Secure code signing best practices

Secure Code Signing Best Practices

Code signing is the process that enables developers to put their digital signatures on programs or applications to authenticate their identity while ensuring the integrity of the file. The code signing certificates, available in both Standard and Extended Validation forms, use public-key cryptography to embed a digital certificate into the source code of a software, update, or executable.

Although it is a fairly straightforward process, the Certificate Authority Security Council (CASC) encourages organizations and developers to follow the code signing best practices. These preventive measures ensure their programs and valuable data remain safe and secure.

What is the Importance of Code Signing?

The code signing process protects the end-user against malware. If a file is secure and signed, attackers will have a hard time taking its control and using it to bypass the system firewall. On the other hand, a corrupt program may take over the entire system while being disguised as a harmless file or a seemingly un-suspicious event, such as a Windows update.

If a program is embedded with a digital certificate authenticating its source, the users will easily ascertain if it is indeed safe or may contain malicious code. To put it simply, code signing reinforces the concept of trust between the developers and the end-users.

8 Code Signing Best Practices

Here are the most noteworthy best practices for code signing that all developers must strive to implement.

Restrict Access to Private Key

The private key associated with the code signing certificate presents the biggest security threat. If this key is compromised in any way, the certificate loses its value, thus jeopardizing the program that one has developed and signed. It is also worth mentioning that there is a high demand for compromised private keys on the dark web, which means developers must take every measure to protect them.

The best way to secure private keys is by restricting access to them. Therefore, developers should limit connections to the computers with these keys and limit the number of users who can access the key. In addition, developers must employ physical security controls to ensure the keys remain safe and sound – which takes us to our next point.

Utilize Cryptographic Hardware Devices

Given the importance of code signing certificates, developers must use cryptographic hardware devices to ensure the safety of their private keys.

For the uninitiated, one of the best things about cryptographic hardware is that it does not allow the owner – or anyone else, for that matter – to export the code signing key to a destination where it may become compromised. Hence, please make sure to use at least a FIPS 140 Level-2 certified product to maintain your software’s integrity.

In addition, use a randomly generated password containing a combination of at least 16 uppercase and lowercase letters, numerical digits, and special characters to protect the cryptographic hardware.

Monitor the Status of Code Signing Certificates

We live in an era where everything is run by code, be it the smartphone in your hand or the smart navigation system in your car. As the technology continues to evolve, so does the malware that threatens to steal your private data or interfere with your security.

Therefore, it is highly recommended for developers to keep an eye on the status of their coding certificates to prevent malicious actors from posing a threat to the end-users. Auditing the usage of private keys and keeping an eye on the expiration date of code signing certificates will allow developers to stay on top of the code signing best practices.

Time-Stamp the Code

Time-stamp is a small piece of data used while code signing a program to verify the date and time someone signed it. It utilizes a time-stamping server provided by the certifying authority via a URL. This method lets the organization or developer verify their code even after the certificate expires or is revoked. Moreover, it reassures the end-user the certificate was valid at the time the developer signed the code.

Authenticate the Code

It is important to authenticate the code during the development cycle. Developers must also confirm that their programs and applications are secure and ready to be signed before attaching the digital certificates. According to the code signing best practices, one must fully authenticate the software or any file with a private key before signing and releasing it to the end-user.

Furthermore, it is extremely crucial to log and audit all signing activities.

Scan Code for Viruses

As a rule of thumb, developers must make sure to scan their code before signing it.

Even though code signing does not confirm the quality of the software, it confirms the publisher’s identity and notifies if the code has been changed or modified in any way since the signing. So, suppose a developer uses their code signing certificate to sign an infected program or malware. In that case, their certificate might get revoked, and they may have a hard time getting a new certificate. To avoid the fallout, programmers should take extra care to scan their executables and updates for viruses, perform a comprehensive review, ensure QA testing to identify bugs, and double-check the safety of the release code.

Do Not Overuse the Private Key

Distributing the risk with multiple certificates is yet another best practice for code signing that protects developers in situations when modern cryptography fails to keep their private key safe. Nevertheless, the most effective way to minimize the risk is by taking a diversified approach. Instead of signing all digital certificates with a single private key, developers must occasionally change it.

Revoke Compromised Certificates

Last but not least, developers must immediately notify their code singing authority if they believe their private key has been compromised or if someone has tried to access their signed software. The code signing certificates are revoked in such situations, which renders the digital signature invalid unless it is time-stamped.

Our Final Thoughts on Secure Code Signing Best Practices

Contact us for solutions and services related to Secure Code Signing Best Practices. Further blogs within this Secure Code Signing Best Practices category.