nerdexam
(ISC)2

CISSP · Question #640

What is the purpose of code signing?

The correct answer is B. The vendor certifies the software being loaded is free of malicious code and that it was originated. Code signing is a process where a vendor uses a digital signature to certify the authenticity and integrity of software, assuring users it originated from them and has not been tampered with.

Submitted by akirajp· Mar 5, 2026Software Development Security

Question

What is the purpose of code signing?

Options

  • AThe signer verifies that the software being loaded is the software originated by the signer.
  • BThe vendor certifies the software being loaded is free of malicious code and that it was originated
  • CThe signer verifies that the software being loaded is free of malicious code.
  • DBoth vendor and the signer certify the software being loaded is free of malicious code and it was

How the community answered

(35 responses)
  • A
    6% (2)
  • B
    91% (32)
  • D
    3% (1)

Why each option

Code signing is a process where a vendor uses a digital signature to certify the authenticity and integrity of software, assuring users it originated from them and has not been tampered with.

AThe signer verifies that the software being loaded is the software originated by the signer.

This answer is partially correct in that signing verifies origin, but it omits the vendor's certification of integrity and the assurance that the code is free of malicious modification, making it incomplete.

BThe vendor certifies the software being loaded is free of malicious code and that it was originatedCorrect

Code signing allows the vendor (as the code signer) to attach a digital signature to software, certifying both its origin (it was created by that vendor) and its integrity (it has not been maliciously altered since signing). The certificate-based signature provides assurance of authenticity and, by extension, that the code is as the vendor intended - free of unauthorized modifications or malicious injections.

CThe signer verifies that the software being loaded is free of malicious code.

Code signing does not technically guarantee software is free of malicious code on its own; it verifies the identity of the signer and integrity of the code, not a security audit of the code's content - and it also omits origin verification.

DBoth vendor and the signer certify the software being loaded is free of malicious code and it was

Code signing is performed by the vendor/signer as a single entity using their private key; it is not a dual-certification process involving both a separate vendor and a separate signer, making this technically inaccurate.

Concept tested: Purpose and function of code signing

Source: https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptography-tools#code-signing

Topics

#Code signing#Software integrity#Software authenticity#Digital signatures

Community Discussion

No community discussion yet for this question.

Full CISSP Practice