In the early days of computing, new applications were installed via physical disks, and it was difficult for a malicious agent to impersonate a legitimate developer. Now, applications are downloaded over the Internet from a wide variety of servers, websites, and application stores. Fraudulent websites and malicious developers can easily mimic legitimate applications, causing users to download malicious applications and posing a great risk to the security of users, systems, and enterprises. Digital signatures are one of the ways in which users can ensure that the application they are downloading is from a legitimate, trusted developer rather than a potentially malicious imposter.
Unfortunately, the trustworthiness of a digital signature is directly related to the security of the private key used to create the digital signature. If a private key has been compromised, then malicious agents can impersonate the key's signatory even more effectively. Traditional systems for verifying digital signatures may lack mechanisms for determining if a private key used for a digital signature is legitimately associated with a developer of an application signed with the private key. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for validating application signatures.