The organization responsible for developing or building the software typically manages the keys used to sign the code, ensuring both data integrity and source authentication.
If A is not there, then I would vote for C. But A is here, so obviously the code belongs to the company, not to individuals. We have all signed a document clarifying this point with us as employees, right?
OSG, p. 1029, Code Signing:
Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.
From the OCG v9: "The developer signing the code does so using a private key, whereas the corresponding public key is included in a digital certificate that is distributed with the application. Users who download the application receive a copy of the certificate bundled with it and their system extracts the public key and uses it in the signature verification process."
Yes, it is written "the developer", but I think it means "the developer company", not the individual. If the key is included in the digital certificate, the certificate is obviously issued for the company.
When you guys install a driver, is it signed by Joe Whoever or is it signed by the company? You want uniformity in things like this, and any dev shouldn't be able to just sign anything the company puts out.
Answer A)
The developer is the entity responsible for writing, building, and/or submitting the code that will be signed. This entity maintains a secure development environment, including the source code repository, and will submit code to the signer after it has completed the organization’s software development and testing processes.
The signer is the entity responsible for managing the keys used to sign software. This role may be performed by the same organization that developed or built the software, or by an independent party able to vouch for the source of the code.
https://csrc.nist.gov/files/pubs/shared/itlb/itlbul2018-05.pdf
I think C. Reasons below:
In software development, the 'source code' is signed by the developer: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
In software distribution, the organisation would sign their 'software', e.g. Nvidia would 'release sign' their drivers for public download: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/release-signing
In software development, the entity that normally signs the code to protect the code integrity is option C: The developer.
Code signing is a process in which a digital signature is applied to software code to verify its authenticity and integrity. The digital signature is created using a private key owned by the developer. By signing the code, the developer provides assurance that the code has not been tampered with and originates from a trusted source.
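As an added example (not code from this thread, the OSG/OCG or the NIST bulletin) illustrating the flow described in the OCG quote above and in this comment: the signer's private key signs a digest of the artifact, the public key travels in a bundled "certificate", and the recipient uses that public key to verify the signature and so detects any modification of the artifact. The function names, the publisher name and the RSA parameters are this example's own assumptions; it uses textbook RSA with small constructed primes so that it runs on the Python standard library alone, which is enough to show the mechanics but is not how production code signing is done (that uses RSA-PSS or ECDSA at real key sizes, proper hash padding, and X.509 certificates issued by a CA).

```python
"""Toy code-signing round trip: sign with a private key, verify with the
public key carried in a bundled 'certificate', detect tampering.

Added illustration; textbook RSA with constructed small primes, NOT a
production scheme. All names and parameters here are assumptions.
"""
import hashlib

# Constructed primes for illustration only; far too small to be secure.
P = 1_000_003
Q = 1_000_033
E = 65537  # common public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as plain dicts."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}


def digest(artifact: bytes, n: int) -> int:
    """SHA-256 the artifact and reduce it to fit the toy modulus.
    A real scheme pads the full hash (PKCS#1 v1.5 / PSS) instead."""
    h = hashlib.sha256(artifact).digest()
    return int.from_bytes(h, "big") % n


def sign_artifact(artifact: bytes, priv: dict) -> int:
    """Signer side: only the holder of d can produce this value."""
    return pow(digest(artifact, priv["n"]), priv["d"], priv["n"])


def make_certificate(subject: str, pub: dict) -> dict:
    """Bind a publisher name to its public key. Here a plain dict; a real
    certificate is X.509 and is itself signed by a CA so that the binding
    (and not just the artifact) can be trusted."""
    return {"subject": subject, "public_key": pub}


def verify_artifact(artifact: bytes, signature: int, cert: dict) -> bool:
    """Verifier side: recover the digest from the signature with the public
    key taken from the bundled certificate and compare it to a fresh hash."""
    pub = cert["public_key"]
    return pow(signature, pub["e"], pub["n"]) == digest(artifact, pub["n"])


def build_package(artifact: bytes, priv: dict, cert: dict) -> dict:
    """What ships to the user: the artifact, its signature and the cert."""
    return {"artifact": artifact, "signature": sign_artifact(artifact, priv),
            "certificate": cert}


def verify_package(package: dict, trusted_publishers: set) -> bool:
    """Install-time check: the certificate must name a publisher we trust
    AND the signature must verify against the artifact as received."""
    cert = package["certificate"]
    if cert["subject"] not in trusted_publishers:
        return False
    return verify_artifact(package["artifact"], package["signature"], cert)


if __name__ == "__main__":
    pub, priv = make_keypair()
    cert = make_certificate("Example Software Inc. (constructed)", pub)
    pkg = build_package(b"print('hello from a constructed artifact')", priv, cert)
    trusted = {"Example Software Inc. (constructed)"}
    print("genuine package verifies:", verify_package(pkg, trusted))
    tampered = dict(pkg, artifact=pkg["artifact"] + b" # injected")
    print("tampered package verifies:", verify_package(tampered, trusted))
```

The two checks in `verify_package` are the point of the thread: the signature proves the bytes are unchanged since signing, and the certificate's subject is what lets a user decide whether to trust the publisher at all, which is why the subject is normally the organisation rather than an individual developer.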
Usually code signing is done at the organizational level rather than by individuals. E.g., when you download and install software, you would rather trust code that is signed by a well-known and trusted organization than by an individual developer. I go with A.
Think like a manager... the developer signing the code may switch his job... thus it is the organization's responsibility to sign the code.
A is correct
Code signing is a security measure that involves digitally signing the code with a cryptographic signature that verifies the identity of the code author and ensures that the code has not been tampered with or altered since it was signed. This helps to protect users from running malicious or unauthorized code.
In most cases, the developer signs the code using a private key, which is kept secure and only accessible to authorized personnel. The organization developing the code (Option A) may also be involved in managing the signing process and ensuring that the code meets the organization's security and quality standards. However, the actual act of signing the code is typically performed by the developer.
Of these, Developer is the most accurate and used to be true, but now it is really the Build or DevOps process that signs, and then it can go to media or be deployed to environments as a signed artifact.
Ugh, I know for this exam it is A, even though in the real world the organization doesn't know if their code is signed or not. But legally the owner is signing, even if a subcompany writes and compiles.