Booklet for developers and security professionals on how to implement code obfuscation, .NET strong name signing, and Authenticode code signing in order to protect applications deployment. The guide contains detailed description of different code signing implementation options from basic software to sophisticated hardware solution.

Topics include: reasons to implement code obfuscation and signing, obfuscation and strong name signing dependencies, description of Authenticode signing process, singing certificates and certificate authorities, signing certificate private key storage: hardware vs. software, three ways to implement code signing, and more (Article: ~4,460 words).

Table of Contents includes:

1. Introduction

Several Reasons to Implement Code Obfuscation and Signing

Additional Benefits of Strong Name Signing

Additional Benefits of Authenticode Signing

2. Code Obfuscation and Strong Name Signing

Code Obfuscation Tools

Obfuscation Project and Strong Name Signing

Obfuscation and Strong Name Signing from Command Line

3. Authenticode Code Signing

Code Signing

Digital Signatures

How Code Signing Works

Authenticode

Code Signing Certificate

X.509 Standard

Obtaining Code Signing Certificate

Signing Certificate Pricing

Code Signing Certificate Storage: Hardware vs. Software

Time Stamping

Certificate Validity (Expiration Date)

4. Implementing Authenticode Signing

Code Signing Process à la Microsoft

Code Signing Implementation Options: Advantages, Disadvantages, Costs

Option 1: "Full Hardware"

Option 2: "Basic Software"

Option 3: "Combined Software/Hardware"

5. Tips on Implementing "Combined Software/Hardware" Option

Requirements to Signing Application

6. Tips on Implementing "Basic Software" Option

Installing Code Signing Certificate on Signing Server

SignTool

Installing SignTool

Using SignTool

5. Testing

Testing Obfuscation

Testing Strong Name Signatures

Testing Authenticode Signatures

6. Resources

Tools and Products

Authenticode Certificates Offered by Public Certificate Authorities

Online Authenticode Timestamping Services

Standards

Articles

Books

About the Author

Slava Gomzin, CISSP, ECSP, Security+ has more than 15 years of professional experience in software development and application security. He is Security Architect at Retalix USA.