Security Considerations For Code Signing
Code signing is defined as a process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed.
Code signing certificate software helps digitally sign data that is available online and plays a crucial role in preventing third party access while downloading software online.
TYPES OF CODE SIGNING CERTIFICATES
Code signing certificates for all types of devices that connect to the internet are conveniently available online. The most popular code signing certificates are:
1. Desktop Type Code Signing Certificates The desktop type code signing certificates are further classified into the following types:
a) Code Signing Certificates for Microsoft Authenticode This will assist Microsoft Authenticode users by reducing the warning messages and will also ensure the integrity of the code to the users. The digital signature can be deployed with different encryption algorithms and also for kernel-mode software. It was particularly designed and created for Microsoft Windows programs.
b) Code Signing Certificates for Java This will defend the software code and content present on Java Applets. The certificate signs *.jar files using the digital shrink web technology. It ensures the code's integrity since it was signed and is recognized by Java Runtime Environment(JRE).
c) Code Signing Certificates for Microsoft Office and VBA This is a successfully tested security certificate for Microsoft Office and other third-party applications using Microsoft Visual Basic Applications.
d) Code Signing Certificates for Adobe AIR This certificate consists of digital signatures for code and content to retain the software's integrity or application on the internet. A digital signature for Adobe Ajax and Flex files is also available. It is specifically for people who develop a desktop-based application for Adobe AIR.
2. Mobile Type Code Signing Certificates The mobile type code signing certificates are further classified into the following types:
a) Code Signing Certificates for Windows Phone This is particularly for Windows Phone and Xbox applications and is required for Microsoft App Hub service.
b) Code Signing Certificates for Windows Phone Private Enterprise This is particularly for Windows Phone's Private enterprise applications and is required for organizations that use Windows Phone Dev Center.
c) Code Signing Certificates for Java Verified This is used to sign the Java ME applications which are present within the Java Verified Program framework.
d) Code Signing Certificates for Android This is used for the Android OS platform and automatically keeps track of the certificate keys.
e) Code Signing Certificates for Brew This is particularly used by commercial Brew Developers and is required to notarize Brew applications digitally.
WORKING OF CODE SIGNING
The workings of an SSL certificate and code signing certificate are quite similar, and so many Certificate Authorities(CA) sell both. Let's look at how to obtain, install, and use a code signing certificate:
1) Purchase a certificate The user chooses a code signing certificate based on their requirements and whether we require it for an individual or an organization. Notably, there is no difference between the certificate granted to an individual or an organization; only the verification process varies.
2) The CA verifies the identity The CA authenticates the individual or organization's identity that has applied for the code signing certificate and ensures that they will operate in good faith. The vetting process differs for an individual and an organization.
3) Install the Code Signing Certificate Here the user installs the code signing certificate to the platform they are using.
4) Start signing executables and scripts The signing process requires adding a digital signature, and every platform has a different way to handle this process. For example, we have code that needs to be signed, that code will be converted to a hashed code using a hash function. Then it will be encrypted using a private key, and a timestamp will be attached with the code to reach the final stage of signing.
5) Distribute the signed software Once we conclude the signing of the code, we can distribute it. Once a user runs the code, it will display our signature, and if it's hashed, it will display our identity and indicate whether the code is authentic.
BENEFITS OF CODE SIGNING
A few benefits of code signing are:
1. Authentication Once the software code is signed using code signing, it has an authentication stamp displaying the creator's details and assuring that it is authentic, proving that the creator's content can be trusted. Code signing maintains the software's integrity.
2. Elimination of pop-up errors The browser identifies a software lacking a proper code signing certificate, and as a result, the browser warns the user with the help of pop-up alerts. This impacts the user experience and also adversely affects their trust from using software available on the internet.
3. Security Man in the middle(MITM) attacks are prevalent over the internet. Code signing prevents MITM attack as signed software cannot be tampered with or intercepted by an attacker. Code signing reduces security flaws that could otherwise leave the code vulnerable to MITM attacks.
4. Trust Code signing helps an organization build a strong relationship with their clients by securing the customers against modified or corrupted code.
BEST CODE SIGNING CERTIFICATE AUTHORITIES
Some of the most popular code signing certificate authorities are:-
1. Sectigo Code Signing https://www.ssldragon.com/product/sectigo-code-signing-ssl/ Sectigo is one of the cheapest but the only certificate to secure individually coded software. Also, it is used for business validation.
2. GoGetSSL Code Signing https://www.ssldragon.com/product/gogetssl-code-signing-ssl/ GoGetSSL is one of the newest and most affordable SSL Certificates which are easily issued.
3. DigiCert Code Signing https://www.ssldragon.com/product/digicert-code-signing-ssl/ DigiCert is one of the most popular and trusted internet security brands with a quick and smooth validation process.
4. DigiCert Code Signing with EV https://www.ssldragon.com/product/digicert-code-signing-ssl-ev/ DigiCert with EV is arguably the best code signing certificate authority, which has retained customers' trust and has obtained recognition from various existing and potential customers.
SECURITY CONSIDERATIONS FOR CODE SIGNING
Since there is a human factor involved with handling the private keys, code signing may not be immune to tampering, misuse, or malicious intent. Following these security considerations will make the process of code signing more effective.
1. Control access to keys To keep the private keys safe from misuse by a hacker, we must grant role-based access for the keys. Physical security controls can also be used to reduce access to keys.
2. Protect private keys with cryptographic hardware solutions To maximize private keys' security and promote their integrity, store them using secure vaults or hardware security modules(HSM). This adds an extra layer of security for their storage. Cryptographic hardware doesn't export private keys to a destination where it could be attacked. During the transfer of private keys, ensure that the cryptographic hardware is protected with a randomly generated password.
3. Use test signing certificates Use self-signed certificates or certificates issued by an internal Certificate Authority to sign pre-release code.
4. Exercise caution Users should be aware and should not be installing software when the browser warns them through security alerts or pop-ups. Otherwise, the security provided by code signing will not be effective.
5. Always timestamp code If the code is timestamped, it can be verified even after the certificate has been expired or revoked. Timestamp certificates are issued for a maximum validity period of 135 months and support signed software validation for up to 11 years.
6. Understand the difference between a test signing certificate and a release signing certificate Test signing certificates are only trusted within the test environment and sign pre-release builds of software. Moreover, a test signing certificate can be self-signed or signed by a trusted internal CA of the corporate network. It requires less security access controls than release signing certificates. Release signing certificates are used to sign production code that is shipped to end-users across the globe. These users trust the root certificate that is used to sign the publicly released build.
7. Authenticate code to be signed A proper code signing submission and approval process must be set up to prevent the signing of unapproved or malicious code. Every code submitted for signing should be accurately authenticated before it has been signed and released for the users.
8. Virus scan code before signing The person who is signing the code must ensure the safety and the quality of the code as code signing confirms the publisher's identity and whether it has been tampered with. If the code is incorporating resources from other sources, then the code must be thoroughly scanned. Virus scanning must be implemented before code signing takes place.
9. Avoid overuse of any one key When code with security flaws is found, then the publishers prompt a User Access Control dialogue box, which appears when the code is installed in the future. It is done by revoking the code signing certificate. If the code with security flaws was issued before good code, then revocation of the certificate will affect the good code. Hence, changing the keys and certificates more often will help to avoid such a conflict in the future.
10. Revoking compromised certificates The certificate authority should be aware of a key compromise or signed malware because the code signing certificate has to be revoked. If the signed code has been timestamped, then the revocation date will not affect the code signed before it.
11. Integrate with DevOps To avoid security gaps, the developers must be able to sign any code from anywhere without disruption. Code signing is a mutual responsibility of the security and development teams to protect keys without disrupting the SDLC. Code signing processes should be integrated with existing developer tools and workflows for flawless functioning.
12. Ensure policies and practices Hackers do not need to steal the keys to access code signing infrastructure; they can simply submit malware code to be signed and then distribute it without being detected. Only by enforcing proper access controls and signing policies we can ensure the safety of our code-signing infrastructure.
13. Continuously monitor and audit signed code We can only stay ahead of the threats by continuously monitoring the status of code signing certificates, the strength of algorithms used, and all the code signing activities for incident-response purposes.
This article offers wholesome knowledge about code signing and is an ultimate guide for looking to deep dive into the topic. Security recommendations for code signing are a must that owners of a code signing certificate should be aware of.
- https://aboutssl.org/what-is-code-signing-certificate/ (Image 1)