Code signing is the process of getting your software and other executables signed with a certificate from a trusted certificate authority. Signing your code helps verify its integrity: the signature acts like a seal that guarantees the code has not been tampered with or altered after it was signed.

This process is quite straightforward, but there are certain issues with code signing. Sometimes, attackers steal private keys and jeopardize the code or software you already signed. So it is crucial to take certain measures to keep private keys safe.

In this article, we have listed the seven best code signing practices. If you already have a code signing certificate, we believe these best practices will help you secure your private keys and help you securely sign your code. If you do not have a code signing certificate, you can get a code signing certificate from a trusted certificate authority like DigiCert, Comodo, or Sectigo.

Top 7 Code Signing Best Practices

1. Access to Private Keys

It is important to give access to private keys only to authorized personnel. The loss or compromise of a code signing certificate’s private key is one of the most critical security threats. Hackers who steal private keys can sign any code with them. They also sell the keys on the dark web for a huge profit. The best way to keep your private keys safe and prevent their illicit use is to control access to them. Give access only to specific people, and consider physical security solutions to minimize access to the keys. Likewise, make sure only certain computers can access private keys.

2. Secure the Key Storage Device

Employees might use certain devices to store the private keys. Make sure those devices are not left outside where others can pick them up and copy the contents stored in the device, including the private keys of a code signing certificate. It is important to keep the device in a locked drawer to make sure the private keys are secure.

3. Use Strong Passwords

Protect your private keys with strong 16-character passwords when you transport them. The password you use to secure the cryptographic hardware has to be generated randomly and must combine numbers, special characters, and upper and lower case letters to make it hard to crack. Malicious actors can easily crack passwords that include names, locations, birthdays, etc.

4. Use Cryptographic Hardware

One of the best ways to protect your private keys is by using cryptographic hardware. Cryptographic hardware uses the latest encryption algorithms to protect private keys and ensures that no third party can get their hands on them. You can use a FIPS 140 Level 2-certified product to keep your private keys secure. Such a device will not allow the private keys to be exported and will require multi-factor authentication.

5. Code Authentication

Code authentication has to be made a part of the actual development cycle and the code must be authenticated before it is released. Fully authenticate your executables, software, etc., before you sign them. To prevent signing malicious or unapproved code, set up a separate process for approving the code and signing it. This process will help confirm that your files or software are ready to be signed.

6. Scan Your Code

Though code signing states who wrote the code and when it was published, it does not ascertain that the code is safe. If you accidentally use your code signing certificate to sign infected code, you might get into trouble, as the infected software or download will harm the user’s device. This could result in the revocation of your code signing certificate, and due to strict validation requirements, you might find it hard to get a new one.

To prevent all this from happening, perform full QA testing to make sure there are no issues or bugs. Likewise, a code review will help ensure that the code is thoroughly checked. You can scan your code for viruses to verify its safety before signing it.
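Practices 5 and 6 can be enforced as a gate that runs before the signing key is ever touched. The sketch below is an added example, not code from any vendor or from this article's author; the approval ledger, the names in it and the sample build bytes are constructed assumptions.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    sha256: str       # digest of the exact build that was reviewed
    approver: str     # who approved it
    scan_clean: bool  # result of the malware scan on that build


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def may_sign(artifact: bytes, requester: str,
             approvals: list[Approval]) -> tuple[bool, str]:
    """Decide whether a signing request may proceed."""
    digest = sha256_hex(artifact)
    # Approval is bound to the bytes, not the file name: any change
    # after review produces a different digest and is refused.
    matching = [a for a in approvals if a.sha256 == digest]
    if not matching:
        return False, "no approval for this exact build"
    # Approving and signing are separate duties (practice 5).
    if not any(a.approver != requester for a in matching):
        return False, "approver and requester are the same person"
    # Never sign a build whose scan failed or is missing (practice 6).
    if not all(a.scan_clean for a in matching):
        return False, "malware scan not clean"
    return True, "ok"


# Constructed sample data.
APPROVED_BUILD = b"installer v1.0 (constructed sample bytes)"
TAMPERED_BUILD = APPROVED_BUILD + b"\x90"
LEDGER = [Approval(sha256_hex(APPROVED_BUILD), "alice", True)]

if __name__ == "__main__":
    for label, blob, who in [("approved build, bob", APPROVED_BUILD, "bob"),
                             ("tampered build, bob", TAMPERED_BUILD, "bob"),
                             ("approved build, alice", APPROVED_BUILD, "alice")]:
        print(label, "->", may_sign(blob, who, LEDGER))
```

Only when the gate returns True should the request be passed on to the machine or hardware device that holds the private key.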

7. Revoke Compromised Code Signing Certificates

If you notice that your private keys have been compromised, report it immediately to the certificate authority. If your code signing certificate was used to sign malware or if the keys were compromised, it is important to ask the certificate authority to revoke the certificate. If you time-stamped the signed code, you can select a revocation date before the date of compromise to show that the code signed before the date of revocation of the certificate has not been impacted.
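The effect of the revocation date on already-shipped releases can be worked through with a small model. This is an added example, not code from the original article: it is a simplified model of a timestamp-aware verifier (chain and timestamp-authority checks are left out), and the release names and dates are constructed.

```python
from __future__ import annotations
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def still_trusted(timestamp: datetime | None,
                  revoked_at: datetime | None) -> bool:
    """Simplified verifier rule for one signature."""
    if revoked_at is None:
        return True               # certificate not revoked
    if timestamp is None:
        return False              # no proof of when it was signed
    return timestamp < revoked_at  # signed before the revocation date


def trusted_releases(releases, revoked_at):
    return [name for name, ts in releases if still_trusted(ts, revoked_at)]


# Constructed sample: the key is assumed to have been stolen on 2024-06-05.
RELEASES = [
    ("app-1.0", utc(2024, 1, 15)),
    ("app-1.1", utc(2024, 3, 20)),
    ("app-0.9-untimestamped", None),
    ("unauthorized-build", utc(2024, 6, 10)),  # signed with the stolen key
]

if __name__ == "__main__":
    # Revocation date just before the compromise: legitimate timestamped
    # releases survive, the unauthorized build does not.
    print(trusted_releases(RELEASES, utc(2024, 6, 4)))
    # Revocation date set to the day the theft was discovered: the
    # unauthorized build is still accepted.
    print(trusted_releases(RELEASES, utc(2024, 6, 20)))
```

The untimestamped release loses trust under either revocation date, which is why time-stamping every signature matters before an incident, not after.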

The Final Word

Code signing is the best way to secure your code as it guarantees users that the integrity of the code they downloaded is intact and has not been tampered with. To boost the security of your organization, follow the above-mentioned best practices for signing code.


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.