Shatered identity

Apple and Microsoft's Digital Signature Vulnerabilities Did Not Affect PACE Customers. Here's Why.

Earlier this month, Apple and Microsoft disclosed independent vulnerabilities in their digital signature infrastructure, affecting a huge range of operating systems.

In Apple's case, it was possible to create a fake signature and get macOS to trust it. (Details) This is like a fake ID that fools the bartender into selling alcohol to a teenager.

In Microsoft's case, it was possible to create fake signatures that looked like they were from a trusted entity. (Details) This is like being able to print your own ID cards, as if you were some authority.

What are Digital Signatures?

Digital signatures are like driver's licenses (or other ID cards, around the world), but for software. They say, with authority, who the holder is. They are used to convey trust: if I know who you are, I know what you should be allowed to do, and I can have reasonable trust in how you'll behave.

So too with apps.

All modern apps come with digital signatures, like ID cards, saying who they are. But a digital signature, unlike an ID card, can instantly be checked to see if it's valid. It doesn't just have to look authentic - you can actually check that it really is authentic, and who the publisher really is - through standard cryptographic techniques based on “public key infrastructure (PKI)”.

This idea underpins most consumer apps used today. Apps in the iOS App Store have always required digital signatures. So too with Android. macOS and Windows have been ratcheting up digital signature requirements for more than a decade, and now signatures are effectively a requirement to deliver software to macOS, while on Windows they are required for a good user experience.

Digital Signatures in Software

Digital signatures are also used by software publishers to establish their own trust systems. One common example is products that load content or have plugins, and need to verify that the content or plugins are authentic. Digital signatures are exactly the right tool for this job.

Both of these bugs have the same basic consequence: until they were fixed, digital signatures weren't really the strong guarantee of identity that we thought they were. Or in the Microsoft case, there might be fake digital signatures in the wild that can never be proven inauthentic. 

Those apps you installed, from trusted publishers, might not have been from those publishers at all.

This highlights one of the problems with digital signatures: they're a single source of trust. If you base all your trust on one system, then when that system is broken, you have no trust left. As happened last week, with Apple and Microsoft.

PACE Customers are Protected

But PACE customers are still protected, even now that these vulnerabilities are well known. Our licensing and content protection platforms use our own digital signature infrastructure - on top of the OS signature infrastructure - to verify the authenticity of plugins and content. We use a completely separate set of certificate authorities (but the same proven cryptography!) to provide a second layer of trust above and beyond the standard operating system signature checking.

Our signatures weren't broken by these vulnerabilities, and the software publishers who rely on PACE digital signatures can continue to trust the content and plugins they load into their products.

PACE customers also enjoy features that don't come with operating system digital signatures, like explicit identification of the product (not just the publisher), and connections between licensing and digital signatures that enable features like encrypting content that can only be decrypted by authorized products.

If you have a software product or content that would benefit from stronger authenticity guarantees, or from high-security licensing and distribution, we encourage you to contact us at to learn more about how PACE can help you protect your work.

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram