How to Secure and Simplify the Code Signing Process

Threats to software — especially during the development and distribution phase — are increasing, making the case for code signing to ensure that the code is trusted and hasn’t been tampered with. Organizations can turn to our KMES Series 3 key management servers, to secure and store Extended Validation (EV) code signing certificates, generate keys, and automate the entire certificate lifecycle management process. Automatic digital certificate management helps implement security throughout the software supply chain, ensuring code authenticity without slowing anything down.

Digitally signing code for firmware, device drivers, applications, operating systems, or mobile applications is a common and effective method to protect software. Code signing can improve the security of the software supply chain by protecting the code integrity at each step, according to the National Institute of Standards and Technology (NIST). NIST explains, “Digitally signing code provides both data integrity to prove that the code was not modified, and source authentication to identify who was in control of the code at the time it was signed.”

Our HSMs provide hardened key storage and directly integrate with existing code signing technologies that validate publisher identity and ensure code integrity. Direct integrations currently include:

• Microsoft Authenticode
• Java jarsigner
• RPM (Red Hat)
• Docker

Integrating our KMES Series 3 into DevOps pipelines can improve workflow efficiency while supporting other cryptographic operations across the organization. Centralizing and automating certificate issuance and management will help incorporate compliance processes and speed up the development process.

Streamlining Code Signing in DevOps and DevSecOps Pipelines

We recommend that code signing — and the certificates used in that process — is centralized and automated using cryptographic hardware. Connor Smith, solutions architect at Futurex, walks through the process of hardened code signing in the steps below and provides more details in his recent article in DevOps.com.

1. Unsigned code ready for distribution. Time to generate public-private key pair. We start with an unsigned executable that is ready for distribution. To securely sign the code, the code publisher needs to generate a public-private key pair. The most secure way to generate code-signing keys is by using a FIPS 140-2 Level 3 HSM.
2. Submit public key and Certificate Signing Request (CSR) to an issuing certificate authority (CA). With the key pair generated in step No. 1, the CSR is generated and submitted to an issuing CA. The CSR contains information that identifies the publisher and signature algorithm, as well as the digital signature.
3. Identification of publisher and authentication of CSR. The Issuing CA verifies the code publisher’s identity then authenticates the CSR, ensuring the publisher has digitally signed it. If both identification and authentication are successful, the Issuing CA packages the publisher’s identity with the public key then signs the package, creating the code-signing certificate.
4. Ready to sign. Determine the level of security. Now that the code-signing certificate is ready for use, any executable can be signed and deployed unless further code testing or QA needs to occur. Enterprises often find themselves storing their code-signing keys on the code publisher’s local machine or server, an insecure method that can result in significant problems.

Using FIPS 140-2 Level 3-validated HSM for secure key generation and certificate storage can drastically reduce the manual labor that is typically required with continuous integration code builds. Introducing HSMs into DevOps and DevSecOps pipelines simultaneously improves workflow efficiency and supports other cryptographic operations across the organization.

Do you need help improving your code signing processes? Let’s schedule a virtual meeting and we can walk through how to make code signing more streamlined for your organization.