Code Signing certificates are a must for code publishers. With so many digital programs available to download, protecting users from malware and viruses is a prerequisite for any successful IT company or independent developer. Code Signing certs prove the identity of software’s creators and ensure that no one can alter the original code without being noticed.
We have already written extensive guides on Code Signing certificates and how they work. In this article, we want to show you how to correctly implement them so that you follow the latest code signing and security practices.
Getting the Code Signing certificate
Code Signing certs follow the same cryptographic technology as regular SSL certificates. The entire trust process rets on PKI (Public Key Infrastructure). When you request a code signing cert from a Certificate Authority, you first generate the private and public keys. The CA uses the public key to verify your identity and affixes its own public key to the code signing certificate.
After the validation, you receive the code signing certificate and the encryption key pair. Before you can encrypt and sign your software, you must hash the software’s code. Hashing is the procedure of converting code into an arbitrary fixed value. The output of hashing, called a digest, is then encrypted using the private key. Next, you have to combine the digest with the code signing certificate and the hash function to create a signature block that goes into the software.
Private Key – the most important element
To ensure that your code signing certificate works and protects the software, you must store your private key in a safe location. If someone unauthorized gains access to your private key, your software becomes compromised. Many companies keep the private key on physical devices such as Hardware Security Modules, where cyber-attackers don’t have access. If you discover a security breach in the code signing process or lose your private key, you should revoke it immediately and issue a brand new key. You can read more about private key storage here.
Best Code Signing Practices
Code Signing certificates are not a magical tool that will solve all your security and trust issues indefinitely. However, without them, you won’t even have the chance to sell your digital products. Users are well aware of the dangers that come with unverified software. That’s why it’s imperative to follow the latest code signing practices if you want your software to look professional and reliable. Below we’ve listed a few tips on what to avoid and how to enhance your Code Singing certificate.
Buy only from trusted Certificate Authorities
Any software publisher can issue a self-signed certificate, but no one will trust it. Unless you need it for testing purposes, you should always get a code signing cert from a trusted third-party entity authorized to issue them to the public. Among the leading Certificate Authorities that issue a wide range of code signing products for every need are DigiCert and Sectigo. If you pick one of them, consider half the job done. For additional security and customer trust, invest in an Extended Validation Code Signing certificate.
Control the access to private keys
We’ve already touched on the importance of keeping private keys safe, but sometimes, in a large IT department too many individuals may have access to them. You should put strict guidelines on who has access to the organization’s private keys and how are they deployed. To further protect your private keys, establish a role-based access (RBAC) policy within your company.
Time-stamp the code
It’s always a good practice to time-stamp your code and not rely only on the certificate’s date of issuance. When the certificate expires or is revoked, a time-stamped code is still considered authentic. The timestamp is an integral part of the code signing process and can be completely trusted as it follows the Universal Time Coordinated sources.
Validate and scan your code
A code signing certificate verifies and confirms the publisher’s identity, but it doesn’t validate the code itself. Before launching your software, check your code for potential errors and vulnerabilities. A rigorous validation plan will ensure that the commercial version is bug-free and secure. The code signing certificate is the final layer of security that ties everything together and allows customers to use the products with peace of mind.
Don’t delay revocation when certs are compromised
Certificate revocation is a standard practice that keeps the code safe. CAs revoke certificates every time there’s a breach. When a certificate is revoked it becomes invalid before its expiration date. If your code signing certificate is compromised, you should contact the CA and ask it to be revoked. To make this process smooth and efficient, ensure your organization has certificate revocation guidelines and a designated individual authorized to initiate the revocation process.
Code Signing certificates are an integral part of digital downloadable goods. Every developer and software company needs them, but not everyone knows how to harness their power beyond buying and installation. By following the best code signing practices you’ll eliminate more security risks and keep both your reputation and user’s satisfaction high.