OV Code Signing certificates are to software developers what SSL certificates are to a website. Without a signature, users and operating systems cannot tell who published a binary or whether it was altered after release. As with any PKI product, protecting the code signing private key is essential. But just like with SSL keys, sometimes the key falls into the wrong hands, and then anything the thief signs carries your name.
Just ask Nvidia, the renowned technology company that recently saw not one but two of its code signing certificates stolen. The hackers from the notorious Lapsus$ group used the compromised certificates to sign their malware and make it look like it came from Nvidia itself.
Attacks of this magnitude are uncommon, but the security and reputational damage can be significant. The lesson from this breach is simple: do not keep code signing private keys as files on a server or build machine. A key that lives in a file can be copied by anyone who can read it; a key generated inside a hardware module and marked non-exportable can only be used, not copied.
The CA/Browser Forum responded by amending the rules for issuing OV and IV code signing certificates: starting November 15, 2022, the private key must be generated and stored on compliant security hardware.
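That lesson translates into a routine check on build and release hosts. The following script is an added example, not part of the original article and not a CA's tooling: it walks a directory tree and flags private-key material sitting in files, separating plain PEM keys from passphrase-protected ones and PKCS#12 containers. The file names and key contents in demo() are constructed stand-ins, and the detection is heuristic (header matching, not full ASN.1 parsing).

```python
"""Audit a directory tree for code-signing private keys stored as plain files.

Added example (not from the original article). Detection is heuristic: it
matches PEM headers and the DER prefix of PKCS#12 containers, which is enough
to find keys that should have been in a hardware module instead.
"""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# PEM private key headers: PKCS#8 ("PRIVATE KEY") and the legacy
# type-specific forms (RSA/EC/DSA/OPENSSH PRIVATE KEY).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH) )?PRIVATE KEY-----")
# Passphrase-protected forms: PKCS#8 "ENCRYPTED PRIVATE KEY" and the legacy
# OpenSSL "Proc-Type: 4,ENCRYPTED" header inside a type-specific PEM block.
PEM_ENCRYPTED = re.compile(rb"-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED")
PKCS12_EXT = {".pfx", ".p12"}


@dataclass
class Finding:
    path: str
    kind: str                  # "pem-key" or "pkcs12"
    encrypted: Optional[bool]  # False: readable file == usable key; None: not determined


def classify(path: str) -> Optional[Finding]:
    """Return a Finding if the file looks like private-key material, else None."""
    try:
        with open(path, "rb") as f:
            head = f.read(4096)  # headers are at the top; no need to read a whole file
    except OSError:
        return None
    if PEM_ENCRYPTED.search(head):
        return Finding(path, "pem-key", True)
    if PEM_PRIVATE.search(head):
        return Finding(path, "pem-key", False)
    ext = os.path.splitext(path)[1].lower()
    # PKCS#12 is DER: the outer SEQUENCE tag is 0x30. Whether the bundle has a
    # real password cannot be told without parsing it, so report it as unknown.
    if ext in PKCS12_EXT and head[:1] == b"\x30":
        return Finding(path, "pkcs12", None)
    return None


def scan(root: str) -> List[Finding]:
    """Walk `root` and collect findings with paths relative to it."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hit = classify(full)
            if hit:
                hit.path = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append(hit)
    return sorted(findings, key=lambda f: f.path)


def demo() -> List[Finding]:
    """Build a constructed sample tree, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="signing-audit-")
    samples = {  # constructed sample files; key bodies are placeholders
        "build/sign.key": b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...\n-----END PRIVATE KEY-----\n",
        "build/legacy.pem": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             b"DEK-Info: AES-256-CBC,0102\n\n...\n-----END RSA PRIVATE KEY-----\n"),
        "release/codesign.pfx": b"\x30\x82\x0a\x00\x02\x01\x03" + b"\x00" * 32,
        "release/publisher.crt": b"-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n",
        "README.md": b"Never commit a PRIVATE KEY; sign from the HSM.\n",  # prose, not a key
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    try:
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    labels = {True: "passphrase-protected", False: "UNENCRYPTED", None: "container (check password handling)"}
    for finding in demo():
        print(f"{finding.path}: {finding.kind}, {labels[finding.encrypted]}")
```

Run it against the directories your CI or release pipeline uses. Every hit is a key that whoever can read the file can sign with; the fix is the one the CA/B Forum now requires for new certificates, which is to generate a fresh key inside a hardware module, reissue the certificate against it and revoke the certificate whose key was on disk.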
Code signing changes – the overview
The change itself is not groundbreaking, as CAs already deliver Extended Validation code signing certificates to customers on USB tokens or hardware security modules (HSMs). Soon the same procedure will apply to Organization Validation and Individual Validation code signing certificates.
Technically speaking, the private key must be generated and kept in a hardware crypto module certified to at least FIPS 140-2 (Federal Information Processing Standards) Level 2 or Common Criteria EAL 4+. Acceptable forms include:
- Hardware security modules (HSMs), physical or cloud-hosted
- Security tokens, such as USB hardware keys
- Key storage and signing services that meet the same certification bar
In practice, if the CA ships you a token, you will no longer generate the Certificate Signing Request yourself: the CA generates the key pair on the device and installs the certificate on it. If you use your own HSM or token, you generate the key pair inside that module and send the CA the CSR, and the CA verifies that the key was generated on compliant hardware before issuing.
The reason behind the code signing overhaul
Most CA/Browser Forum changes and improvements are driven by emerging security issues that can no longer be neglected, and this one is no exception. After a few high-profile debacles, the CA/B Forum tightened the key protection rules in the Baseline Requirements (BR) for the Issuance and Management of Publicly-Trusted Code Signing Certificates (version 2.8), updated via Ballot CSC-13, Update to Subscriber Key Protection Requirements.
As a result, the private keys of all code signing certificates, regardless of validation level, must be kept on compliant secure hardware. Since the CAs already use physical devices to deliver EV code signing certificates, the change should be smooth and straightforward.
The requirement is set out in section 16.3.1, Subscriber Private Key Protection, of the code signing BR (version 2.8). Here is what it states:
“The CA MUST obtain a contractual representation from the Subscriber that the Subscriber will use one of the following options to generate and protect their Code Signing Certificate Private Keys in a Hardware Crypto Module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.”
How should I prepare?
Officially, the change takes effect on Tuesday, November 15, 2022, at 00:00 Coordinated Universal Time (UTC); use a timezone converter to find your local time. As is often the case, some CAs such as Sectigo and DigiCert may roll out the changes ahead of schedule to resolve potential issues before the official deadline. So far, we haven't received any updates from the CAs on this matter, so we'll keep you updated.
The new requirements affect anyone who buys an OV or IV code signing certificate after the November deadline. If your current certificate expires after that date, its renewal, and any reissue after the deadline, must follow the new rules.
Existing code signing certificates issued before November 15 will keep working, and you can continue signing your software with them as you always have. After the change takes effect, code signing applicants will have to affirm that they will generate and store their keys in one of the following:
- An HSM or USB security token
- A cloud-based key generation and protection solution
- A signing service that meets the requirements outlined in the CA/B Forum Baseline Requirements
The CAs have yet to iron out all the details of issuing code signing certificates after the November rollout. We expect a streamlined buying process similar to how EV code signing certificates are obtained: the CA provides a security token for your private key, but you will also have the option to use your own device if it meets the compliance requirements.