Would a digital signature have prevented the CCleaner compromise?

Based on the incomplete details that have been released so far, the malicious code was inserted before compilation and signing (e.g. on a developer's machine, or on a build server). As a result, the compromised version was signed by exactly the same processes as would be used by the uncompromised version. The flaw was introduced before the signing of the binary took place.

Similarly, a checksum would have been calculated based on the results of the compilation, by which point the malicious code was already present.

This is a weak point in all signing architectures - if the process before the signature is compromised, there is no real way to detect it. It doesn't mean they're unhelpful - if the attackers didn't get access to the systems until after the signature had been applied, the tampering would have been detected easily, since the signature wouldn't have matched.


Being signed by a trusted cert and having a public hash/checksum of the code are different things.

The cert will (should) tell you the software is from a trusted source but that is it.

A hash or checksum will let you verify the binary matches the originally computed hash. In this case, however, the hash was computed while the malicious code was present in the source code, rendering this particular safeguard useless; if anything, it adds a false sense of security.

When offering a public hash or checksum (assuming the source code has not been compromised), you should take measures to have that hash served from a 3rd party domain. Imagine a situation where an attacker compromises your site, swaps a genuine binary for a malicious one, then changes the public hash you are displaying on your site. At least if it is served from a 3rd party the attacker would also have to compromise that 3rd party to change the hash.

Remember, though, that this particular attack was apparently the consequence of a hacked developer machine, so none of these hash/checksum or code signing controls would have been any use anyway.
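The two timelines described in both answers (code inserted before the build is signed versus a binary swapped after release, with the hash held by a third party), as an added worked model that is not part of either answer. It assumes a toy "compiler" and uses an HMAC as a stand-in for the publisher's signature so it runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed stand-in for the publisher's private signing key. HMAC is used
# here only to model "sign whatever the build produced"; a real release uses
# an asymmetric signature (e.g. Authenticode), but the ordering problem is identical.
SIGNING_KEY = b"constructed-release-signing-key"

GENUINE_SOURCE = "int main(void) { return 0; }"
IMPLANTED_SOURCE = GENUINE_SOURCE + " /* constructed implant */"


def build(source: str) -> bytes:
    """Toy compiler: the artifact is a deterministic function of the source."""
    return b"BINARY:" + source.encode()


def sign(artifact: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(artifact), signature)


def publish_hash(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def release(source: str):
    """The pipeline: build first, then sign and hash whatever came out of the build."""
    artifact = build(source)
    return artifact, sign(artifact), publish_hash(artifact)


def tamper_before_signing() -> dict:
    """Source altered on the build machine; the normal pipeline then signs the result."""
    artifact, sig, published = release(IMPLANTED_SOURCE)
    # Both checks pass: nothing downstream can tell this build from a genuine one.
    return {"signature_ok": verify(artifact, sig),
            "hash_ok": publish_hash(artifact) == published}


def tamper_after_signing() -> dict:
    """Binary swapped on the download site after release; the attacker also rewrites
    the hash shown on that site, but not the copy held by an independent third party."""
    genuine, sig, third_party_hash = release(GENUINE_SOURCE)
    swapped = build(IMPLANTED_SOURCE)
    own_site_hash = publish_hash(swapped)  # attacker-controlled page now "matches"
    return {"signature_ok": verify(swapped, sig),
            "own_site_hash_ok": publish_hash(swapped) == own_site_hash,
            "third_party_hash_ok": publish_hash(swapped) == third_party_hash}
```

Only the second scenario is detectable, and only by the signature or by a hash the attacker could not rewrite.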