Code signing is important for proving the integrity and authenticity of software, but can GPG secure the software industry?
Several software publishers, especially in the open source community, have adopted GPG as the only alternative to digital certificates for signing application binaries. (See the recent decision by Notepad++ to give up on digital certificates in favour of GPG.)
The main advantages of GPG are its accessibility (you don’t need a CA to verify who you are in order to get a signing key) and the fact that it’s free.
Is GPG the solution to secure the software industry? Unfortunately, the answer is no. Here’s why:
As I mentioned before, a valid GPG signature only tells you that some key signed the file; you still have to cross-check that key against other sources yourself, which takes time and is still not 100% secure.
In the end, GPG does not handle questionable situations any better than digital certificates do. The only advantage of GPG over digital certificates is that it’s free, but that holds only when you count the direct costs. If you count the indirect cost of installing malicious code signed with GPG, believing it was secure, the price goes up significantly.
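To make the "cross-check the key" point concrete, here is an added example (not code from this post, from vChain/CodeNotary or from Notepad++) of what a downstream consumer has to do beyond `gpg --verify`: pin the publisher's primary-key fingerprint, obtained out of band, and reject a "Good signature" from any other key. It assumes GnuPG 2.1+ on `PATH`; the key names, e-mail addresses and release file are constructed for the demo, and the `--demo` flag, `verify_pinned`, `make_key`, `sign_with` and `run_demo` are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the post or from CodeNotary/Notepad++.
# Assumes GnuPG 2.1+ on PATH; all names, addresses and files below are constructed.

# verify_pinned FILE SIGNATURE EXPECTED_PRIMARY_FPR
# Exit status: 0 = good signature from the pinned key
#              1 = bad or missing signature, or a key gpg does not know
#              2 = good signature, but from a key we did not pin
verify_pinned() {
    file=$1; sig=$2; expected=$3
    # --status-fd gives machine-readable lines. "Good signature" alone only says
    # that SOME key in our keyring signed the file, not WHO holds that key.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # The last field of the VALIDSIG line is the primary-key fingerprint.
    actual=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF; exit}')
    [ -n "$actual" ] || return 1
    [ "$actual" = "$expected" ] || return 2
    return 0
}

# make_key "Name <mail>": generate a throwaway key, print its primary fingerprint
# (taken from gpg's KEY_CREATED status line).
make_key() {
    fpr=$(gpg --batch --status-fd 1 --pinentry-mode loopback --passphrase '' \
              --quick-generate-key "$1" default default never 2>/dev/null \
          | awk '$1=="[GNUPG:]" && $2=="KEY_CREATED" {print $4; exit}')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$fpr"
}

# sign_with FPR FILE: write a detached ASCII-armoured signature to FILE.asc
sign_with() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$1" --armor --detach-sign -o "$2.asc" "$2" 2>/dev/null
}

# run_demo: returns 0 when the pinned key is accepted and both the look-alike
# key and a tampered file are rejected.
run_demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    release="$GNUPGHOME/release.bin"
    printf 'release v1.0\n' > "$release"

    # The real publisher, whose fingerprint we pinned out of band, and a
    # look-alike key with a near-identical user ID that ended up in our keyring.
    publisher=$(make_key "Demo Publisher <publisher@example.invalid>") || return 1
    impostor=$(make_key "Demo Publisher <publisher@examp1e.invalid>") || return 1

    # 1. Legitimate release: good signature AND the pinned fingerprint.
    sign_with "$publisher" "$release" || return 1
    rc=0; verify_pinned "$release" "$release.asc" "$publisher" || rc=$?
    [ "$rc" -eq 0 ] || return 1

    # 2. Look-alike signer: gpg itself still reports a good signature; only the
    #    fingerprint pin tells us this is not the publisher we meant.
    sign_with "$impostor" "$release" || return 1
    rc=0; verify_pinned "$release" "$release.asc" "$publisher" || rc=$?
    [ "$rc" -eq 2 ] || return 1

    # 3. Tampered file: the signature no longer matches the content at all.
    printf 'release v1.0 (modified)\n' > "$release"
    rc=0; verify_pinned "$release" "$release.asc" "$publisher" || rc=$?
    [ "$rc" -eq 1 ] || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    return 0
}

if [ "${1:-}" = "--demo" ]; then
    run_demo && echo "pinned key accepted; look-alike key and tampered file rejected"
fi
```

Run it as `sh verify_release.sh --demo`. The fingerprint you pin is the part GPG cannot give you: it has to come from a channel independent of the download (the publisher's site, a previous release, a key you already trust), which is exactly the extra work and residual uncertainty described above.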
Honestly, what are we to expect, given that neither GPG nor digital certificates were made to sign code? Digital certificates were actually developed by Netscape to verify a domain and encrypt the information exchanged between clients and websites. Similarly, GPG was born to encrypt and sign email. Unfortunately for the rest of us, the industry simply forced a square-peg technology into a round hole.
To secure the software industry, a solution is needed that is designed specifically to address this problem. This is why vChain decided to develop CodeNotary, a one-step solution that guarantees your code is exactly how you left it.
CodeNotary’s blockchain-based application gives you the ability to maintain a high-level view of all your code, from the main release level down to the granular level of components, scripts, and beyond. Not only is CodeNotary a proactive DevSecOps best practice, but the savings that accumulate from preventing problems scaling further down the production pipeline are one of those rare moments to breathe easy.
Sound too good to be true? Don’t take our word for it. Grab a free trial and check it out for yourself.
You can also learn more about how CodeNotary works here.