Jan 14, 2020 8:36:50 AM

Secure Code Signing Implementation at Scale

This blog is co-written with Robert Masterson from Thales

In today’s development environment, it’s important for every organization to utilize code signing as a way to ensure that the applications and updates they deliver to end users are trusted. This starts from the build process and goes all the way through to the release in order to develop code with a high degree of authenticity and integrity.

However, in the real world, as development has become more agile and, at the same time, more complex, implementing secure code signing practices at scale now has significant security implications. If you’re building code, spinning up containers, or running applications in the cloud, you need to seriously consider the risks involved in code signing, and how to respond if an incident occurs.

Secrets are your most critical security asset in any development environment, particularly your code signing keys. If private keys used to sign code find their way into the hands of an attacker, whether by accidental disclosure or a breach in the network, they can inflict serious damage on the business. IT and security teams can take hours or even days to remediate the issue, putting a drain on resources and creating unintended downtime.

Along with the security issues that come with agile development, the developers themselves need access to code signing certificates in ways that don’t hinder their workflows or tool sets. Oftentimes, certificate administrators and infosec operations find themselves at odds with a development philosophy where the focus is on continuous delivery and integration, not on mitigating risk.

Here are a few of the issues that we see modern IT organizations run into as they implement code signing at scale:

  • Not utilizing hardware to secure sensitive private keys tied to code signing certificates. Too often, we see developers store code-signing certificates in file systems, on workstations or build servers, or even emailed between developers, rather than stored securely in an HSM.
  • Having a way to enforce approval processes and role-based access controls around the use of code signing certificates is still a struggle for many companies. As personnel shift and change, it can also be very hard to keep track of where code-signing certificates live and who has access.
  • Many companies still struggle with how to enable geographically dispersed development teams to access code signing certificates, which also makes it more difficult to enable signing without exposing the private key and risking the assurance level of the digital signature that accompanies your software.
  • When it comes to efficiency, keeping code-signing certificates secure can also create extra steps for developers, causing delays in the build pipeline or release cycle. These delays often result from the time it takes to access code-signing certificates or to perform the signing operation itself.
  • Finally, and perhaps most importantly, it is incredibly difficult to track and log everything that occurs with code signing certificates for auditing and compliance.

After speaking with dozens of enterprises, we realized the need to build a solution that could solve these significant roadblocks facing application and security teams. Keyfactor and Thales teamed up to build an integrated solution – Keyfactor Code Assure – that would enable developers to move fast, without sacrificing the security of code signing certificates.

Using Keyfactor Code Assure, integrated with the Thales Luna or DPoD HSM, development teams can get access to code signing certificates from wherever they are, and use them to sign virtually anything – from container images and binaries to artifacts and software builds. Meanwhile, the private keys remain locked down in the Thales HSM, while developers can do their job efficiently and securely.

The Keyfactor Code Assure platform allows enterprises to:

  • Integrate directly with a Thales HSM for the highest level of protection for private keys, ensuring that they never leave the confines of the HSM.
  • Enable code-signing operations at scale without sacrificing speed or efficiency in your software development lifecycle (SDLC).
  • Leverage an identity provider to enable designated owners of code signing certificates to unlock access based on specific criteria such as location, time or number of signing operations.
  • Allow developers multiple interfaces to use code-signing certificates, including a web portal, a robust API suite, and a remote CSP/KSP interface.
  • Log every code signing activity that takes place, allowing you to know who signed what, when, and with which code signing certificate.
  • Use existing signing tools such as Microsoft SignTool and JarSigner, building additional assurance into your signing operations.
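The pattern the list above describes, a signing endpoint that keeps the private key out of reach, checks who may use it and how often, and logs every request, can be sketched in a few dozen lines. This is an added illustration, not Keyfactor or Thales code: `SigningService` is a hypothetical stand-in for an HSM-backed endpoint, Ed25519 stands in for whatever algorithm the real certificate uses, and the signer names, key ID and quota are constructed sample values.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)
// AuditEntry records who asked to sign what, when, with which key, and whether policy allowed it.
type AuditEntry struct {
	When    time.Time
	Signer  string
	KeyID   string
	Digest  string // SHA-256 of the artifact identifies "what" without storing the artifact itself
	Allowed bool
}
// SigningService is a hypothetical stand-in for an HSM-backed endpoint: the private key lives in an unexported field and only signatures leave.
type SigningService struct {
	priv      ed25519.PrivateKey
	keyID     string
	allowed   map[string]bool // signers authorised for this key (role-based access)
	remaining int             // signing operations left before the key owner must re-approve
	Audit     []AuditEntry    // append-only log of every request, denied ones included
}
// NewSigningService generates the key inside the service; callers never receive it.
func NewSigningService(keyID string, allowed map[string]bool, quota int) (*SigningService, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{priv: priv, keyID: keyID, allowed: allowed, remaining: quota}, nil
}
// PublicKey is the only key material exposed; consumers use it to verify signatures.
func (s *SigningService) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }
// Sign enforces the access policy, logs the request either way, and returns only the signature.
func (s *SigningService) Sign(signer string, artifact []byte) ([]byte, error) {
	d := sha256.Sum256(artifact)
	e := AuditEntry{When: time.Now().UTC(), Signer: signer, KeyID: s.keyID, Digest: hex.EncodeToString(d[:])}
	defer func() { s.Audit = append(s.Audit, e) }() // logged on every return path, allowed or denied
	if !s.allowed[signer] {
		return nil, errors.New("signer " + signer + " is not authorised for key " + s.keyID)
	}
	if s.remaining <= 0 {
		return nil, errors.New("signing quota for " + s.keyID + " exhausted; re-approval required")
	}
	s.remaining--
	e.Allowed = true
	return ed25519.Sign(s.priv, artifact), nil
}
```

A consumer verifies with `ed25519.Verify(svc.PublicKey(), artifact, sig)`; a modified artifact or a signature from another key fails, while the service's `Audit` slice holds one entry per request, refused ones included.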

Being able to control the usage of your code signing certificates and securing the private keys in an HSM will empower your organization to digitally sign with high assurance and confidence. Keyfactor Code Assure, combined with either a cloud-based Thales Data Protection On Demand (DPoD) HSM or on-premises Thales Luna HSM, will help you truly unlock your code signing operations and sign your code at scale.

Learn more about: Keyfactor Code Assure

Learn more about: Thales Data Protection On Demand (DPoD) HSM and Thales Luna HSM

Discover how certificate lifecycle automation can help you achieve DevOps and security goals in the DevOps.com eBook.