When distributing code, apps or firmware updates, it is now almost universally required that they be securely signed. Code signing gives the receiving party the ability to validate the authenticity and provenance of the code and its creator.
How to sign code typically depends on two things:
Ideally, any keys used for code signing are well guarded against misuse and theft from the moment they are generated and well beyond when they are retired. Also, deciding to release new software typically follows stringent processes of approvals. Why not tie that into the signing process as well?
For large business corporations and institutions, the code signing process must recognize the business rules, security policies and resilience expected with it - as signing the code is equivalent to securely tying your brand and reputation to the product.
Cryptomathic's Crypto Service Gateway (CSG) offers a code signing platform which allows businesses and their teams to address the above to an industrial-grade standard.
CSG provides the necessary secure workflows for controlling the code signing process. Once code is ready for signing, trusted actors can endorse that the code may be signed and propagated for release. Endorsements are time-limited and cryptographically tied to the code and key that should be used. With enough endorsements, the system will allow signing of the endorsed code (while also ensuring that it will refuse to sign anything which has not been appropriately endorsed).
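The endorsement gate described above can be sketched as follows. This is an added example, not CSG code or its API: the names (`endorse`, `may_sign`, `ENDORSER_KEYS`, `THRESHOLD`) are hypothetical, and a per-endorser HMAC secret stands in for whatever credential a real deployment would give each trusted actor.

```python
import hashlib
import hmac

# Constructed demo secrets: stand-ins for each endorser's own credential.
ENDORSER_KEYS = {"alice": b"demo-key-a", "bob": b"demo-key-b", "carol": b"demo-key-c"}
THRESHOLD = 2  # hypothetical policy: two distinct endorsers required


def _binding(code: bytes, key_id: str, expires: int) -> bytes:
    """Bytes an endorsement covers: code digest, signing key id, expiry."""
    digest = hashlib.sha256(code).hexdigest()
    return f"{digest}|{key_id}|{expires}".encode()


def endorse(endorser: str, code: bytes, key_id: str, expires: int) -> dict:
    """Issue an endorsement for exactly this code, key and expiry time."""
    tag = hmac.new(ENDORSER_KEYS[endorser], _binding(code, key_id, expires),
                   hashlib.sha256).hexdigest()
    return {"endorser": endorser, "expires": expires, "tag": tag}


def may_sign(code: bytes, key_id: str, endorsements: list, now: int) -> bool:
    """True only if enough distinct, unexpired endorsements match code and key."""
    valid = set()
    for e in endorsements:
        key = ENDORSER_KEYS.get(e.get("endorser"))
        if key is None or not isinstance(e.get("expires"), int) or e["expires"] <= now:
            continue  # unknown endorser, or the endorsement has expired
        expected = hmac.new(key, _binding(code, key_id, e["expires"]),
                            hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected.encode(), str(e.get("tag", "")).encode()):
            valid.add(e["endorser"])  # a set, so repeats from one person count once
    return len(valid) >= THRESHOLD


if __name__ == "__main__":
    release = b"firmware v1 (constructed sample)"
    ends = [endorse("alice", release, "release-key", 2000),
            endorse("bob", release, "release-key", 2000)]
    print(may_sign(release, "release-key", ends, now=1000))         # endorsed code
    print(may_sign(release + b"!", "release-key", ends, now=1000))  # altered code
    print(may_sign(release, "release-key", ends, now=3000))         # after expiry
```

Because the expiry is part of the bytes each endorsement covers, extending an endorsement's lifetime by editing its `expires` field invalidates the tag.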
Please consult the CSG pages for more general info on the product, and do not hesitate to contact us for a demo or discussion – we look forward to hearing from you!