10 Code Signing Best Practices You Should Follow
Follow Code Signing Best Practices & Overcome Security Challenges Faced by Software Developers & Publishers
We live in an era where software surrounds everyone. Whether you’re at home, at your workplace, in the car, or virtually anywhere, software somewhere connects everything, running millions of lines of code.
As a software publisher or developer, you know that code signing is a widely promoted best practice: it lets users verify the source or publisher of the software and confirm that the signed software hasn’t been altered since it was signed.
But you’re already aware that signing code is essential. You’re also aware that your code signing certificate must be from a trusted certificate authority (CA) such as Sectigo. You also know about the validation and issuance process. And you know that when code signing is done properly, with the proper protections in place, it can be one of the most potent cyber-security weapons at the industry’s disposal for mitigating risks while protecting trust and integrity.
Code signing your apps and other executable files is not enough, though. You must also take on the responsibility of protecting your cryptographic keys and certificates. If your keys aren’t protected, you may face more risk than if you had not signed your apps and files at all, mainly because you create an easy target for malicious actors. Digital certificates and private keys that are not secured are often compromised and used to sign and distribute malicious code disguised as legitimate software or firmware.
Such issues can be avoided by properly protecting the private key of a code signing certificate. If the private key is compromised or lost for any reason, the code signing certificate loses its trust and value and exposes your customers to security threats. To overcome such issues, certain code signing practices must be implemented.
Here Are the Top 10 Code Signing Best Practices We Would Recommend
1. Minimizing & Controlling Your Private Key Access:
A compromised, lost, or exfiltrated private key of a code signing certificate is one of the most significant security threats. The key is alluring to hackers because of the freedom it gives malicious actors to sign any code, anywhere. It has also been found that code signing certificates with compromised private keys are offered for sale on the dark web, priced higher than passports or guns, a clear indication of how much demand there is for code signing certificates for illicit use. To avoid losing a private key, some of the code signing best practices you can follow are:
- Allow the minimum number of computers possible to access private keys.
- Access to private keys must be minimized by giving rights only to authorized personnel.
- Physical security controls must be used to reduce access to private keys.
2. Using Cryptographic Hardware Solutions for Protecting Private Keys
It’s recommended to use cryptographic hardware products that:
- Don’t allow the private key to be exported to software, which ultimately prevents the private key from being attacked.
- Are FIPS 140 Level-2 certified (or better, if possible).
3. Time Stamping Your Code While Signing
A timestamp is a small piece of data included with your signature whenever you sign your executable or other files using a code signing certificate. The timestamping process uses a timestamp server (provided by the CA) to record when the software was signed. So, whenever the client sees your signature with the timestamp, it gives assurance that the certificate was valid at the time the code was signed.
In other words, timestamping is considered a code signing best practice because it lets you verify your code even after the certificate has expired or been revoked.
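The effect of a timestamp on verification, as an added example that is not from the original article. It is a simplified policy model, not any platform's exact rules; the function name, dates, and revocation handling are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample values: a one-year certificate, code signed mid-term,
# and a verifier checking the signature long after the certificate expired.
NOT_BEFORE, NOT_AFTER = utc(2022, 1, 1), utc(2023, 1, 1)
SIGNED, NOW = utc(2022, 6, 1), utc(2024, 3, 1)

def signature_status(not_before, not_after, now, timestamp=None, revoked_at=None):
    """Return (accepted, reason) for a signature whose hash already verified.

    Assumed policy: with a trusted timestamp the certificate is judged at
    signing time; without one it is judged at verification time (now).
    """
    if timestamp is not None and timestamp > now:
        return (False, "timestamp is in the future")
    # The moment at which the certificate must have been good.
    reference = timestamp if timestamp is not None else now
    if not (not_before <= reference <= not_after):
        return (False, "certificate not valid at reference time")
    # A revocation date at or before the reference time (for example, one
    # backdated to the day the key was compromised) invalidates the signature.
    if revoked_at is not None and revoked_at <= reference:
        return (False, "certificate revoked at reference time")
    return (True, "ok")

if __name__ == "__main__":
    cases = {
        "no timestamp, cert expired": dict(),
        "timestamped, cert expired": dict(timestamp=SIGNED),
        "timestamped, revoked later": dict(timestamp=SIGNED, revoked_at=utc(2022, 9, 1)),
        "timestamped, revoked earlier": dict(timestamp=SIGNED, revoked_at=utc(2022, 5, 1)),
    }
    for name, kwargs in cases.items():
        print(name, "->", signature_status(NOT_BEFORE, NOT_AFTER, NOW, **kwargs))
```
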
4. Test Signing vs. Release Signing – Know the Difference Between the Two
Know which signing certificate you’re using, and keep test and release certificates separate, because there is a difference you must be aware of. The code signing best practices for test signing and release signing are:
- Test signing doesn’t require the rigorous security standards that a production code signing certificate does.
- Test signing typically uses a self-signed certificate, which can come from an internal test CA, not the root used by the production signing certificates. This helps ensure that test certificates are only trusted within the expected test environment.
- You must ensure that internal testing signatures don’t get confused with the release signatures.
- A separate test code signing infrastructure must be set up for test-signing pre-release software.
- Test signing is mainly used during the development process. Moreover, specific 64-bit versions of Windows allow test-signed drivers. Release signing, by contrast, is used for production releases, and it requires you to purchase a code signing certificate from a respected certificate authority such as Comodo, so that your release software can be installed on any Windows version without restrictions.
5. Authenticating Code Before You Sign It
Code authentication has to take place within the actual development cycle. You need to confirm that your software, executables and other files are ready to be signed before signing them. Code signing best practices to follow for authenticating code you’re signing are:
- Before you sign and release your software, executables, or other files with the key, they need to be fully authenticated.
- Implement a separate process for code signing submission and approval to avoid the signing of malicious, unreliable, or unapproved code.
- All code signing activities must be logged for incident response and auditing purposes.
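One way to combine the separate approval step and the audit logging listed above, as an added example that is not from the original article. The class, method, and user names are hypothetical, the artifact bytes are constructed, and the actual signing call (for instance to an HSM) is left out.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class SigningGate:
    """Hypothetical approval gate in front of a signing service."""

    def __init__(self):
        self.approvals = {}  # artifact digest -> (submitter, approver)
        self.log = []        # audit entries, each chained to the previous one

    def _audit(self, event, **fields):
        # Each entry commits to the previous entry's hash, so editing or
        # deleting an earlier record is detectable. A real log would also
        # record the time; it is omitted here to keep the output deterministic.
        prev = self.log[-1]["entry_hash"] if self.log else "0" * 64
        body = {"seq": len(self.log), "event": event, "prev": prev, **fields}
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.log.append(body)

    def approve(self, artifact: bytes, submitter: str, approver: str) -> bool:
        digest = sha256_hex(artifact)
        if approver == submitter:  # nobody approves their own submission
            self._audit("approval_refused", digest=digest, who=approver)
            return False
        self.approvals[digest] = (submitter, approver)
        self._audit("approved", digest=digest, submitter=submitter, approver=approver)
        return True

    def request_signing(self, artifact: bytes, requester: str) -> bool:
        # Approval is bound to the exact bytes: any change after review
        # produces a different digest and is denied.
        digest = sha256_hex(artifact)
        allowed = digest in self.approvals
        self._audit("sign_allowed" if allowed else "sign_denied",
                    digest=digest, requester=requester)
        return allowed  # the signing call itself would follow here

    def log_intact(self) -> bool:
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if entry["prev"] != prev or recomputed != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True
```
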
6. Scan Your Code for Viruses Before Signing It
- Performing a full code review to ensure all lines of code have been checked and confirmed.
- Ensuring full QA testing to avoid code which could cause unforeseen bugs or problems.
- Doing proper virus-scanning, which helps you double-check the safety of your released code.
- Whenever you integrate your code or software with other sources, it’s expected you take proper care of it.
7. Avoid Overusing One Private Key for Signing
8. Revoke Compromised Certificates:
- Immediately notifying your CA if your signing certificate is compromised or any other issue arises like the loss of the private key.
9. Centralize Your Code Signing Management Throughout Your Organization
- You should centralize the management of your private key throughout your organization.
- Deploy certificate lifecycle management with the help of tools that allow you to manage specific tasks such as automatic certificate generation, renewal, and tracking of your code signing certificate’s expiry date.
10. Build Agility & Flexibility Into Your Code Signing Environment:
- Apply secure code signing consistently across multiple types of files and platforms, in a way that can be used throughout your organization and changed quickly as requirements dictate, to reduce and manage risk.
- Be ready to adapt quickly to new cryptographic algorithms, whether to support future requirements or to respond to security flaws discovered later on.