4 min read

Enterprise-grade code signing: Securing the Signing Process

Enterprise-grade code signing: Securing the Signing Process

This article outlines the importance of code signing and describes a centralized approach for securing and streamlining the code signing process through technical and procedural enhancements.

Unlike in the past when installing software from a disc was the norm, today most software, like Windows applications, enterprise and banking services, and of course mobile apps like Android and iOS apps, are distributed via downloads over the web. This of course does present a challenge in protecting the integrity of the code. When software is branded, packaged and sold through well-known retailers, users have a sense of security when purchasing it that its integrity is intact. But how can users be assured that the code they are downloading has not been altered from its original form? Or even more importantly, has the code been corrupted by malicious code that puts users’ systems are risk?

Your browser may warn you of possible dangers that could happen by downloading data, but it cannot tell whether the code is what it says it is. This is where the process of code signing comes in.

What is Code Signing?

Code signing is a process where executables and scripts (software or firmware) are digitally signed to confirm who is the author of the software. Code signing uses cryptographic hashing that can validate the authenticity and ensures the integrity of the code by verifying it has not been tampered with since being published.

Why Do We Sign Code?

Simply put, we sign code because we do not want to risk that our code will be damaged intentionally. We are extremely dependent on software. Therefore, software integrity is one of our top priorities. Damaged or “cracked” code can cause:

  1. Financial losses
  2. Human losses
  3. Political instability
  4. Reputation loss
  5. Large scale disasters

Examples of Code That is Usually Signed?

  1. Under MS Windows - Via software restriction policies, you can only run signed programs, only load signed libraries and only run signed PowerShell scripts. Unsigned code will just simply not run! If you have established other policies and do not give your user too many freedoms, code signing works perfectly.
  2. On mobile devices - As a rule, all software must be signed.
  3. OS Drivers - Basically all are signed on every platform.
  4. Java Virtual Machine - You can enforce code signature checking, e.g. applets must be signed.
  5. Open source archives and packages
  6. POS terminals and other highly secure devices - Only signed code is permitted to run.
  7. Medical and avionic device software are signed

On an industrial or mission-critical scale, there are various application scenarios, such as

  • e-Government
  • e-Banking
  • Internet of Things (IoT) manufacturing
  • Power plants

Securing the Code Signing Process

As code signing protects the authenticity and integrity of software, the code signing process itself needs to be secured to protect access to the signing key that is used. If the key were to become compromised and fall into the wrong hands, it could mean disaster for the software producer. A malicious actor could use the key and release code under the producer’s name or brand and cause serious reputational damage.

Some important aspects to secure the signing process include:

  • Protecting the most vital information - the private key (or keys) should be protected with dedicated hardware security modules HSM(s) to ensure that they can only be accessed by authorized users or systems.
  • The code signing process should be protected against the voluntary decision of a single person
  • Some level of quality and workflow enforcement should be built into the process to ensure that only approved code can be signed.

To summarize the requirements, the code must be signed by one particular key at a particular moment by an authorized person, in secure way. As a rule, this signing process must be “approved” somehow.

For signing code at enterprise-grade level security or above, using a Hardware Security Module (HSM) is the strongest way to protect key material. But the problem is that HSMs can be difficult to manage and, by themselves, don’t address the challenge of enforcing a secure signing process. To address these issues, Cryptomathic developed Crypto Service Gateway (CSG) to make it easier to both manage and use HSMs to deliver secure code signing services.

CSG Enforces the Secure Signing Process with “Endorsed Code Signing”

CSG is a cryptographic server platform, where all cryptographic operations and policy enforcement mechanisms are protected by the HSMs. Roughly speaking, CSG enforces crypto policies and executes the cryptographic commands issued by remote parties (users, applications, administrators). Some of these commands are “privileged”, some are not. The workflow described below to secure and streamline the code signing process is known as “endorsed code signing”.

With endorsed code signing, some commands cannot be executed immediately. They have to be confirmed by a specified number of authorized users (known as “endorsers”). For example, if a developer (working on some software) attempts to initiate the code signing operation, this command will not be executed immediately. This command will be postponed and queued; firstly, the authorized endorsers with approval authority will be notified about a signing attempt. Next, the endorsers can endorse the code or disapprove it. If code signing is approved or endorsed by the required set of endorsers, then the code signing command will be executed by CSG and signed by the private key, which is protected by the HSM. In other words, endorsed code signing requires that a quorum m-of-n authorized endorsers - distributed across multiple groups - must approve a code signing request before it is executed.

Such a solution provides a set of advantages:

  • Strong protection of the signing keys and application logic
  • Streamlined and secure workflows
  • Improved security, as many errors, including human error, can be avoided
  • Central management of the signing policies
  • Faster ramp up of any new application
  • Improved auditability through analysis features and logs on all signed code
  • Shorter recovery times in cases of system failures or breaches through automated routines

Conclusion

The world relies on software for business-critical systems as well as in most aspects of day-to-day life. It is therefore crucial that the code running in these systems can be relied upon. Secure code signing has become more important since the majority of applications are being downloaded or operated online as a service and updated/distributed digitally on a regular basis. Applications that contain sensitive data, commercial transactions or processes related to the safety of human lives require more than the typical off-the-shelf signing procedures. This article recommends secure signing approaches using HSMs to store the key material and enforcing secure processes to avoid erratic or malicious and unverified signing. Cryptomathic offers the Endorsed Code Signing approach using CSG, delivering a streamlined and strengthened secure system for code signing by enforcing a workflow that requires multi-party approval.

Solution brief - CSG Code Signing