The SWID Tag Signing utility follows the SWID Tag Signing Guidelines and allows publishers to digitally sign their SWID tags. By signing the tag, both publishers and software consumers can validate that the tag came from the vendor and that nothing in the tag has been modified in any way.
This is particularly useful if the publisher includes the file manifest for their applications inside the tag, or in a referenced tag (that is also digitally signed). With a properly signed SWID tag that includes a file manifest, software users can ensure that no application files have been tampered with and that all files are where they are supposed to be. This supports the following security tenets:
- Supply chain security (knowing you received exactly what you were supposed to)
- If used properly, this reduces the risk of DLL hijacking, because tools will know the relative location where each DLL is supposed to be
- Finally, signed SWID tags provide an easy method to submit application data to the Cleanfile Meta exchange (CMX): they provide all the data required for that system, are in an importable format, and include the publisher's digital certificate, which provides further trust in the data
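The consumer-side check described above, as an added example that is not part of the signing utility or its publisher's code: walk a tag's Payload file manifest and confirm that each listed file sits where the tag says and hashes to what the tag records. The tag, install tree and hashes are constructed for the example, and it assumes the tag's XML signature has already been validated against the publisher's certificate, since the manifest is only trustworthy once it has.

```python
import hashlib, os, tempfile
import xml.etree.ElementTree as ET
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"
SWID, HASH_ATTR = "{%s}" % SWID_NS, "{%s}hash" % SHA256_NS

# Constructed sample tag (no vendor's real tag); the Signature element is omitted.
SAMPLE_TAG = """<SoftwareIdentity xmlns="{swid}" xmlns:SHA256="{sha}" name="Example App">
  <Payload>
    <Directory location="bin">
      <File name="app.exe" SHA256:hash="{good}"/>
      <Directory location="plugins">
        <File name="helper.dll" SHA256:hash="{bad}"/>
      </Directory>
    </Directory>
    <File name="readme.txt" SHA256:hash="{bad}"/>
  </Payload>
</SoftwareIdentity>"""

def manifest_entries(elem, parts=()):
    """Yield (relative path, expected sha256 hex) per File, following nested Directory/@location."""
    for child in elem:
        here = parts + ((child.get("location"),) if child.get("location") else ())
        if child.tag == SWID + "Directory":
            yield from manifest_entries(child, here)
        elif child.tag == SWID + "File":
            yield "/".join(here + (child.get("name"),)), (child.get(HASH_ATTR) or "").lower()

def verify_manifest(tag_xml, install_root):
    """Map each manifest path to 'ok', 'mismatch' or 'missing' under install_root."""
    payload = ET.fromstring(tag_xml).find(SWID + "Payload")
    results = {}
    for rel, expected in manifest_entries(payload if payload is not None else ()):
        full = os.path.join(install_root, *rel.split("/"))
        if not os.path.isfile(full):
            results[rel] = "missing"           # not where the tag says it should be
            continue
        with open(full, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        results[rel] = "ok" if actual == expected else "mismatch"
    return results

def demo():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin", "plugins"))
    # app.exe matches the recorded hash, helper.dll does not, readme.txt is never written
    for rel, data in (("bin/app.exe", b"hello"), ("bin/plugins/helper.dll", b"tampered")):
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    tag = SAMPLE_TAG.format(swid=SWID_NS, sha=SHA256_NS, good=hashlib.sha256(b"hello").hexdigest(), bad="00" * 32)
    return verify_manifest(tag, root)
```

A file reported as missing or mismatched at the location the tag records is exactly the tampering or misplacement the signed manifest is meant to surface.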
Signed SWID tags can be supported by any publisher creating software for any platform. They can be provided by both commercial publishers and free and open source publishers.
The utility is written in Java and supports the following types of digital certificate storage formats:
- Windows keystore (personal or system)
- Java keystore
The utility is designed to fit in with existing build processes, so it is a command-line driven tool. When used on a Windows device, batch files are provided that enable processing multiple files at a time.