Method implemented by computer and a computer system to avoid security problems in the use of digital certificates in the signing of codes and a computer program product thereof

摘要

A method implemented by computer to avoid security problems in the use of digital certificates in the code signing, comprising: - signing, by a software distributor through a first server (300), at least one software file using a digital certificate with a digital signature that identifies said software distributor; and - acquiring, by at least one user (100) through a calculation device, a copy of said at least one signed software file; and - generating, by means of a second server (200) in communication with said first server (300), following a request made by the software distributor, an indication of the hash function of the at least one signed software file, said method implemented by computer, in which, before the second server receives the request, said digital certificate to be used for said signature is recorded in said second server (200), the digital certificate to be recorded being provided by the software distributor (300) after registering the latter in said second server (200) and including the digital certificate information obtained from a chain of trust certificate associated with the digital certificate when performing said registration, wherein said record comprises checking, by the second server (200 ), data included in the digital certificate provided that includes at least one domain and / or an electronic address; and wherein said register further comprises: - performing, by the second server (200), an authentication of said digital certificate by performing the following steps: - generating a one-time password, OTP; - sending said generated OTP to the software distributor (300) through a communication channel that includes at least one text message, an electronic message or an instant message; and - certifying, upon receipt of said OTP from the software distributor (300), that the received OTP matches said generated OTP, and in that: - said hash function indication includes information about the software distributor (300) and about the signed software file and a time record that certifies a time when the signature of the software file is notified to the software distributor (300).