SSL.com

How to Use Pre-Signing Malware Scan with SSL.com eSigner

What is SSL.com Malware Scan?

Malware Scan is a new service offered by SSL.com to software developers utilizing code signing certificates to assure that code is free of malware before being signed. 

Benefits of Malware Scan

Malware Scan adds an extra layer of defense to code signing certificates. If malware is detected in the code, the signing is immediately prevented from being accomplished and the user is informed so that preventive action can be taken.  Software developers, publishers, and distributors can now incorporate automated malware and code signing into the CI/CD environments. Despite code signing being automated in some form, the protection of private keys and signing certificates is usually done manually,  putting these at risk of being stolen. Once ransomware gangs and other malicious actors are able to hack into the production environment of a software publishing company, they can secretly inject malware in the build process and cause disastrous consequences. This is what Malware Scan prevents. 

SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner.

ORDER NOW

eSigner Cloud Code Signing

To be able to use the Malware Scan service, SSL.com customers first need to purchase an EV code signing certificate and enroll it to our eSigner cloud code signing service once the cert is issued. eSigner enables software developers to conveniently sign and timestamp their code on the cloud, with no need for USB tokens, HSMs, or other special hardware.  By storing the EV code signing certificate on the cloud, eSigner enables software engineers to securely sign their code without having to worry about losing a USB token, having their code signing certificates stolen by hackers, or accidentally deleting a pfx file.  The main benefits of eSigner-based code signing + Malware Scan are explained below:

How to use Malware Scan

Enabling the Malware Scan service on your SSL.com account is a first step before being able to use the service on eSigner Express, eSigner CodeSignTool, eSigner APi, or eSigner CKA.
    1. Scroll down to the SIGNING CREDENTIALS section and locate the part showing your eSigner certificate credentials. Make sure that the radio buttons that say signing credential enabled and malware blocker enabled are chosen. These will allow you to use the Malware Scan service on each of the eSigner toolkit.
    2. Scroll down to the SIGNING CREDENTIALS section and locate the part showing your eSigner certificate credentials. Make sure that the radio buttons that say signing credential enabled and malware blocker enabled are chosen. These will allow you to use the Malware Scan service on each of the eSigner toolkit.

Using Malware Scan on eSigner Express

  1. Upload your file to eSigner Express.
  2. After uploading, you will be prompted for the two-factor authentication code.
  3. If the file you uploaded contains malicious code, eSigner Express will flash this warning and prevent the signing: hash that needs to sign is a malware object hash
  4. If you disable Malware Scan on your order page, eSigner Express will immediately warn you.

Using Malware Scan on CodeSignTool

  1. Enable Malware Scan on your order page.
  2. Enter the Sign command on CodeSignTool. For more information on CodeSignTool commands, please refer to our article: eSigner CodeSignTool Command Guide.
  3. If the code you are attempting to sign on CodeSignTool is infected with malware, the signing will fail and you will get the warning, Error: hash that needs to sign is a malware object hash

Using Malware Scan on eSigner API

In this demo, Postman was used to call eSigner API.
  1. Enable Malware Scan on your SSL.com order page. Postman’s Scan Settings will then show “malware_scan_enabled”: true.
  2. If the file you uploaded to Postman contains malware, the signing process will halt and you will be promptly warned.

Using Malware Scan on eSigner Cloud Key Adapter (CKA)

  1. Click the malware blocker enabled radio button on your SSL.com order page.
  2. Install eSigner Cloud Key Adapter. 
  3. Install eSigner CodeSignTool.
  4. Scan the code on CodeSignTool using the following command: scan_code [-hV] -input_file_path=<inputFilePath> -password=<PASSWORD> [-program_name=<programName>] -username=<USERNAME>
  5. Use SignTool to sign the code with eSigner CKA using the following command: "SignTool File path" sign /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 certificate thumbprint "inputFilePath"

Parameters:

SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner.

ORDER NOW

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.
Exit mobile version