Code Signing

What is a Code Signing Certificate?

In our software-driven world, trust is everything. But how do we know which software we can trust and which ones we shouldn’t? We have code signing to thank for that.

Code signing is how developers prove the authenticity of a piece of software and guarantee that it comes from a legitimate source and hasn’t been tampered with. Code signing relies on cryptography and, more specifically, what’s known as a code signing certificate.

This article will explore everything you need to know about the all-important code signing certificate, including answering critical questions like:

  • What is a code signing certificate?
  • How does a code signing certificate work?
  • Why do we need code signing certificates?
  • What are the potential vulnerabilities of code signing certificates?
  • What are top tools for managing a code signing certificate?
  • What are best practices for security teams to maintain code signing certificates?

What is a Code Signing Certificate?

A code signing certificate is a special class of digital certificate that identifies an organization. To fully understand what a code signing certificate is, it’s important to first clarify how certificates more generally work.

Certificates are an important building block of public key infrastructure (PKI). They are based on asymmetric cryptography and can be used to verify authenticity. Specifically, the certificate is based on the private key of a public-private cryptographic key pair.

Issuing a signature with a certificate serves as a form of authentication and protects against tampering. Anyone who has the corresponding public key can:

  1. verify that the signature comes from who it’s supposed to come from and
  2. confirm that nothing in the package (be that code, a document, or anything else) has changed since the signature was issued.

This brings us back to the code signing certificate, which is a special type of certificate used by developers to sign applications and software. The code signing certificate details the identity of the organization issuing the software and allows any end user of the software to verify its legitimacy by:

  1. confirming the company that developed the software and
  2. ensuring the software has not been tampered with since the company shipped it.

How Does a Code Signing Certificate Work?

A code signing certificate is issued by a trusted Certificate Authority (CA) specifically for the purpose of developers signing code. Once developers have a valid code signing certificate, they can use it to sign any code they are shipping live to production. This signature includes all of the information contained in the certificate (such as company name, location, and more — think of it like a driver’s license for the digital world) as well as a timestamp for when the code was signed with the certificate.

Notably, most browsers and devices will issue a security warning if users try to download or install software that does not have a signature from a code signing certificate issued by a trusted CA.

The typical use cases for a code signing certificate include:

  • ensuring the integrity of IoT devices
  • submitting new mobile apps to a software publisher (i.e., Microsoft, Google, and Apple all require apps to be signed before they can be listed on their app stores)
  • issuing software for installation publicly
  • developing enterprise IT software programs for internal use (that way employees know they can trust the application)

Many organizations use an enterprise PKI program to manage their code signing activities along with their SSL certificates. In addition to simplifying the code signing process for developers, this management is especially important as companies must safeguard their code signing certificates the same way they would with any other private security element.

If a code signing certificate falls into the wrong hands, that means malicious parties can issue software that appears to be legitimate. As a result, any compromise to a code signing certificate must be reported as part of a certificate revocation list (CRL), which will invalidate anything signed with that certificate. This situation makes it essential for organizations to manage and protect their code signing certificates through a centralized PKI program.

Why Do We Need Code Signing Certificates?

At this point, all of the popular app stores, operating systems and so on require software to be signed with a code signing certificate. But why is this the case? Why exactly are code signing certificates so important?

The code signing certificate is so important for three main reasons:

  1. Protects against attempts from third parties to alter any code
  2. Lets users know they can trust the software with their information
  3. Creates a chain of trust for a smooth user experience

1) Protects against altered code

First, once software gets signed with a code signing certificate, it means that any version of the software that has that signature has not been altered by a third party.

Confirming that a body of work has not been altered in transit is an important function of any cryptographic certificate, and that’s especially the case for code signing certificates. That’s because any alterations to the software code could indicate the presence of malicious activity. The signed code means that what end users see and experience is exactly what the software creator intended.

2) Lets users know they can trust the software

Along the same lines, software that’s signed with a code signing certificate is a symbol of trust for end users.

This trust is important, because many software requires users to input sensitive information to take full advantage of the system. If users are unsure if they can trust the software, they may feel uncomfortable putting in those details, rendering the software significantly less powerful. While this trust has always been important, it’s particularly the case in our digital world in which everything gets consumed online versus users going to a store and buying software.

3) Creates a chain of trust

Lastly, using a code signing certificate creates a chain of trust that allows for a smooth user experience by avoiding any potential security warnings.

That’s because the signed code not only creates trust among users, but also among any browser or operating system running the software. This means the system can easily validate the authenticity of the software and help users understand they can trust it. One example of this is that any software that’s properly signed will have a smooth download process free of security warnings that may create potential red flags for users — even if they are completely legitimate.

What are the Potential Vulnerabilities of Code Signing Certificates?

For all the value that a code signing certificate offers, it does have potential areas of vulnerability that any organization needs to consider. The biggest areas of vulnerability for code signing certificates include:

  • Key theft: The private keys linked to code signing certificates are one of the biggest steals a hacker can make, as getting their hands on this part of the code signing certificate means they can create new software that appears to be legitimate and from a reputable source.
  • Signing breach: Hackers can get malicious code signed even without access to the appropriate private keys if they can get into a developer workstation that has open access to the code signing certificate. Once that happens, they can simply submit their software for signature and release.
  • Internal misuse: Human error is always a security risk, and it’s no different when it comes to code signing certificates. If a developer has open access to the corresponding code signing key and accidentally misuses or misplaces it, they can create an opening for hackers to infiltrate operations.

Recognizing and understanding these vulnerabilities is the first step in addressing them. From there, you can take action to protect against these vulnerabilities, including:

Balancing developer access

Developer access to code signing certificates is tricky — if you give too much access, the process becomes vulnerable to attack, but if you give too little access, it creates friction in the development process and teams are likely to circumvent security policies. Getting this balance right requires:

  • Comprehensive protection for private code signing keys so they remain in a secure location and can only be accessed by restricted users
  • Controlled access to private code signing keys that eliminate the need for developers to handle or store them
  • Automated workflows that allow for different permissions based on roles to increase security and create a smooth, yet consistent process

Increasing visibility and control for security teams

Security teams also play an important role in protecting the code signing certificate, and one common challenge to doing so is a lack of visibility into and control over signing processes. Introducing technology that can centralize visibility and control to make it easy for the security team to audit everything can go a long way toward easing this challenge. Specifically, it can help:

  • Track and monitor code signing activities
  • Create an audit log for code signing certificates and signing attempts
  • Centralize and standardize policies for who can sign code

What are Top Tools for Managing a Code Signing Certificate?

From securely managing the code signing process to helping development teams generate signatures, there are a variety of tools teams can use to manage a code signing certificate and everything that comes along with it. Here’s a look at a few of the top solutions:

  • Keyfactor Code Assure: Allows developers to sign code from anywhere while protecting private encryption keys.
  • PrimeKey SignServer: Offers PKI-based signing for documents, PDFs, and code, with versions for open-source, enterprise, and cloud.
  • SignTool: Offers command-line code signing as part of Microsoft’s Windows software development kit.
  • Jarsigner: Allows for code signing and signature verification for Java Archive (JAR) files.
  • Docker trust sign: Allows developers to sign Docker images and enables tags to be digitally signed to create signed repositories.
  • APK signer: Enables signature generation and verification for Android devices.
  • iOS App Signer: Allows iOS apps to be signed and bundled to run on iOS devices.
  • Garasign: Offers rapid code signing for enterprise applications and protection for private encryption keys.
  • SignPath: Allows for on-premise or service-based code signing, with integration into the CI/CD pipeline.
  • Unbound Key Control: Offers software-based code signing, with integration into DevSecOps processes.

What are Best Practices for Security Teams to Maintain Code Signing Certificates?

Of course having the right technology in place is only one piece of the equation. Security teams must also introduce best practices to properly protect and maintain code signing certificates. With that in mind, here’s a look at what it takes.

Properly protect private code signing keys

Given the importance of private code signing keys to maintaining the integrity of the entire code signing process, one of the most critical steps teams can take is to properly protect these keys.

Doing so requires security teams to have the appropriate visibility to understand the code signing certificates and associated private keys that live within their organization and centralize management for all of those elements. Additionally, it’s important to store those keys in a certified hardware security module.

Develop consistent and secure signing processes

The code signing process itself can create an area of vulnerability that hackers can infiltrate, making it critical for security teams to develop consistent and secure operations. Best practices for doing so include:

  • establishing clear roles in the signing process to ensure only authorized users can use a code signing certificate
  • limiting code signing activities based on windows of time
  • tracking all code signing activities to ensure the policies are executed as intended

Tracking activities in real-time also gives security teams visibility to quickly identify and react to anything unusual that may happen.

Integrate into development processes

The best way to ensure developers don’t circumvent security policies or accidently open them up to risk is to integrate code signing activities into their existing DevOps processes. This should include integrating any signing tools with DevOps tools, enabling remote signing capabilities for distributed teams, and introducing checks and verifications that must happen before any code signing takes place.

Evaluate and evolve best practices

Finally, introducing security around code signing certificates should not be a one-time exercise. It’s something the security team needs to regularly evaluate and evolve as both team needs and the external threat landscape change.

This should include keeping close tabs on all code signing activities, auditing all key usage, and covering code signing certificates in any broader PKI certificate management activities. These ongoing efforts can not only help security teams spot threats earlier on, but it can also ensure all of the controls put in place to protect a code signing certificate get properly maintained over time.

Sami VanVliet

Principal Product Manager