1. Field of the Invention
This invention pertains in general to computer security, and more specifically to distribution of a software application to a user where the software is modified after being digitally signed.
2. Description of the Related Art
Software applications are commonly received by users electronically. For example, a user might download the software application from a software vendor's website. To ensure that the user receives an authentic copy of the software application, copies of the software are typically digitally signed prior to transmission of the application to the user so the authenticity of the software can be verified upon receipt.
A digital signature can be used for a number of purposes. For example, a digital signature can be associated with an application to protect the integrity of the application, to protect access to the application, or to protect any confidential information the application contains. A digital signature can also be used to authenticate the identity of the entity providing the software application to the user, and to verify that the software application is being provided by the expected entity or to verify that the software has not been tampered with in transit. Thus, for a user who has purchased a software application from a website, the digital signature associated with the purchased software provides the user with some confidence that the application has not been supplied by a malicious entity that intends to cause damage or otherwise invade a user's computer (e.g., by installing a virus or other type of malicious code on the user's computer).
In order to facilitate installation, activation, registration, and use of electronically-provided software, it is desirable to incorporate user-specific data into the software application along with the digital signature. For example, the vendor may wish to incorporate specific information about the user's computer into the application. The user-specific data might also include activation information, language specification, and so forth, which allows installation of the software application onto the user's computer with minimal or no user intervention.
With the increase in security for operating systems, operating systems now commonly require digital signature of downloadable executables. However, this signature process is designed for the signing of fixed, non-changing executables and other content. It is typically not possible to dynamically add information, such as the user-specific data described above, to the application after signing without invalidating the signature. If a downloaded application has an invalid signature or is not correctly digitally signed, the operating system may prompt the user with a warning that the application is potentially dangerous. When the operating system provides a warning, the user must respond to each prompt, and thus the installation, activation, and registration processes for the software become processor intensive and time-consuming. Furthermore, re-signing each application after addition of user data is not a reasonable solution, since digitally signing a file can be a slow process, which would again delay the user's ability to download the software.
Therefore, there is a need in the art for a solution that allows for modification of software after it has been digitally-signed to incorporate post-signing data into the application.