Follow Code Signing Best Practices & Overcome Security Challenges Faced by Software Developers & Publishers
We live in an era where software surrounds everyone. Whether you’re at home, your workplace, in the car, or virtually anywhere –software somewhere connects everything, running millions of lines of code.
Being a software publisher or a developer, you know that code signing is a best practice pushed by the internet heavily, for ensuring that users can verify the source or publisher of the software, and confirm that the signed software hasn’t been altered since its signing.
But you’re already aware that signing code is essential. You’re also aware that your code signing certificate must be from a trusted certificate authority (CA) such as Sectigo. You also know about the validation and issuance process. And you know that when code signing is done properly with all the protection, it can be one of the most potent cyber-security weapons at the industry’s disposal for mitigating risks while protecting trust and integrity.
Code signing your apps and other executable files are not enough, though, you must also take on the responsibility of protecting your cryptographic keys and certificates. If your keys aren’t protected, then you may run into more risk compared to not code signing your apps and files at all, mainly because you can create an easy target for malicious actors. Digital certificates and their private keys that are not secured are often compromised and used to sign and distribute signed malicious code disguised as legit software or firmware.
Such issues can be avoided with proper protection of the private key of a code signing certificate. In case the private key gets compromised or lost for any reason, a code signing certificate will lose its trust and value while exposing your customers to security threats. To overcome such issues, certain code signing practices must be implemented.
Here Are the Top 10 Code Signing Best Practices We Would Recommend
Below are some of the practices we recommend for implementing code signing securely:
1. Minimizing & Controlling Your Private Key Access:
The private key of a code signing certificate being compromised, lost, or exfiltrated is one of the most significant security threats. It’s quite alluring to hackers due to freedom it gives to malicious actors for signing any code, anywhere. Also, it’s been found that code signing certificates with their compromised private keys are offered for sale on the dark web, priced higher than passports or guns, giving a clear indication of how much demand there is for code signing certificates for illicit use. To avoid losing a private key, some of the code signing best practices you can follow are:
- Allowing the minimum number of computers possible to access private keys.
- Access to private keys must be minimized by giving rights to only authorized personnel.
- Physical security controls must be used to reduce access to private keys.
2. Using Cryptographic Hardware Solutions for Protecting Private Keys
It’s recommended to use cryptographic hardware products that:
- Don’t allow the export of private key to software, ultimately preventing the private key from being attacked.
- Make use of FIPS 140 Level-2 certified product (if possible, go for better).
Tip: Choose an EV Code Signing Certificate provided by a trusted certificate authority like Sectigo, which generates and provides the private key already on a hardware token.
3. Time Stamping Your Code While Signing
A timestamp is a small piece of data included with your signature whenever you sign your executable or other files using a code signing certificate. The time stamp process uses a timestamp server (provided by the CA) to record when the software was signed. So, whenever the client sees your signature with the timestamp, it gives assurance that the certificate was valid at the time signing the code.
In other words, it’s seen as one of a code signing best practice to timestamp, because it lets you verify your code even after the certificate is expired or revoked.
4. Test Signing vs. Release Signing – Know the Difference Between the Two
Be sure which signing certificate you’re using and keep them separate. Because there’s a difference which you must be aware of. Test Signing and Release Signing for code signing best practices are:
- Test signing doesn’t require rigorous security standards as a production code signing certificate does.
- Test-signing typically uses a self-signed certificate that can be from internal test CA, not the root used by the production signing certificates. So, this helps ensure that test certificates are only trusted within the expected test environment.
- You must ensure that internal testing signatures don’t get confused with the release signatures.
- Test code signing infrastructure must be made separately for test-signing pre-release software.
- Test signing is mainly used for the development process. Moreover, specific Windows versions of 64-bit allow test-signed drivers. Whereas release signing is used for production release, and it requires you to purchase a code signing certificate from a respected certificate authority such as Comodo. That’s required so that your release software can be installed on any Windows version without prohibitions.
5. Authenticating Code Before You Sign It
Code authentication has to take place within the actual development cycle. You need to confirm that your software, executables and other files are ready to be signed before signing them. Code signing best practices to follow for authenticating code you’re signing are:
- Before you sign and release your software, executables, or other files with the key, they need to be fully authenticated.
- Implement a separate process for code signing submission and approval to avoid the signing of malicious, unreliable, or unapproved code.
- All code signing activities must be logged for incident response and auditing purposes.
6. Scan Your Code for Viruses Before Signing It
It’s no brainer, but still, we’re mentioning it explicitly. Code signing is not responsible for confirming the safety or quality of your software, executables, or other files you sign. It merely confirms the publisher’s name and whether the code has been altered since its signing. Furthermore, if your code signing certificate is used to sign any infected code and it ends up on a user’s computer or device, you’re in for a bad fallout—this will cause the revocation of your code signing certificate along with hard time for you to get another one because of the validation requirements. So, it’s recommended to follow certain code signing practices before you sign your software:
- Performing full code review to ensure all lines of code have been checked and confirmed.
- Ensuring full QA testing to avoid code which could cause unforeseen bugs or problems.
- Doing proper virus-scanning, which helps you double-check the safety of your released code.
- Whenever you integrate your code or software with other sources, it’s expected you take proper care of it.
7. Avoid Overusing One Private Key for Signing
Whenever you sign any software or files, there’s always a small percentage of certainty that something can go south. No doubt, today’s modern cryptography is quite challenging to break, but still, risk is involved. For example, the loss of private key can lead to revocation of your certificate, which invalidates your signatures. So, it’s best practice to take a diversified approach by not signing all your codes with one single key and certificate and change it once in a while to avoid this type of conflict.
8. Revoke Compromised Certificates:
It’s obvious that sometimes things don’t go well, and your code signing certificate has to be revoked. If that happens, then your digital signature will be invalidated (unless you’ve used timestamping). And a security prompt about the revoked certificate will occur whenever someone tries to use the signed software or file. To avoid these situations, some of the best practices for code signing you can follow are:
- Immediately notifying your CA if your signing certificate is compromised or any other issue arises like the loss of the private key.
9. Centralize Your Code Signing Management Throughout Your Organization
Due to today’s modern IT infrastructure with diverse offices and development teams, it’s an unfortunate fact that centralized management of code signing tools and keys is not on most company priority lists. However, it’s recommended to have central management of your signing certificates to reduce the risk by following good code signing practices that can pick out and address attacks in a short amount of time.
- You should centralize the management of your private key throughout your organization.
- Deploy certificate lifecycle management with the help of tools that allow you to manage specific tasks such as automatic certificate generation, renewal, and tracking of your code signing certificate’s expiry date.
10. Provide Agility & Flexibility Into Your Code Signing Environment:
- Apply secure code signing consistently on multiple types of files and platforms, which can be used across your organization and quickly change as per the requirement to reduce and manage the risk.
- Be flexible to quickly adapt to new cryptographic algorithms for supporting future requirements or any change due to security flaws discovered later on.
Many times, we take security measures for granted until the threat has been prevalent. And this is similar when it comes to the security of code signing. However, these are the top 10 code signing best practices we would recommend to you, which will prove beneficial for you as well as your customers.