
Code signing

David Anderson edited this page Mar 9, 2026 · 1 revision

When a project is created, an RSA key pair is created in the project's keys/ directory. The public key is sent to clients when they attach to the project. When you create an app version, a signature is created (using the private key) for each of its files. These signatures are sent, together with the files, to clients. The client uses the public key to verify that each file matches its signature.

The goal is to prevent hackers - even if they've broken into your server - from using your project to distribute malware. This could result in the end of your project, and would negatively impact all BOINC projects.

This system is weakened if the private key is left unencrypted on your server. We suggest that you keep the private key file encrypted:

gpg --symmetric --cipher-algo AES256 keys/code_sign_private
(enter passphrase)
rm keys/code_sign_private

Before adding app versions, decrypt it:

gpg -o keys/code_sign_private --decrypt keys/code_sign_private.gpg

... and encrypt it again when you're done. Keep the passphrase secure, and don't lose it.

Using a separate code-signing machine

The above can still be defeated by a keystroke logger on the server that captures the passphrase. For stronger protection, do the signing on a separate computer.

  • Install crypt_prog on the code signing machine.

  • Disconnect the computer. It must remain physically secure and disconnected from the network, so you'll need a mechanism for moving files to and from the code-signing machine, such as a USB memory stick.

  • Run crypt_prog -genkey to create a code-signing key pair. Copy the public key to your server. Keep the private key on the code-signing machine, and make a permanent, secure copy of the key pair (e.g. on a USB stick).

  • To sign an executable file, move it to the code-signing machine, run crypt_prog -sign to produce the signature file, then move the signature file to your server.

  • Use update_versions to install your application, including its signature files, in the download directory and database.

Changing your code-signing key

You can change your project's code-signing key at any point. To make this invisible to users, you must do the following steps; otherwise users will have to detach from and reattach to the project.

On your code-signing machine:

  • Rename your current private key to old_key_private_i and your current public key to old_key_i, using the next unused i (old_key_0, old_key_1, etc. form the history of your public keys).
  • Generate a new key pair, say code_sign_private and code_sign_public:

    crypt_prog -genkey 1024 code_sign_private code_sign_public

  • Create a "stripped" version of the public key (the file with its trailing \n removed):

    head -c -1 code_sign_public > code_sign_public_stripped

    This is needed because 7.0+ clients strip the trailing \n from the end of keys.
  • For each old key i, sign both the original and the stripped versions of the new public key with the corresponding old private key:

    crypt_prog -sign code_sign_public old_key_private_i > signature_i
    crypt_prog -sign code_sign_public_stripped old_key_private_i > signature_stripped_i

  • Put code_sign_public and (for all i) old_key_i, signature_i, and signature_stripped_i on a USB memory stick.
  • Sign all your app version files with the new key, and put these signatures on the memory stick as well.

On your project server:

  • Stop the project.
  • Use update_versions to create new app versions, using the new file signatures.
  • Copy code_sign_public and (for all i) old_key_i, signature_i and signature_stripped_i from the memory stick to your project's keys/ directory.
  • Start the project.
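The following script is an added example, not BOINC's own code, and it serves two passages: the sign/verify model described at the top of the page (the client checks each file against its signature using the project's public key) and the key-rotation steps just listed. It plays through a rotation from the client's point of view: a client that trusts old_key_0 adopts the new code_sign_public only if signature_0 (or signature_stripped_0) verifies over the exact key bytes that client holds, and it then verifies app files against the new key. It also shows why both the stripped and unstripped public key must be signed: a 7.0+ client stores the key without its trailing newline, so a signature over the newline-terminated file does not match. Textbook RSA over a SHA-256 digest, a 512-bit toy key size, and the colon-separated key text format are all assumptions made to keep the script self-contained; crypt_prog's real key and signature formats differ.

```python
# Added example: client-side trust rule behind a BOINC-style code-signing key rotation.
# Toy RSA (no padding, small keys) is used only so the script runs offline with the
# standard library; it is not crypt_prog's format and is for illustration only.
import hashlib
import random

_rng = random.SystemRandom()
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force exact size and oddness
        if _is_probable_prime(cand):
            return cand


def genkey(bits=512):
    """Toy stand-in for `crypt_prog -genkey`: returns (private, public) as (d, n), (e, n)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (pow(e, -1, phi), p * q), (e, p * q)


def sign(data, private_key):
    """Toy stand-in for `crypt_prog -sign`: RSA over the SHA-256 digest of `data`."""
    d, n = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(data, signature, public_key):
    e, n = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def encode_public(public_key):
    """Serialise a public key as a text file ending in a newline (assumed format)."""
    e, n = public_key
    return f"{e}:{n}\n".encode()


def decode_public(blob):
    e, n = blob.decode().strip().split(":")
    return int(e), int(n)


def strip_key(blob):
    """What `head -c -1` does above: drop the trailing newline, as 7.0+ clients do."""
    return blob[:-1] if blob.endswith(b"\n") else blob


def accept_new_key(trusted_public_blob, new_public_blob, signatures):
    """Client rule: adopt the new key only if some signature verifies over the
    key bytes exactly as this client holds them. Returns the key or None."""
    trusted = decode_public(trusted_public_blob)
    if any(verify(new_public_blob, sig, trusted) for sig in signatures):
        return decode_public(new_public_blob)
    return None


def simulate_rotation(app_file, tampered_file):
    """Play through the rotation steps and report what each kind of client concludes."""
    old_priv, old_pub = genkey()  # becomes old_key_private_0 / old_key_0
    new_priv, new_pub = genkey()  # the new code_sign_private / code_sign_public
    new_blob = encode_public(new_pub)
    stripped_blob = strip_key(new_blob)                    # code_sign_public_stripped
    signature_0 = sign(new_blob, old_priv)                 # signature_0
    signature_stripped_0 = sign(stripped_blob, old_priv)   # signature_stripped_0
    both = [signature_0, signature_stripped_0]
    old_stripped = strip_key(encode_public(old_pub))

    # A pre-7.0 client keeps the newline; a 7.0+ client has stripped it.
    legacy_key = accept_new_key(encode_public(old_pub), new_blob, both)
    modern_key = accept_new_key(old_stripped, stripped_blob, both)
    # Sign only the unstripped key and the 7.0+ client refuses the rotation.
    modern_key_no_stripped_sig = accept_new_key(old_stripped, stripped_blob, [signature_0])

    file_sig = sign(app_file, new_priv)  # the signature file shipped via update_versions
    check_key = modern_key or new_pub
    return {
        "legacy_accepts_new_key": legacy_key is not None,
        "modern_accepts_new_key": modern_key is not None,
        "modern_accepts_without_stripped_sig": modern_key_no_stripped_sig is not None,
        "file_verifies": verify(app_file, file_sig, check_key),
        "tampered_file_verifies": verify(tampered_file, file_sig, check_key),
        "file_verifies_under_old_key": verify(app_file, file_sig, old_pub),
    }


if __name__ == "__main__":
    # Constructed sample inputs standing in for an app version file and a modified copy.
    print(simulate_rotation(b"constructed app binary v1", b"constructed app binary v1 + patch"))
```

The important design point is in accept_new_key: the client verifies the signature over the key bytes it actually stores, so the server has to publish a signature for every representation a deployed client might hold. The same rule explains why a file signed with the old private key stops verifying once clients have moved to the new key, which is why all app version files are re-signed before the project is restarted.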
