Code Signing Platform

Trust applications and plug-ins in your ecosystem through cryptographic verification

Software platforms that allow users to run modules (applications and plug-ins) from 3rd-party developers should verify that those modules come from a trusted source. Otherwise, you risk poor quality 3rd-party code damaging the whole ecosystem, or users accidentally running malicious code that steals their data or high value content.
PACE’s Code Signing Platform gives you everything you need to deploy code signing as part of your software platform. This gives you the control to ensure every 3rd-party module comes from a trusted developer—increasing the quality and security of your ecosystem.
PACE's Code Signing Platform

What is Code Signing?

Modern software platforms and operating systems use code signing to build trust in their ecosystem. The compiled code of each 3rd-party software module is cryptographically signed with a private key issued by a trusted party, the certificate authority. This creates a digital signature that is attached to the software binary. Only the module developer has access to the private key and so only the developer can create the signature. When the software platform loads the signed module, it validates the signature using the associated public key. This confirms the identity of the module’s developer and that the module hasn’t been altered since the developer signed it.

PACE’s platform supports this standard code signing deployment, but can go further by allowing modules to defend themselves against reverse engineering or by building a web of trust which allows validation to be performed by the 3rd-party modules as well as the host platform.

Protecting your software ecosystem

Code signing protects your ecosystem and the users of your ecosystem.

It protects by ensuring only trusted software modules (applications or plug-ins) can execute within the ecosystem. Any untrusted module will be detected, allowing you to take mitigating steps. This prevents modules created or manipulated by threat actors from concealing malicious activities, like stealing personal data, from entering the ecosystem. It also allows you to manage who is creating modules for your ecosystem, allowing you to control the quality of modules available to your end users—higher-quality 3rd-party modules increase the overall reputation of your ecosystem.

It’s worth noting that code signing on its own does not defend against reverse engineering of your platform or the 3rd-party modules. Additional tooling, such as PACE’s Fusion and White-Box Works, is required for that.

Digital Signatures and PKI

PACE’s Code Signing Platform is based around digital signatures and PACE’s own Public Key Infrastructure (PKI) platform.
cryptographic validation

Cryptographic validation

Digital signatures are one of the most exciting uses of public key cryptography. They provide a mechanism to verify that a given private key owner signed a given piece of code, and that the code has not been modified since it was signed. In practice, validating the signature means that you know who developed the software and that it hasn’t been modified since it was signed.

Managed securely

PACE is a certificate authority and hosts its own PKI platform. This created a platform that is tailored to code signing use cases—with extensions beyond an off-the-shelf PKI platform. It also means that PACE takes care of all the security requirements. After all, the root certificates and private keys are high value assets.
Managed securely
private keys

PACE private keys are not exposed

The private keys used for signing are never exposed outside of iLok USBs: an advanced active security device. Developers can use their own iLok USB with iLok-generated private keys and a corresponding PACE-issued certificate for signing, or they can use PACE's Cloud Signing Service to sign. In either case, an iLok USB securely stores the key that generates the signature.

High Security

Highly secure PKI and CA are hosted by PACE, while client-side validation SDKs are underpinned by PACE’s Fusion and White-Box Works software security.
Fast Adoption

Fast Ecosystem Adoption

Tools for 3rd-party developers make it easy for them to sign their software modules, whether manually by the developer or automated with on-prem or cloud-based CI systems.
Cross Platform

Cross Platform

Support for Windows, macOS, Linux, and IoT binaries and popular plug-in formats such as AAX.

Compatible with OS Signing

PACE’s signatures are compatible with modern operating system signing, meaning a software module can be signed once and validated both by the OS and by your ecosystem.
Single Source

Single Source of Truth

All your 3rd-party developers are registered in PACE’s database for easy reporting and management.
Managed Solution

Managed Solution

The infrastructure is hosted by PACE, which lets you focus on building your ecosystem without diverting time and effort into building and securing your digital signature platform.

Create a Web of Trust

Going beyond digital signature verification is PACE’s Web of Trust.

Like standard signatures, the Web of Trust allows software publishers to verify that their code and the code of participating 3rd-party publishers is valid and unmodified. Further, it provides a mechanism for each module to validate the signatures of all other modules loaded into the ecosystem. Thus creating a network, or “web”, where signature checks are distributed throughout the ecosystem. Compromising the ecosystem would require compromising every single module within it—totally impractical, as each module comes from a different source.

Web of Trust

Take, for example, a software platform that supports a plug-in architecture. The platform publisher can work with PACE and their 3rd-party plug-in developers to establish policies for validating each other’s digital signatures. In the simplest case, every participant must have a valid digital signature, or else the platform and plug-ins refuse to run—the entire system locks the user out. Of course, softer approaches are also possible, e.g., the system warns the user about the untrusted module.

Industry-wide solution

Typically, when we talk about software ecosystems, we refer to a platform provided by one developer that 3rd parties can hook into. But not all ecosystems follow that model. In many industries (e.g. video production), multiple developers provide tools that are used in a chain, with high-value content passed through the chain.

In this model, one insecure tool in the chain has the potential to leak the high-value content.

PACE’s Web of Trust is uniquely positioned to allow all the tools in the chain to validate each other, keeping content safe by stopping it from being passed to an insecure tool.

Web of Trust Workflow

What makes PACE’s Code Signing Platform different?

Contact Us!

To learn more about how PACE Anti-Piracy can protect your software ecosystem, contact our team of security experts today.

PACE’s Code Signing Platform gives you the tools to secure your ecosystem keeping it and your users safe from malicious 3rd-party modules.

Key Benefits

Strong Security

Leave software protection to us - that's what we do. Your focus can be on developing great products.

Custom Settings

We put the control in your hands. Design your security to work for your business.

Cryptographic Verification

Ensure 3rd-party modules come from a trusted developer.

Developer Freedom

Full freedom to build upon PCI,  EMVCo, MPoC and SPoC standards.

Customer Support

Our customers receive full documentation, quality support, and access to our engineering team.

Proven Track Record

PACE brings nearly 4 decades of security and licensing experience.
homelicensemove linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram