Code signing is a cryptographic process that binds a digital signature to a software artifact using a private key tied to a verified identity. It proves who signed the software and confirms it has not been modified since signing. It does not verify what was signed, where it came from, or whether the build process was compromised – which is why code signing alone is no longer sufficient to secure modern software supply chains.
What Is Code Signing?
Code signing is the process of applying a cryptographic signature to software using a private key associated with a trusted identity. When a user or system installs the software, the signature is validated against a certificate chain rooted in a trusted authority.
A valid signature confirms two things:
- The software was signed by the holder of the corresponding private key
- The software has not been modified since it was signed
This is a meaningful assurance, but a narrow one. Signing confirms identity and post-signature integrity. It does not evaluate source code, build environment, or pipeline security.
Why Code Signing Alone Is Not Enough
Code signing alone is not enough because it validates the signer, not the software. If malicious code is introduced before signing, the resulting signature is still technically valid and the compromised software passes every downstream check.
This is commonly referred to as the signed malware problem. It has become one of the defining challenges in software supply chain security because modern attackers rarely target the signing step itself — they target the environment around it.
What Was the SolarWinds Code Signing Incident?
The SolarWinds incident is the most widely cited example of signed malware. Attackers gained access to the SolarWinds build environment and inserted malicious code into the Orion product before it was signed.
More than 18,000 organizations installed the compromised update through legitimate distribution channels. Every signature validation passed because the signature was, in fact, legitimate.
The signature proved who signed the software. It did not prove what was signed.
Where Do Modern Supply Chain Attacks Occur?
Modern supply chain attacks occur across five primary stages of the software development pipeline:
- Developer workstation — stolen credentials, malicious IDE extensions, compromised endpoints
- Source repository — unauthorized commits, tampered branches, dependency confusion
- Build server — injected build steps, compromised runners, modified artifacts
- Signing keys — exposed credentials, misused signing services
- Distribution — tampered artifacts after signing, compromised mirrors
In most major supply chain incidents, the signing step was never breached. The compromise occurred earlier in the pipeline, and the signature simply certified the result.
What Regulations Require More Than Just Code Signing?
Several frameworks now require more than a valid signature, including NIST SSDF, U.S. Executive Order 14028, the EU Cyber Resilience Act, and CA/B Forum baseline requirements.
Each framework addresses a different dimension of the problem:
- NIST Secure Software Development Framework (SSDF) defines secure build, source integrity, and artifact verification practices
- U.S. Executive Order 14028 mandates SBOM generation and build provenance for federal software suppliers
- EU Cyber Resilience Act introduces penalties of up to €15 million or 2.5 percent of global revenue for noncompliant software
- CA/B Forum has shortened code signing certificate validity periods, increasing operational demands on signing infrastructure
The direction is consistent. A signature alone is no longer sufficient evidence that software can be trusted.
What Does Modern Code Signing Require?
Modern code signing requires a broader set of supply chain controls beyond the signing step itself. At a minimum, that includes:
- Source-to-binary verification that confirms the signed artifact matches the intended source
- Reproducible builds that allow independent validation of build outputs
- SBOM generation tied to each signed artifact
- Comprehensive audit trails covering what was signed, by whom, and under what policy
- Hardware-backed key protection with non-exportable keys stored in FIPS-validated HSMs
These capabilities transform code signing from a single-step operation into a verifiable component of a secure software supply chain.
From Signing to Supply Chain Assurance
Code signing remains necessary. It is no longer sufficient on its own.
The organizations best positioned to meet current threats and regulatory expectations are those that treat signing as one control within a broader supply chain security architecture, not as the endpoint of their release process.
The question is no longer whether software is signed. It is whether the entire path from source code to signed artifact can be verified, audited, and trusted.
Secure the full signing pipeline, not just the signature.
GaraTrust brings source-to-binary verification, HSM-backed key protection, SBOM generation, and full audit trails into a single platform. Signing becomes one step in a verifiable supply chain, not a blind trust decision.