificates and Software Supply Chain Integrity
Code signing is a critical trust anchor in the software supply chain. This guide covers how it works, how it fails, and how to implement it correctly.
GitHub Code Signing Bypass: When the Trust Anchor Fails
A vulnerability in GitHub's commit signature verification allowed attackers to forge signed commits. The flaw undermined the integrity guarantees that code signing is supposed to provide.
Software Update Signing and Verification: Getting It Right
Signed updates are table stakes for software distribution. But the signing and verification process has pitfalls that undermine the entire security model.
Sigstore Reaches GA: Free Software Signing for Everyone
Sigstore's general availability in October 2022 made cryptographic signing accessible to every developer. Here's why this is a watershed moment.
Linux Kernel Supply Chain Security: How the World's Largest Project Protects Itself
The Linux kernel is the most critical open source project on earth. Its supply chain security practices offer lessons for every project, but also reveal challenges that scale creates.
NVIDIA LAPSUS$ Breach: Stolen Code Signing Certificates Used to Sign Malware
When LAPSUS$ breached NVIDIA, they stole code signing certificates that were immediately weaponized to sign malware. The incident demonstrated how trust mechanisms become attack vectors.
Sigstore and Cosign: Software Signing for the Rest of Us
Sigstore makes software signing accessible by eliminating the pain of key management. Here's how Cosign, Fulcio, and Rekor work together to verify software integrity.