Signing and security for product files
Which files are signed?
SquaredUp uses a DigiCert Extended Validation (EV) Code Signing Certificate to sign all product binaries including our installer.
Which hashing algorithm is used?
We use the SHA-256 cryptographic hash function to create a digest of each binary, then encrypt the digest using SquaredUp's private key. A signature block is then created containing the encrypted digest, a timestamp, and the Code Signing Certificate. The certificate includes SquaredUp's public key, which can be used to verify SquaredUp's signature. This signature block is included in the binary metadata.
The FIPS 140-2 HSM used for SquaredUp's private key and certificate is Azure Key Vault (more information from Microsoft). Azure Key Vault uses nCipher HSMs, which are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.
Note: You can view the signature block under Properties if you right-click on the SquaredUp DS installer or one of the SquaredUp DS binaries.
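The same check can be scripted across every downloaded file rather than inspected one at a time in Properties. The following is an added example, not SquaredUp's own tooling: the folder path and the expected signer string are assumptions to replace with your own values, and it uses only the built-in `Get-AuthenticodeSignature` cmdlet.

```powershell
# Added example: audit Authenticode signatures on downloaded product files.
# Assumptions: both parameter defaults are placeholders, not vendor-supplied values.
param(
    [string]$Path = 'C:\Temp\SquaredUp',      # hypothetical download folder
    [string]$ExpectedSigner = 'SquaredUp'     # assumed substring of the certificate subject
)

# Collect the installer and binaries that should carry a signature block.
$files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi

$results = foreach ($file in $files) {
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = $sig.SignerCertificate
    $problems = @()

    # 'Valid' means the digest matches the file and the chain builds to a trusted root.
    if ($sig.Status -ne 'Valid') {
        $problems += "status is $($sig.Status)"
    }

    # A valid signature from a different publisher is still the wrong file.
    if (-not $signer) {
        $problems += 'no signer certificate'
    }
    elseif ($signer.Subject -notlike "*$ExpectedSigner*") {
        $problems += 'unexpected signer'
    }

    # Without a timestamp the signature stops validating when the certificate expires.
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'no timestamp'
    }

    [pscustomobject]@{
        File       = $file.Name
        Status     = $sig.Status
        Subject    = if ($signer) { $signer.Subject } else { '' }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { '' }
        Problems   = $problems -join '; '
    }
}

$results | Format-List

# Non-zero exit code lets a deployment pipeline stop before installing.
if ($results | Where-Object { $_.Problems }) { exit 1 }
```

Record the thumbprint from a known-good download so later releases can be compared against it.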