What is a Code Signing Tool?
A digital signature is a cryptographic artifact that validates the authenticity and integrity of the signed data. Digital signature algorithms use a private key to generate signatures and a related public key to validate them. Only someone with knowledge of the private key can generate a digital signature, and anyone can validate its authenticity with the public key.
Digital signatures can be used to sign any type of data, and code signing tools use them to validate the integrity and authenticity of software. By shipping a digital signature alongside code, the creator allows users to validate that the code is authentic and has not been modified since the signature was generated. Code signatures are the basis for operating systems’ decisions regarding whether or not a particular program is “trusted”. On some platforms, software that doesn’t include a signature from a trusted public key can’t even run.
Code signing tools work similarly to document signing tools, but they serve different purposes. A document signing tool (like Docusign) uses digital signatures to ensure that all parties on a document have agreed to the terms and that the document hasn’t been modified since. A code signing tool uses digital signatures to prove that it was actually created by the alleged developer and hasn’t been modified since. One tool is mostly used on PDFs, while the other signs executable code.
Common Use Cases for Code Signing Tools
Secure code signing tools enable developers to append a digital signature to their code that provides a few different advantages. Some common use cases for code signatures include:
- Authenticating Code: A code signature validates that a piece of software was actually created by its alleged maker. This helps to protect against trojans and other malware that masquerades as legitimate software to gain access to a computer.
- Validating Software Integrity: A digital signature is only valid if the signed data has not been modified since the signature was generated. A code signature validates that the software has not been modified to include malicious or otherwise undesirable functionality.
- Protecting Against Supply Chain Attacks: Supply chain attacks like SolarWinds involve the modification of legitimate code to contain malware. Code signatures can make these attacks more difficult to perform since the attacker needs to have their malicious code signed to be trusted.
However, for these advantages to apply, the code signing process must be secure. If an attacker can gain access to signing keys or get their malicious code signed by an organization, then the malicious code looks legitimate to users.
This occurred in the SolarWinds case and underscores the need for signing keys to be strongly protected. At the same time, code signing tools must also offer rapid, frictionless signature generation to not impede DevOps processes.
The Top Code Signing Tools for 2021
A variety of different tools exist for code signing, and many are designed to address specific use cases, such as protecting JAR files or virtual machine images. These are the twelve most commonly used tools for generating code signatures.
Keyfactor Code Assure
Keyfactor Code Assure makes it possible for developers to sign code from anywhere while properly protecting sensitive encryption keys.
- Frictionless code signing without the need to manage sensitive keys
- Encryption keys protected in cryptographic hardware
- Single pane of glass visibility into all code signing activities
- Policy-based controls to block unauthorized workflows
- Support for code signing via APIs, console, or remote utilities
PrimeKey SignServer offers PKI-based signing for documents, PDFs, and code. They offer multiple versions including open-source, enterprise, and cloud.
- Open-source code signing tool
- Protection of signing keys in Hardware Security Module (HSM)
- Server-side code signing in appliance and cloud-based form factors
SignTool is a Microsoft code signing tool available on Windows.
- Available as part of the Windows SDK
- Offers command-line code signing
- Selects best certificate based on specified options
jarsigner is a code signing tool developed by Oracle to allow code signing and signature verification for Java Archive (JAR) files.
- Native signatures for JAR files
- Ability to run signed code on Android devices
Docker trust sign
Docker trust sign enables tags to be digitally signed to created signed repositories.
- Ability to sign Docker images
- Client-side or runtime verification of image integrity and authenticity
APK signer is available as part of Android SDK Build Tools and enables signature generation and verification for Android devices.
- Digital signatures for APKs
- Run trusted code on Android devices
iOS App Signer
iOS App Signer allows iOS apps to be signed and bundled into ipa files to run on iOS devices.
- Enables the creation of signed iOS apps
- Support for Mac or online signature generation
GaraSign is an enterprise code signing tool created by Garantir to offer rapid code signing while protecting sensitive encryption keys.
- Sensitive encryption keys are protected within an HSM
- Integration with common CI/CD pipeline software
- Client-side hashing improves network transport and signing speed
- Verifies hash authenticity by building repo code and comparing hashes
SignPath provides on-premise or service-based code signing solutions.
- Integration into CI/CD pipelines
- Security policy enforcement for automated code signing processes
- Offers origin verification for software artifacts
- Nested signing of all files within a package
Unbound Key Control is a software-based code signing solution created by Unbound Tech.
- HSM-level security for keys implemented in software
- Integration with DevSecOps processes
- Auditing tools for code signing actions
- Platform-agnostic solution for centralized code signing management