1. What is the Global Trust Repository?
  2. How is the Global Trust Repository populated? And updated?
  3. How many signatures are in the Global Trust Repository (GTR)?
  4. Who has access to the Global Trust Repository?
  5. Is a SignaCert product required to use the Global Trust Repository?
  6. How will you verify the identities of those uploading ‘new’ file signatures? Can someone ‘spoof’ a trusted partner?
  7. Can this be used to identify malware?
  8. What types of signatures are captured in the Global Trust Repository?
  9. How do signatures get captured?
  10. How many signatures are in the repository?
  11. How current are the signatures in the repository?
  12. Has the industry been cooperative regarding harvesting?
  13. Can’t I get these signatures from NIST?

  1. What is the Global Trust Repository?
    The Global Trust Repository (GTR) is a repository of file information (e.g., file name and hash value) and metadata derived from software packages as they are published by the original software vendor. This technology provides customers with the ability to unequivocally identify and validate the authenticity of the files that make up the software system and/or application.

    The repository contains millions of signatures covering thousands of software applications from multiple vendors and suppliers, a broad collection of file and software components associated with diverse operating systems, applications, drivers, etc.

  2. How is the Global Trust Repository populated? And updated?
    Through cooperation from industry players, software signatures (cryptographic hashes) are gathered as early in the software release process as possible, using methods and procedures that ensure the authenticity of the files. This approach provides the best available coverage and the highest-quality reference to meet the demands of IT leaders and regulators alike. The integrity reference database is updated via proprietary methods to ensure the timeliness and security of the signatures. Metadata stored with each signature records when, how, and where it was collected, thus providing an auditable chain of custody for the data elements in the reference.

  3. How many signatures are in the Global Trust Repository (GTR)?
    SignaCert has millions of signatures, but the real value is in the verified authenticity of the broad enterprise application coverage SignaCert provides. The GTR is a multi-vendor, multi-platform repository that includes operating systems, business applications, and other software elements that are found in the enterprise. SignaCert works closely with IT vendors to maximize the authenticity and verifiability of the signatures and the software elements they represent.

  4. Who has access to the Global Trust Repository?
    SignaCert maintains strict controls over access to the Global Trust Repository. Only verifiable ‘from-the-manufacturer’ signatures are published to the database, and the SignaCert security architecture ensures that the signatures cannot be tampered with or inappropriately altered.

  5. Is a SignaCert product required to use the Global Trust Repository?
    No. SignaCert does provide an end-to-end solution, but SignaCert is working with leading industry players to have the SignaCert solution integrated into current and future systems management, security and compliance solutions. SignaCert’s goal is to enhance current vendor solutions by adding a vital and foundational capability that is missing today.

  6. How will you verify the identities of those uploading ‘new’ file signatures? Can someone ‘spoof’ a trusted partner?
    Submissions are coded to each individual publisher and encrypted prior to transmission. All submissions are quarantined and verified prior to inclusion in SignaCert’s trusted reference database.

  7. Can this be used to identify malware?
    Yes. SignaCert has captured malware signatures and maintains them in our repository. SignaCert may pursue relationships with malware signature providers, but it is not the company’s core value.

  8. What types of signatures are captured in the Global Trust Repository?
    The Global Trust Repository will include signatures for:
    • Operating Systems
    • Desktop applications
    • Enterprise applications
    • ISV niche products
    • Open Source products
    The Enterprise Trust Server will contain signatures from the GTR for commercially available products and signatures for customers' proprietary products and files. Harvesting tools will be provided so that customers can capture these signatures as required.

  9. How do signatures get captured?
    Signatures for commercial products can be harvested at their release point ensuring the highest accuracy possible. This is referred to as source harvesting.

    Another method, referred to as self harvesting, can be used by customers to capture signatures for their own proprietary products or files.
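
The self-harvesting described above, sketched as an added example (not SignaCert's code or tooling): it records a hash plus when/how/where collection metadata for each file, then checks a tree against that reference. The function names, record fields, choice of SHA-256 and sample files are assumptions made for illustration.

```python
import hashlib, os, socket, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def harvest(root, method="self-harvest"):
    """Build reference records keyed by relative path: hash plus custody metadata."""
    stamp = datetime.now(timezone.utc).isoformat()
    records = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            records[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "collected_at": stamp,                    # when
                "collected_how": method,                  # how
                "collected_where": socket.gethostname(),  # where
            }
    return records

def verify(root, reference):
    """Classify files under root as match, modified, unknown or missing."""
    observed = {rel: rec["sha256"] for rel, rec in harvest(root).items()}
    report = {}
    for rel, digest in observed.items():
        if rel not in reference:
            report[rel] = "unknown"       # file was never harvested
        else:
            same = digest == reference[rel]["sha256"]
            report[rel] = "match" if same else "modified"
    for rel in reference.keys() - observed.keys():
        report[rel] = "missing"           # harvested file no longer present
    return report

def demo():
    # Constructed sample tree standing in for a proprietary release.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "app.bin").write_bytes(b"v1")
        Path(root, "lib.so").write_bytes(b"lib")
        reference = harvest(root)
        Path(root, "app.bin").write_bytes(b"tampered")  # altered after harvest
        Path(root, "extra.sh").write_bytes(b"new")      # never harvested
        Path(root, "lib.so").unlink()                   # removed after harvest
        return reference, verify(root, reference)
```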

  10. How many signatures are in the repository?
    It is growing all the time, but we won't disclose the actual quantity. It is SignaCert’s position that the actual quantity is irrelevant, and that the content's relevance to customers is a much better measure of usefulness. SignaCert is actively capturing signatures for a wide variety of commonly deployed, commercially available products.

  11. How current are the signatures in the repository?
    It depends on how they are captured. If signatures are source harvested, they will actually be captured either just before or in parallel with the release process.

    If self harvested, they will be reasonably current, but it may take days, weeks, or in the worst case months to capture signatures for newly released products.

  12. Has the industry been cooperative regarding harvesting?
    Very. They understand that customers are demanding improved quality and manageability from their products and view this as an opportunity to help achieve this.

  13. Can’t I get these signatures from NIST?
    Yes, but these data sets are incomplete and not up to date. NIST provides NSRL, but there are several others as well.
