What are the best practices for code signing and how to implement them?
When dealing with cybersecurity and the security of an organization, it is vital to prepare for every eventuality. One of the most important forms this takes, especially with organizations creating and distributing software to customers, is code signing. At its core, code signing is a relatively simple process. A software publisher or distributor wants to create code to send out to be used by a customer, but first they must ensure that the code can be trusted by the user. This is where code signing comes in. First, a key pair is generated from a trusted, usually external, Public Key Infrastructure (PKI) using something called a Certificate Signing Request.
A Certificate Signing Request, or CSR, requests that a certificate be generated and signed by a trusted PKI and associated with a key pair. A key pair involves a public key and private key which, as the names imply, are kept publicly and privately available respectively. The CSR and keypair are then sent to the Certificate Authority of the PKI, and the user’s identity is verified by the Certificate Authority, or CA. After this verification, the CSR itself is authenticated and the public key is bundled with the requestor’s identity, thus creating a valid code signing certificate once the CA signs the bundle. The requestor then receives the certificate and can begin signing code.
Once the code signing certificate is created, the code signing process truly begins. First, the code to be signed is hashed via a hashing algorithm. A hashing algorithm takes a file as input, and creates a hash digest. A hash digest is a series of numbers and letters that is unique based on the contents of a file. If a file had a single letter changed, then the hash digest would be completely different. The hash and private key of the certificate are then passed into a signing algorithm and creates a signature. The signature is then attached to the code and sent to the user. Before we delve into the best practices of code signing, let us take a short look at why code signing is so important.
The Importance of Code Signing
Code signing is vital to many organizations’ security. If an attacker can steal the ability to sign code with malware in it, the reputation of your organization would be at risk. Additionally, the validity of the software and the developer of the software can be authenticated through code signing. This allows the door to big application stores to be opened as well. The biggest application stores require the use of code signing with applications used in these app stores. This will allow many smaller application owners to get their apps onto the big app stores with the simple process of code signing. Now that we know why code signing is so important, let us take a look at the code signing best practices.
Code Signing Best Practices
An important part of any code signing should be that malware and virus scanning is in place. Virus scanning should be done when the file is uploaded to be hashed. The reason virus scanning is so vital is because if code has malware embedded into it and then is hashed, that malware may go undetected during the signing process. Once the code is signed and approved by your organization, with malware embedded, then a user would install that code onto their computer without hesitation since a trusted organization has approved the signed code. Once downloaded, the malware can begin infecting the user’s computer, thus giving your organization a bad name and harming users who trusted that organization. It is best to select a code signing tool that can integrate with your organization’s already in place virus and malware scanning.
Secure Private Key Storage
One of the most vulnerable parts of the code signing process is the private key associated with the certificate. If this is improperly protected, then the whole process of code signing is for nothing. Once the key is stolen, an adversary can use that key to sign their own code under the organization’s name, making the users think it is a trusted piece of software when it is not. They can then send out code, said to be from your organization, filled with malware such that all users who download and use the software will become infected. In recent years, many supply chain attacks have occurred in this very way. With improper protections in place on private keys, adversaries were able to get ahold of these keys and sign code with malware in the code.
The code was then sent to Service Providers, who each have thousands of users that use this software in multiple different companies. The malware was then able to infect all of these users, thus allowing the attackers to steal information, money, and more. Software-based storage of keys is possible, but it is much less secure than hardware based key storage. It is recommended that a code signing solution be selected based on its use of a hardware-based storage method, such as a Hardware Security Module. These store keys so securely that an attacker would need to steal the device itself before cracking into the device to steal the keys. By that point, the keys could be rotated or made useless, so that the keys are now useless.
Other tools can be used with code signing to ensure that any signings are kept secure. Tools like Active Directory, Multi Factor Authentication, 2 Factor Authentication, and more are great ways to keep track of who can sign code and when. With these tools, a user would need to not only sign in with a password but also with a secondary layer of verification before accessing a webpage to create code signing key pairs and before the actual signing process. This will stop outsider attackers from signing when they shouldn’t and can also track any insider threats that may occur within an organization. Any code signing product in use by an organization should be utilizing some type of secondary verification to ensure the most security is in place to protect sent out by said organization.
The usage of time stamping is another important tool used in the process of code signing. Time stamping involves imprinting a specific time and date at the time of signing for the purposes of logging and tracking signing processes. This is usually done by contacting a timestamping server during the code signing process. This timestamp will help with the next best practice I will discuss, the process of logging signing operations.
One other important factor in code signing is logging each code signing operation and other related tasks. Operations like creating a key pair, creating a code signing certificate, actually signing code, and changing code signing certificates or key pairs should all be logged for future usage. Having logs stored in one location will allow auditors to view processes that have occurred to make note of what is occurring within the code signing tool.
Additionally, if an insider or outsider threat occurs, then it is also important to have these logs. This will allow an organization to track the processes that have occurred to discover who has signed what. Logging can also be used to stop a malicious developer from signing mid process. If a signing process is not approved by the proper teams, then it can be stopped before it is too late.
If you are wondering where you can gain access to a code signing tool, look no further than Encryption Consulting. At Encryption Consulting, we have a code signing tool called Code Sign Secure. Our tool utilizes all the different best practices mentioned in this blog, and more. Our tool uses Hardware Security Modules to safely secure private keys relating to code signing certificates. We also utilize Active Directory to login to our website to create keys and certificates and Multi Factor Authentication which is necessary before signing any code. We also use role-based access control, so that only those with the proper permissions may use any part of our code signing product. Finally, we use virus scanning before a file is hashed, we timestamp every signature that is created, and we have centralized logging accessed via our webpage.
To find out more about Code Sign Secure, or to try our Proof of Concept, reach out to CodeSigning solution.