Code signing is the particular process of getting your codes signed digitally by a trusted CA or certificate authority. The identity of the authority is verified by the CA, then assure end-users that the identity of whoever submitted it is verified.
Conceptually, this whole procedure is really straightforward. In order to make the whole process more effective and a bit smoother, you can implement some best code signing practices.
- 1 5 Major Code Signing Best Practices You Should Be Aware Of
- 2 Some More Practices
- 3 Conclusion
5 Major Code Signing Best Practices You Should Be Aware Of
Here I will guide you with 5 major code signing practices that you can utilize for a more effective and smoother process.
Restrict Access To private Keys
The first and really crucial practice is to restrict access to your private keys. The name itself suggests that private keys are not a key that can be shared publicly or with anyone you want to. It should be kept a secret.
You should grant access to only authorized persons to computers that contain code signing keys. In order to establish strict accountability for the usage of private keys, proper care for enforcing access control and that too using physical security solutions and their software counterparts can actually help.
Store Private Keys With Cryptographic Hardware Solutions
Use a FIPS or Federal Information Processing Standard 140-2 Level 2 certified cryptographic device as a minimum protection standard. All these devices never permit the exporting of private keys.
You can use an EV code signing certificate for storing the private key in a cryptographic hardware device, such as USB tokens, smart cards, etc. now, physically secure the specific device in a locked cabinet. You also need to make sure that the hardware device is protected with a strong, randomly generated password.
Never Forget To Timestamp Your Code
Timestamping is for extending the trust beyond the code signing certificate’s validity period. Even if the certificate has been revoked or expired, it allows the code to be verified.
The revocation depends on a particular date along with a signature that was issued prior to the revocation date. Up to a maximum validity period of 135 days, the timestamp certificates can be issued.
Difference Between A Release-signing Certificate And Test-signing Certificate
For signing software’s prerelease builds, a test signing certificate is used. And only within the test environments, it is trusted. The test signing certificate either can be self-signed or can be signed by an internal CA, who is completely trusted within the internal corporate network.
For signing the production code, which will be provided to the end-users, the release signing certificate is used. Users from the whole world will trust the root certificate that is used for signing the publicly released build.
For signing the prerelease code, develop a separate code signing infrastructure. Release signing certificates and keys always require more strict security access than test-signing private keys and certificates.
Authenticate The Code To Be Signed
Prior to signing and releasing, any kind of code that is submitted for signing is required for authentication.
As per Microsoft code signing practices, for stopping malicious or unapproved code from being signed, a streamlined process should be implemented for submission and also the approval of the code.
In order to maintain audit logs and also for escalation of those independent response cases, it is best to keep a record of all the activities related to code signing.
Some More Practices
Though I have mentioned 5 major code signing best practices that you should be aware of, here are some more practices that will also benefit you.
- Before signing, scan the code for viruses.
- Revocation of compromised certificates.
- For signing, do not overuse one private key.
- Centralize your code signing management.
- Offer flexibility and agility into your code signing environment.
So, these are all the necessary code signing practices that you need to consider. All these will enhance the security level, and your code signing process will become much more effective and smoother at the same time. Keep the focus on each of these practices.