Code-Signing Certificate Agreement

The following agreement regarding rules governing the use of UCSC code-signing certificates is included in UCSC's code-signing certificate request form. A violation may result in certificate revocation and may constitute a violation of UC policy, UCSC policy, or applicable laws.

AGREEMENT:

Code-signing certificates are used to identify the publisher of software (in this case, UC Santa Cruz). A signature made with a code-signing certificate lets recipients verify that the software has not been modified since it was signed.

UCSC code-signing certificates are available to UCSC staff and faculty solely for University business purposes. Requests must be evaluated and approved by an authorized RAO or DRAO and are governed by the following requirements.

A violation of this agreement may result in certificate revocation and may constitute a violation of UC policy, UCSC policy, or applicable laws.

1) UCSC code-signing certificates may only be used to sign code developed or used for University business purposes, and only where the signer (you) can personally vouch for the signed code. As the signer, you are responsible for all code you sign. Signing unexamined code, such as unvetted student-developed or third-party code, is strictly prohibited.

2) Security Requirements for private keys:

3) Certificates must be revoked and replaced if the private key is suspected or reported to be potentially compromised. This includes cases where any device storing the private key is stolen, lost, or otherwise compromised. Immediately report potentially compromised private keys via Slug Hub (slughub.ucsc.edu/its or help@ucsc.edu).

4) Prohibited Uses - from InCommon’s Code Signing Certificate Practices Statement (CPS):

  • Certificates may not be used to complete or assist in performing any transaction that is prohibited by law.
  • Certificates may not be used for any application requiring fail-safe performance systems such as the operation of nuclear power facilities, air traffic control systems, weapon control systems, or any other system where a failure of the system could cause loss of life or property.
  • Use of the certificate must not interfere with or infringe on any rights of third parties or be used for any unlawful purpose, including tortious interference with contract or prospective business advantage, unfair competition, injuring the reputation of another, and confusing or misleading a person, whether natural or incorporated.
  • You must not interfere with or reverse engineer the technical implementation of InCommon PKI services, including, but not limited to, the key generation process, the public website, and the InCommon repositories except as explicitly permitted by InCommon’s Code-Signing CPS or upon prior written approval of InCommon or Comodo as appropriate.