Code signing was introduced in Java to provide a mechanism for granting elevated privileges to code depending on the security policy in effect. For example, Java applets that need to read system properties from a user's machine can escape the default sandbox restrictions when signed. When a signed applet is run, the user is prompted with a security dialog, asking whether the party that signed the code is considered trustworthy. This element of trusting the signature allows applets to escape the default security sandbox restrictions. On the other hand, with applications that use a custom security policy, explicit permissions need to be granted to the particular codebase and optionally, the signer. This has the benefit of ensuring that only trusted signed code runs with the specified privileges.
| Signing code, however, has its own problems. According to Schneier \[[Schneier 00|AA. Java References#Schneier 00]\]: | 
First, users have no idea how to decide if a particular signer is trusted or not. Second, just because a component is signed doesn't mean that it is safe. Third, just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited. Fourth, "safe" is not an all-or-nothing thing; there are degrees of safety. And fifth, the fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attacker could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored."
Code signing is designed primarily to verify authenticity of origin and integrity of the code. It relies on the Certification Authority (CA) to duly confirm the identity of the principal signer. Naive users should not be expected to understand how certificates and the Public Key Infrastructure (PKI) work. All too often, they associate digital signatures with safety of code execution, and trust the code to cause them no harm.
In general, there is a misconception that signed code is safe to be executed. The problem manifests itself when a vulnerability is discovered in signed code. As many users choose the option of permanently trusting the organizations that they have full confidence in, they are not notified about potentially harmful content if an adversary offers them the vulnerable software with the intentions of exploiting it. Consider, for example, signed Java applets. Whenever a certificate is verified to be correct (as opposed to being self-signed or tampered), on widely used platforms the user is confronted with a security dialog that has the check box option "Always trust the content from the publisher" turned on. The dialog asks whether the signed code should be executed or not. Unfortunately, by default this setting overrides any future warning dialogs when the user chooses to execute the code with the check box selected. An adversary may take advantage of this by supplying vulnerable code signed by the trusted organization. In this case, the code executes without the user's permission and may be freely exploited.
An organization that signs its code must not vouch for code acquired from a third party without carefully auditing it. The AccessController mechanism may be used wherein only the privileged code (doPrivileged() section) should be signed. The other code can be left unsigned, restricting it to the sandbox. Any code that is incomprehensible or unaudited must not be signed (SEC32-J. Create and sign a SignedObject before creating a SealedObject). 
It follows that unprivileged code is not required to be digitally signed and consequently should not be. This conviction adequately respects the guideline SEC00-J. Follow the principle of least privilege. For instance, unsigned applets and JNLP applications are granted the minimum set of privileges and are restricted to the sandbox.
EX1: An organization that has an internal PKI and uses code signing for internal development activities (such as to facilitate code-check-in and track developers) may sign unprivileged code. This codebase should not be carried forward to the production environment. The keys used for signing must not be used to ship the products.
Signing unprivileged code violates the principle of least privilege as it can circumvent security restrictions defined by the security policies of applets and Java Network Launch Protocol (JNLP) applications, for example.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| ENV00- J | high | probable | medium | P12 | L1 | 
TODO
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
| \[[Schneier 00|AA. Java References#Schneier 00]\] \[[McGraw 00|AA. Java References#McGraw 00]\] Appendix C: Sign Only Privileged Code \[[Dormann 08|AA. Java References#Dormann 08]\] | 
01. Runtime Environment (ENV) 01. Runtime Environment (ENV) ENV01-J. Do not deploy an application that can be accessed by the JVM Tool Interface