Many software publishers digitally “sign” the files or applications they create or publish in order to demonstrate the authenticity of those files and applications. For example, a software publisher may digitally sign a file by computing a cryptographic hash of the file and signing that hash with the publisher's private key under a public-key cryptographic system. A recipient who verifies the signature with the corresponding public key can then confirm both that the file was signed by the holder of that private key and that the file has not been altered since it was signed.
Because malicious or unscrupulous individuals or entities may attempt to pose as respected software publishers when distributing files, a software publisher may also obtain a digital certificate from a well-known and/or trusted certificate authority and include that certificate within the files it subsequently publishes. A digital certificate, which is typically signed by the certificate authority using the certificate authority's private key, attests that a particular public key belongs to an identified entity. A recipient who trusts the certificate authority can therefore check the certificate, and then the file's signature against the certified public key, to verify that a digitally signed file in fact originated from the named entity rather than from an impostor presenting a key of its own.
Unfortunately, current digital certificates (and the certificate authorities that issue them) make no statement as to the trustworthiness of a digitally signed file or of its publisher: a certificate binds a public key to a name, and a signature binds a file to that key, but neither examines what the file does. As such, the fact that a digitally signed file carries a certificate from a trusted certificate authority does not preclude the possibility that the file contains, intentionally or unintentionally, malware or exploitable vulnerabilities. Accordingly, the instant disclosure identifies and addresses a need for systems and methods for providing digital certificates that attest to the trustworthiness of digitally signed code.
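The following Go program is an added illustration of the three paragraphs above and is not part of the instant disclosure: a certificate authority certifies a publisher's public key, the publisher signs a file by hashing it with SHA-256 and signing the digest with its RSA private key (PKCS#1 v1.5, one concrete choice of public-key cryptographic system), and a recipient verifies the certificate chain and then the signature. The names, the two constructed payloads, and the use of the Go standard library `crypto/x509` machinery are assumptions of the example. What it demonstrates is the gap the last paragraph identifies: a file signed by the certified publisher verifies regardless of what it contains, while a copy altered after signing and an impostor's self-certified file are rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const caName, publisherName = "Example Root CA", "Example Software Publisher" // hypothetical names

// signedFile is what ships: the file, a signature over SHA-256(file) by the publisher's key, and its certificate.
type signedFile struct{ Content, Signature, CertDER []byte }

func must(err error) { // setup failures (key generation, issuance) are not scenario outcomes
	if err != nil {
		panic(err)
	}
}

// newIdentity generates an RSA key pair and a certificate binding it to subject: CA key
// usage when isCA, code-signing usage otherwise; self-signed when parent is nil.
func newIdentity(subject string, isCA bool, parent *x509.Certificate, signer *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA { // a CA certifies other keys; it is not itself licensed to sign code
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	if parent == nil { // self-signed: the key vouches for its own certificate
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// sign hashes the content and signs the digest with the publisher's private key.
func sign(content []byte, key *rsa.PrivateKey, cert *x509.Certificate) signedFile {
	digest := sha256.Sum256(content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	must(err)
	return signedFile{Content: content, Signature: sig, CertDER: cert.Raw}
}

// verify checks that the embedded certificate chains to trustedCA and permits code signing, then
// that the signature matches SHA-256(content). It returns the certified name; it never inspects content.
func verify(sf signedFile, trustedCA *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(sf.CertDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, sf.Content, sf.Signature); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// runScenario: the CA certifies the publisher, who signs a benign and a harmful file; a copy altered
// after signing and an impostor's self-certified file are also presented. Each file maps to the name verify accepts, or "".
func runScenario() map[string]string {
	caKey, ca := newIdentity(caName, true, nil, nil)
	pubKey, pubCert := newIdentity(publisherName, false, ca, caKey)
	fakeKey, fakeCert := newIdentity(publisherName, false, nil, nil)
	// Constructed stand-in payloads; nothing here executes them.
	benign := sign([]byte("echo installing"), pubKey, pubCert)
	malicious := sign([]byte("echo installing; rm -rf ~/Documents"), pubKey, pubCert)
	impostor := sign(benign.Content, fakeKey, fakeCert)
	tampered := signedFile{append([]byte("#"), benign.Content...), benign.Signature, benign.CertDER}
	results := map[string]string{}
	for name, f := range map[string]signedFile{"benign": benign, "malicious": malicious, "tampered": tampered, "impostor": impostor} {
		results[name], _ = verify(f, ca)
	}
	return results
}

func main() {
	fmt.Println(runScenario())
}
```

Run with `go run`: the printed map carries the certified publisher name for the benign and the harmful file alike, and an empty string for the tampered and impostor files. The `KeyUsages` option in `verify` restricts acceptance to certificates issued for code signing, a check that is easy to omit and that the certificate's trust chain alone does not provide.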