According to a recent mandate by the CA/B Forum, the new minimum key size for code signing certificates increased from 2048 bits to 3072 bits on June 1, 2021. Today’s cybersecurity landscape is changing as digital transformation continues to sweep the globe, and 2048 bit RSA key length may no longer be enough to secure code in the coming years.
Making the switch to a 3072-bit minimum key length ensures that developers are publishing software that can be used safely for many years to come. Let’s dig into the reasons for the changes in key length requirements and how to prepare for the switch.
What is a Code Signing Certificate?
Code Signing Certificates are digital certificates that fully identify publishers. They’re issued by a certificate authority that adheres to minimum RSA key length requirements. If there are any changes made to the code, a new signature will need to be issued.
Browsers and users know that they are in a safe application environment when a digital signature is applied. Code signing not only identifies the source of an application, but also certifies the safety and validity of the software. If there is no certificate, or the digital signature appears to have been tampered with, users will receive a security warning, letting them know that the software may not be trusted.
This is why valid code signing certificates are vital for developers. Customers will not be likely to trust a publisher that does not have the proper certificates in place, and they shouldn’t. Without a code signing certificate, code changes can be made without warning and users could unknowingly download malicious code injected by cybercriminals trying to steal their data.
This means any software applications that are used in conjunction with the most widely accepted root programs must be validated by a code signing certificate, in addition to the SSL/TLS certificates on websites. Just as SSL/TLS certificates provide trust in websites, code signing provides trust by protecting software, applications, and drivers.
Why change the minimum key length?
Updating key lengths is how the CA/B Forum future-proofs certificates because a longer key equals a stronger digital signature. Increasing the key length provides that the computational power needed to crack it does not exist yet and likely won’t for a long time.
With a new generation of technology comes new threats, and security experts must adapt. Changing the code signing key length requirements enables developers to continue providing trustworthy products for consumers that accurately identify the publisher and prevent hackers from injecting malicious code into application software.
For example, 1024-bit keys were considered to be safe until about a decade ago when computing power caught up. 2048-bit keys have been in use since then, but computational advancements have given experts reason to assume these keys will be able to be cracked within the next 5-10 years. Upgrading the minimum key length requirements to 3072 bits exponentially increases the length of time it takes to crack the key, meaning code signing certificates under the new mandates will hopefully keep developers safe for the foreseeable future.
These key length changes come along shortly after Apple and Google announced that after September 1, 2020 SSL and TLS certificates would no longer be issued for more than 13 months. The reason is simple: the longer in between SSL/TLS validations the greater the risk.
Google has said ideally domain validation should occur every six hours, and the CA/B Forum and browsers have relationships where they depend on each other to create secure connections. When major root programs see the need to implement certificate changes, minimum baseline requirements usually follow.
As computers become more powerful, maintaining certificates will require longer and longer key lengths with shorter and shorter validation terms. To ensure interoperability, automated certificate lifecycle management software will be crucial to support a secure environment for users.
How to prepare for code signing changes
Any certificates that are issued after June 1, 2021 will automatically be updated according to the new standards, and you will not have to specify a 3072-bit trust chain when purchasing. If you’re curious about what key length your existing code signing certificate is running, you can easily check your key size by looking up the certificate file in Windows.
In a previous blog we mentioned that starting May 31, 2021, all GlobalSign Code Signing keys will be issued at 4,096-bit lengths. This includes renewals and re-issues, too.
While the key length change won’t have much of an effect on the end user experience, software developers need to be aware of the change to stay safe as we move forward with more advanced public key infrastructure. The cyber threat landscape in 2021 is more complex than ever, and eventually, the 2048-bit length will become an easy target for hackers to inject malicious code into your products.
Wrapping up
Developers often manage multiple keys across complex networks, and in the future an automated lifecycle management system might be mandatory in order to keep up with the rapid pace of code signing and SSL/TLS certification changes. As of now, code signing certificates are good from one to three years depending on the lifecycle that you choose, and SSL/TLS certifications are good for 13 months.
Aside from increasing security, the new key length changes give us a glimpse into the speed at which technology is developing. You can expect to see more news in code signing certifications as cloud computing rapidly increases the amount of computing power available to us.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.
