0

We (platform owner) have a requirement to sign a 3rd party (partner) software solution which will be hosted on our platform. The 3rd party solution is signed by the partner with some well known CA. The platform owner would like to sign it again with a different CA trusted by the platform.

Can a software solution be signed by two different certificates?

ztk
  • 2,267
  • 14
  • 22
Vamsi
  • 1
  • 1
  • 1
    Depends on the signing format/technology used. But you can have multiple (detached) signature files with pgp+cms or signify, you can have multiple signatures in a signed jar, with authenticate or in a .cat file. Not sure about ZIP with x.509 support. – eckes Jul 20 '19 at 03:56

2 Answers2

1

Yes, but it's not entirely straight-forward.

I assume you're talking about Windows code-signing. Any .exe file can have a signature embedded in it:

digital signature on internet explorer

As far as I know, this format only allows a single signature. (though the Microsoft code signing format is very similar to CMS that's used for S/MIME and a few other protocols, so it could in theory carry multiple signatures).

@eckes mentions in comments that you can do detached PGP signatures and present multiple of them. That's ok if you're willing host multiple .sig files next to your software download, and expect users to verify these manually. If you're using standard Microsoft X.509 signatures, then unless I'm missing something, you'll need to provide multiple versions of your binary, each with a signature from a different CA... which seems like it defeats the purpose of proving that it's the same binary.

Mike Ounsworth
  • 59,005
  • 21
  • 158
  • 212
0

Yes, you could.

The cryptographic signature doesn't modify the data being signed, and you're not even signing the data itself. You're signing the hash of the data, so creating a second signature for the same hash would be absolutely unrelated and independent from the first one.

Andrew Morozko
  • 1,759
  • 8
  • 10
  • Pretty sure that the common X.509 certificate format doesn't support this though you can simply make another copy of the certificate signed by the other CA and it will do the same job as the new certificate is still attesting to the authenticity of the same public key and other data. – MttJocy Jul 19 '19 at 11:57
  • @MttJocy X.509 is a certificate format – the signature of the public key + additional data. We're talking about signature of a file(s), X.509 wouldn't be created as a result of this operation. You'll need a public key extracted from X.509 certificate in order to verify the signature and a private key (most likely in PKCS#8 format) to create it. – Andrew Morozko Jul 19 '19 at 12:16
  • Thank you! The signing process generates a cert file so when signing is done twice there would be 2 cert files created, isn't it? Is there a mechanism that platform or 3rd party solution can employ to find out which cert file should be used by platform and which one should be used by 3rd party solution for integrity checking? – Vamsi Jul 19 '19 at 16:55
  • @AndrewMorozko True ultimately it depends on specifics of the use case that are not well described in the question if by tamper prevention simply verifying file integrity works this would be a valid option. The use of a second certificate may still be required in the event that the platform requires an acceptable certificate signed by their CA for communication with the wider API etc though. – MttJocy Jul 22 '19 at 16:30
  • @Vamsi Well if going with the two certificate approach then the certificate provided by the platform would be used when communicating with the platform (think platform API calls etc). The solution providers own certificate would be used for internal communication between components of the solution ie the front end web component communicating with a back end database component over SSL etc would come under this. It's not unheard of to have situations like this when dealing with a platform as they can often have different standards/requirements than the suppliers of third party plugin solutions. – MttJocy Jul 22 '19 at 16:36