If a file is digitally signed, is posting a hash very useful for security purposes?
In this question I asked about how to handle situations when SHA-256 hashes are not available for a file downloaded from the internet that contains executable code. Another community member insightfully asked if a hash is really needed to validate the download (in this case, LibreOffice), since it is a digitally signed file.
I don't know the answer to that good question, so I thought it best to ask it here: If a file is digitally signed, is it important to also have a good hash (such as SHA-256) to help validate the file?
One of my concerns is that is is trivially simple to create strings of text that look nearly identical (and in some cases completely identical), but are actually different (often by using various Unicode characters). For a digital signature to be secure, it would require sufficient safeguards to prevent this type of attack.
I do not think so. Forging Code signing signature is infeasible whereas hashes can be updated to match the uploaded binary. If the website, which is providing you, the download is compromised than hashes can also be changed. This is not possible with digital signature and you at least need signing key access.
So, Digital Signature is sufficiently secure at least more secure than providing the hashes. Digital Signature uses PKI (Publick Key infrastructure) for verification of signatures. You can read it more over here Digital Verification
For signing binaries like msi you will need code-signing certificates which can be issued by trusted CA's or CA you trust. You will sign the binaries with signing keys (Private Keys). There are measures in place to secure these signing keys like storing it in Hardware Security Module HSM, TPM etc.
Trusted third party CA's do not sign code-signing keys without checking the security of keys or else they provide security hardware themselves before releasing the keys like Tokens (this depends on type of code signing certificate as well for e.g. EV code signing certs). There are other measures as well like physical verification or organization level verification. The process is quite good.
However, there is no way to find if code-signing keys signed by CA are compromised until the vendor release a statement and inform CA which in turn release the CRL (Certificate revocation list).
Before you verify the digital signature, you can ensure that:
- Integrity of the system where you verify the binaries is intact.
- System is regularly updated with latest patch specifically certificate/CRL from trusted source such as Microsoft.
Because of the key security measures and other verification measures you only trust the trusted third parties CA like DigiCert, QuoVadis etc.