Application Code Signing
Application Code Signing allows users to sign files either locally or through the cloud, ensuring their authenticity and integrity. For local signing, users can utilize the private key and certificate from an uploaded PKCS12 file, a USB token, or a smartcard. For cloud-based signing, the private key and certificate are securely stored within a Jellyfish Hardware Security Module (HSM). The digital signature generated through code signing acts as authentication, enabling others to verify the file’s integrity and confirm that it has not been tampered with or modified by malicious actors.
Interface options
The Jellyfish Application Code Signing page simplifies the process of code-signing executables and other files. Jellyfish supports two signature types—Embedded and Detached—and offers four digest algorithm formats: SHA-1 (deprecated), SHA-256, SHA-384, and SHA-512.
The Embedded signature type is supported for Windows PE (Portable Executable) files, such as .exe or .dll files, allowing users to embed a digital signature directly within the file. The file is signed using the Windows code signing standard and can be verified by any Windows computer. Jellyfish also supports embedding a signed timestamp using the DigiCert timestamping service, ensuring that the code signature can be validated even after the original code-signing certificate has expired.
For code-signing files other than Windows executables, you can generate a Detached signature instead of an embedded one. This method is suitable for Linux executables or any other files. Instead of embedding the signature directly into the original file, a separate signature file is created. You can then validate the code signature by comparing the signature file against the original file and the code-signing certificate.
Among the four digest algorithm formats, SHA-1 is the most widely supported across all operating systems and is mainly used for compatibility purposes, but it is not recommended due to security vulnerabilities. SHA-256, SHA-384, or SHA-512 provide stronger levels of security and are recommended instead.
Code Signing Process
To safeguard data integrity, the private key used to sign the file is never transmitted across the network and always remains local to the user’s browser or within the Jellyfish HSM.
When code-signing with a DigiCert timestamp, a cryptographic hash of the executable file is sent to DigiCert. The executable file itself never leaves your computer/browser and is not sent to Jellyfish or to DigiCert.
You can access Code Signing in Jellyfish by opening the “Tools” tab at the bottom of the sidebar, navigating to the “Certificate Tools” section, and clicking on “Code Signing.”
Code Signing Automation
The Jellyfish code-signing API can be utilized to automate the code-signing process within CI/CD pipelines. It can be easily integrated into GitHub or GitLab to automatically code-sign release artifacts directly as part of the build process. Cogito Group uses this code-signing API internally for all Jellyfish releases, ensuring that customers can easily validate that their files have not been tampered with.
