Code Signing Reading Time: 6 minutes

What are the best practices for code signing and how to implement them?

When dealing with cybersecurity and the security of an organization, it is vital to prepare for every eventuality. One of the most important forms this takes, especially with organizations creating and distributing software to customers, is code signing. At its core, code signing is a relatively simple process. A software publisher or distributor wants to create code to send out to be used by a customer, but first they must ensure that the code can be trusted by the user. This is where code signing comes in. First, a key pair is generated from a trusted, usually external, Public Key Infrastructure (PKI) using something called a Certificate Signing Request.

A Certificate Signing Request, or CSR, requests that a certificate be generated and signed by a trusted PKI and associated with a key pair. A key pair involves a public key and private key which, as the names imply, are kept publicly and privately available respectively.

The CSR and keypair are then sent to the Certificate Authority of the PKI, and the user’s identity is verified by the Certificate Authority, or CA. After this verification, the CSR itself is authenticated and the public key is bundled with the requestor’s identity, thus creating a valid code signing certificate once the CA signs the bundle. The requestor then receives the certificate and can begin signing code.

Once the code signing certificate is created, the code signing process truly begins. First, the code to be signed is hashed via a hashing algorithm. A hashing algorithm takes a file as input, and creates a hash digest.

A hash digest is a series of numbers and letters that is unique based on the contents of a file. If a file had a single letter changed, then the hash digest would be completely different. The hash and private key of the certificate are then passed into a signing algorithm and creates a signature. The signature is then attached to the code and sent to the user. Before we delve into the best practices of code signing, let us take a short look at why code signing is so important.

The Importance of Code Signing

Code signing is vital to many organizations’ security. If an attacker can steal the ability to sign code with malware in it, the reputation of your organization would be at risk. Additionally, the validity of the software and the developer of the software can be authenticated through code signing. This allows the door to big application stores to be opened as well.

The biggest application stores require the use of code signing with applications used in these app stores. This will allow many smaller application owners to get their apps onto the big app stores with the simple process of code signing. Now that we know why code signing is so important, let us take a look at the code signing best practices.

Code Signing Best Practices

  • Virus Scanning

    An important part of any code signing should be that malware and virus scanning is in place. Virus scanning should be done when the file is uploaded to be hashed. The reason virus scanning is so vital is because if code has malware embedded into it and then is hashed, that malware may go undetected during the signing process.

    Once the code is signed and approved by your organization, with malware embedded, then a user would install that code onto their computer without hesitation since a trusted organization has approved the signed code. Once downloaded, the malware can begin infecting the user’s computer, thus giving your organization a bad name and harming users who trusted that organization. It is best to select a code signing tool that can integrate with your organization’s already in place virus and malware scanning.

  • Secure Private Key Storage

    One of the most vulnerable parts of the code signing process is the private key associated with the certificate. If this is improperly protected, then the whole process of code signing is for nothing. Once the key is stolen, an adversary can use that key to sign their own code under the organization’s name, making the users think it is a trusted piece of software when it is not.They can then send out code, said to be from your organization, filled with malware such that all users who download and use the software will become infected. In recent years, many supply chain attacks have occurred in this very way. With improper protections in place on private keys, adversaries were able to get ahold of these keys and sign code with malware in the code.

    The code was then sent to Service Providers, who each have thousands of users that use this software in multiple different companies. The malware was then able to infect all of these users, thus allowing the attackers to steal information, money, and more. Software-based storage of keys is possible, but it is much less secure than hardware based key storage. It is recommended that a code signing solution be selected based on its use of a hardware-based storage method, such as a Hardware Security Module. These store keys so securely that an attacker would need to steal the device itself before cracking into the device to steal the keys. By that point, the keys could be rotated or made useless, so that the keys are now useless.

  • Secondary Verification

    Other tools can be used with code signing to ensure that any signings are kept secure. Tools like Active Directory, Multi Factor Authentication, 2 Factor Authentication, and more are great ways to keep track of who can sign code and when. With these tools, a user would need to not only sign in with a password but also with a secondary layer of verification before accessing a webpage to create code signing key pairs and before the actual signing process. This will stop outsider attackers from signing when they shouldn’t and can also track any insider threats that may occur within an organization. Any code signing product in use by an organization should be utilizing some type of secondary verification to ensure the most security is in place to protect sent out by said organization.

  • Time Stamping

    The usage of time stamping is another important tool used in the process of code signing. Time stamping involves imprinting a specific time and date at the time of signing for the purposes of logging and tracking signing processes. This is usually done by contacting a timestamping server during the code signing process. This timestamp will help with the next best practice I will discuss, the process of logging signing operations.

  • File Logging

    One other important factor in code signing is logging each code signing operation and other related tasks. Operations like creating a key pair, creating a code signing certificate, actually signing code, and changing code signing certificates or key pairs should all be logged for future usage. Having logs stored in one location will allow auditors to view processes that have occurred to make note of what is occurring within the code signing tool.

    Additionally, if an insider or outsider threat occurs, then it is also important to have these logs. This will allow an organization to track the processes that have occurred to discover who has signed what. Logging can also be used to stop a malicious developer from signing mid process. If a signing process is not approved by the proper teams, then it can be stopped before it is too late.

  • Key & Certificate Management

    To ensure the security of your keys, it is critical to have a strong key and certificate management system.

    • Limit Repeated Key Use

      Key rotation is one practice that reduces the extent to which any given key is utilized. It is the process of retiring an existing signing key and replacing it with a freshly generated cryptographic key. Rotating your keys frequently minimizes the risk, as using a key for multiple signings creates a vulnerability.

      If compromised, all software signed with that key becomes invalid. Attackers can exploit this and make you more susceptible to a software breach by distributing malware disguised as legitimate software.

    • Revoke Compromised Certificates

      Certificate revocation is the process of stopping the usage of a certificate before its period of validity gets complete. Stopping the usage of the compromised certificate is vital, as unauthorized parties cannot continue to sign malicious code under your enterprise’s name.

      If you suspect a break in your key or certificate, action is crucial; contacting your Certificate Authority (CA) and revoking the certificate to prevent the use of this key for code-signing is a good option to consider.

  • Streamlined Signing Process

    Automation in signing should be implemented to maintain efficiency in the workflow and development so that it takes less time due to fewer human factors:

    • Test Signing and Release Signing Difference

      To avoid accidentally releasing untested code, one could differentiate between test signing and release signing. Test signing is for internal use only to check inwards in the company or organization but not for clients, while release signing is the final state deployed to clients.

      This could be achieved in many ways, like having different certificates or a well-defined name for the signings for testing and release.

    • CI/CD & Code Signing

      The CI/CD pipeline is fully automated and gets you from development to deployment. This includes the building, testing, signing, and deploying. Code signing integrated with your Software Development Lifecycle (SDLC) saves time and helps with consistency.

      Signing manually can take time and become error-prone, especially on larger projects with numerous developers. The acquisition of an automated code signing process using a CI/CD pipeline would speed up the process and reduce the risk of human error.

  • Advanced Security Measures

    Prevention is better than cure; to do that, one must be vigilant and take proactive measures against evolving security threats. The following are some advanced security measures against signing any malicious code.

    • Stay Up to Date

      Code Signing is a domain that must keep up with the times; source code must be proven trustworthy and up to date. Outdated cryptographic algorithms might be prey to new assaults, leaving your code-signing protocol inoperable.

      Regularly evaluate and upgrade your organization’s cryptographic standards to ensure they’re in sync with the most recent best practices.

    • Compare Signings

      Existing conditions and the threat of code manipulation make it necessary to verify one signing against the other, keeping the source code’s trustworthiness in front of the user. Signing’s comparison from different servers’ builds could be used to check for disparity, revealing sources of exploitation.

      Differences in signings reflect unauthorized changes or criminal attempts to populate the source with malware to extract sensitive information. The output from such checks turns into a “vote of confidence” if two or more signing builds show an equivalent result, representing a safe user environment.

Conclusion

If you are wondering where you can gain access to a code signing tool, look no further than Encryption Consulting. At Encryption Consulting, we have a code signing tool called Code Sign Secure. Our tool utilizes all the different best practices mentioned in this blog, and more. Our tool uses Hardware Security Modules to safely secure private keys relating to code signing certificates. We also utilize Active Directory to login to our website to create keys and certificates and Multi Factor Authentication which is necessary before signing any code. We also use role-based access control, so that only those with the proper permissions may use any part of our code signing product. Finally, we use virus scanning before a file is hashed, we timestamp every signature that is created, and we have centralized logging accessed via our webpage.

To find out more about Code Sign Secure, or to try our Proof of Concept, reach out to CodeSigning solution.

Free Downloads

Datasheet of Code Signing Solution

Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code.

Download

About the Author

Riley Dickens's profile picture

Riley Dickens is a graduate from the University of Central Florida, who majored in Computer Science with a specialization in Cyber Security. He has worked in the Cyber Security for 4 years, focusing on Public Key Infrastructure, Hardware Security Module integration and deployment, and designing Encryption Consulting’s Code Signing Platform, Code Sign Secure. His drive to solve security problems and find creative solutions is what makes him so passionate about the Cyber Security space. His work with clients has ensures that they have the best possible outcome with encryption regulations, implementations, and design of infrastructure. Riley enjoys following his passion of penetration testing in his spare time, along with playing tennis.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo