When a mobile application, software, or embedded firmware is digitally signed using a private key, the code provided to the end-users ensures that it is originated from a trusted and legitimate source and hasn't been tampered with ever since the code was signed. Code signing — when deployed correctly — is a powerful way to secure code. It guarantees that the code hasn't been tampered with. Code signing is a popular cryptographic method used by software developers to prove that a piece of software or the code used to create it, is authentic and without any malware.
Why Is It Important to Protect Code Signing Keys?
The most significant issue with code signing is protecting the private code signing key linked with the code signing certificate. If the private key is compromised, the certificate suffers trust and value, endangering the software you have signed.
Numerous organizations use secure vaults and Hardware Security Modules to protect themselves. It helps in increasing the degree of security of their private keys. Other than these, organizations also use certificate managers that help in automating and securing the lifecycle management of all code signing certificates. Thus, the importance of certificate managers goes a long way towards supporting the integrity of private keys and other encryption assets.
How Do You Implement Code Signing?
An adequately hashed unique private key is required to implement the Code Signing Certificate. This is crucial so that the encryption/decryption combination is not easily defeated. The public and the private key combination is the core of the process within public-key cryptography, allowing communication without access.
Once the new key pair is generated using public key infrastructure (PKI), the public key is forwarded to the certificate authority. Upon receiving the keys, they verify the identity of the developers and append their own public key to the code signing certificate. The certificate and code are then sent back to the source developer that requested for the certificate.
Now that the developer owns a signed code certificate and an encryption key pair, they are required to hash the software's code before encrypting and signing it. Here, hashing is a process in which a hash function is practiced converting code into an arbitrary fixed value. The output of hashing, called a digest, is then encrypted employing the private key. Once it is done, the developer links this digest with the code-signing certificate and the hash function to perform a signature block. In this process, all of the above items are combined into a code that can be conveniently embedded into the software.
Top 5 Code Signing Best Practices
- Reducing & Controlling Your Private Key Access: One of the most significant security threats is compromising, losing, or exfiltrating the private key of a code signing certificate. It's pretty alluring to hackers due to malicious actors' freedom to sign any code, anywhere. To avoid losing a private key, make sure to allow minimum access to private keys. Physical security controls must be used to reduce access to private keys.
- Avoid creating bad habits: It is essential to use the code signing certificates within your system properly. However, if behavioral patterns are not enforced to maintain and properly use the keys, then no matter what practices you employ, it will be useless. Try developing a culture where people understand the application and importance of code signing and different types of certificates. This can only improve your organizational security as a whole.
- Protect private keys with cryptographic hardware: You can use cryptographic hardware that basically allows you to protect your private keys with the latest encryption algorithms. This type of hardware protects your private keys from falling into the hands of malicious actors. You can use a FIPS 140 Level 2-certified product (or better) or an EV code signing certificate which requires the private key to be generated and stored in hardware.
- Time-stamp code: Time-stamping your code allows you to recognize when code was written of the certificate it uses. This allows the code to be reverified as a legitimate one, in case the certificate is expired or revoked. This helps recognize the exact date and time as the level of protection can be weakened or outright broken as technology and cryptographic threats evolve.
- Authenticate code: Code signing does not explicitly identify code as safe; however, it states who wrote it and when it is published. The code, even after signing, needs to be fully authenticated before it can be released to the public in good faith. By following proper authentication steps, the developers and users can ensure that the code doesn't contain malicious data that can harm customers and damage your reputation. All authentication procedures of the code signing activities should be documented for posterity in case of a probable investigation or incident.
Give your organization that extra security boost — and save yourself from exposure — by taking steps to implement code signing certificate correctly. Let's schedule a meeting to walk through how to help maintain your organization's day-to-day security, health, and longevity. Mail us at sales-in@globalsign.com and share your concerns with us to solve them with our best in the market solutions.
