CISSP · Question #640
What is the purpose of code signing?
The correct answer is B. The vendor certifies the software being loaded is free of malicious code and that it was originated. Code signing is a process where a vendor uses a digital signature to certify the authenticity and integrity of software, assuring users it originated from them and has not been tampered with.
Question
Options
- AThe signer verifies that the software being loaded is the software originated by the signer.
- BThe vendor certifies the software being loaded is free of malicious code and that it was originated
- CThe signer verifies that the software being loaded is free of malicious code.
- DBoth vendor and the signer certify the software being loaded is free of malicious code and it was
How the community answered
(35 responses)- A6% (2)
- B91% (32)
- D3% (1)
Why each option
Code signing is a process where a vendor uses a digital signature to certify the authenticity and integrity of software, assuring users it originated from them and has not been tampered with.
This answer is partially correct in that signing verifies origin, but it omits the vendor's certification of integrity and the assurance that the code is free of malicious modification, making it incomplete.
Code signing allows the vendor (as the code signer) to attach a digital signature to software, certifying both its origin (it was created by that vendor) and its integrity (it has not been maliciously altered since signing). The certificate-based signature provides assurance of authenticity and, by extension, that the code is as the vendor intended - free of unauthorized modifications or malicious injections.
Code signing does not technically guarantee software is free of malicious code on its own; it verifies the identity of the signer and integrity of the code, not a security audit of the code's content - and it also omits origin verification.
Code signing is performed by the vendor/signer as a single entity using their private key; it is not a dual-certification process involving both a separate vendor and a separate signer, making this technically inaccurate.
Concept tested: Purpose and function of code signing
Source: https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptography-tools#code-signing
Topics
Community Discussion
No community discussion yet for this question.