Understanding the new requirements for code signing is critical for organizations to protect the integrity of their software and infrastructure. Effective June 1, 2023, there will be new key storage requirements for Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates. Certificates will either be issued with FIPS-validated USB tokens or through cloud signing services, based on new CA/Browser Forum requirements to enhance the security and trust in the code signing process. The key material for code signing certificates will no longer be exportable, and activation links will no longer be sent during the issuing process. These changes will affect all new, renewing, or reissuing certificates.
To comply with the new requirements, it is recommended to use secure hardware like USB tokens or cloud HSM services for key storage. This update will strengthen the protection against unauthorized modification of software and the spread of malware. Code signing is becoming even more important in today’s zero-trust environment to verify the authenticity and trustworthiness of software.
The introduction of new standards by GitHub and of regulations for secure software supply chains is driving the push for code signing. The requirements for publicly-trusted Code Signing Certificates now include storing keys on secure hardware and implementing stricter verification processes for publishers. The use of an RFC-3161-compliant Timestamp Authority (TSA) is also required so that each signature carries a trusted timestamp. These new standards aim to prevent key compromise and malicious code signing and to improve incident reporting and revocation processes. Microsoft will be enforcing these guidelines starting February 1, 2017.
Key Takeaways:
- New key storage requirements for OV and IV Code Signing Certificates will go into effect on June 1, 2023.
- Certificates will either be issued with FIPS-validated USB tokens or through cloud signing services.
- To comply with the new requirements, it is recommended to use secure hardware like USB tokens or cloud HSM services for key storage.
- The new requirements aim to enhance the security and trust in the code signing process, preventing unauthorized modification of software and limiting the spread of malware.
Why the Change?
This change is based on new CA/Browser Forum requirements. The updated code signing requirements reflect best practices and guidelines to improve security and trust in the code signing process. Certificates that allow for key material to be exported are considered less secure and are more vulnerable to unauthorized use. By instituting safer key storage requirements, the new regulations aim to prevent key compromise and the issuing of certificates to malicious publishers.
The new requirements are an industry-wide mandate and affect everyone purchasing new, renewing, or reissuing code signing certificates. In addition to stricter key storage requirements, the changes include the implementation of a certificate problem reporting system and the requirement for all certificate authorities to operate an RFC-3161-compliant Timestamp Authority. These changes are essential steps toward cutting down on code signing attacks, and the new standards will be enforced by Microsoft starting February 1, 2017.
Enhancing Security and Trust
Certificates that allow for key material to be exported are found to be less secure and more vulnerable to unauthorized use. The industry-wide mandate, effective June 1, 2023, will require key storage for code signing certificates to be non-exportable, leading to safer key storage requirements. This is a significant step towards preventing unauthorized modification of software and limiting the spread of malware and viruses through the software supply chain.
The adoption of code signing has been relatively slow due to limited awareness and prioritization, but with the rise of zero-trust security strategies and increased insider threats, code signing is gaining recognition. More standards and regulations are expected to be introduced, with GitHub already setting authentication requirements for code check-in.
The use of secure cryptographic hardware, such as USB tokens or hardware security modules (HSMs), is crucial in preventing key compromise and ensuring the trustworthiness of signed code. Certificate authorities (CAs) are implementing stricter identity verification and cross-checking to prevent issuing certificates to malicious publishers. CAs are also required to maintain a reporting system for suspected private key compromise or certificate misuse.
The inclusion of a trusted timestamp in code signing certificates helps maintain the validity of signatures even after the certificate expires. This helps ensure that legitimate code remains trusted, even after a key compromise event. The implementation of these new requirements and standards aims to enhance the security of the code signing process and build trust in the software supply chain.
Industry-wide Impact
The impact of these changes is industry-wide and will affect anyone purchasing new, renewing, or reissuing OV or EV Code Signing Certificates. Effective June 1, 2023, new code signing certificates will only be issued with Federal Information Processing Standard 140-2 (FIPS) validated USB hardware tokens or through Cloud Signing Services, like Certum CodeSigning in The Cloud (SimplySign). This change is being implemented to enhance security and prevent unauthorized modification of software.
The key material for these certificates will no longer be exportable, and alternative options for key storage include cloud signing services and FIPS-compliant security key USB devices. This shift toward stronger code signing practices is driven by the need to protect software integrity in a zero-trust environment and combat insider threats.
Furthermore, these changes are expected to become the norm, with an increase in standards and regulations. Compliance with code signing requirements and the code signing process itself will become increasingly vital, as organizations seek to maintain the trust of their users and safeguard their software and infrastructure.
Stricter Key Storage Requirements
The key material bound to affected code signing certificates will no longer be exportable in formats such as PKCS#12 or PFX, effective June 1, 2023. This change is part of the new requirements for code signing, aimed at enhancing trust in the code signing process and preventing unauthorized use of key material. As a result, activation links will no longer be sent during the issuing process.
To comply with the new requirements, organizations will need to store their keys on secure cryptographic hardware. The options for key storage include using a FIPS-compliant USB token, Certum’s Cloud Signing Service, cloud HSM services, or on-premises FIPS-compliant HSM.
Adoption of code signing is becoming increasingly important due to the zero-trust environment and the rise in insider threats. As awareness grows, more standards are expected to be introduced, and banks are starting to require code signing. The new requirements also address verification processes, certificate problem reporting systems, and the inclusion of trusted timestamps with signatures.
Implementing these changes will help to decrease code signing attacks and improve the security of software and infrastructure. Organizations need to understand the new requirements and take action to ensure they are in compliance by June 1, 2023.
The Importance of Code Signing
According to Eric Mizell, VP of Field Engineering at Keyfactor, code signing is becoming increasingly important in today’s zero-trust environment. It plays a critical role in protecting the integrity of software and infrastructure and ensures that only authorized individuals and tools have access to sign code.
The resulting signature allows users and devices to determine which software to trust, which is especially crucial in an era of rising cyberattacks and supply chain vulnerabilities. However, code signing has not been widely adopted due to varying levels of awareness and limited standards and best practices.
As awareness around the importance of code signing increases, more standards are expected to be introduced. GitHub has already set the standard by requiring certificate authorization for developers. The tipping point where code signing becomes the norm is on the horizon, as it will soon be required for banks and new regulations for secure software supply chains are being introduced.
The new requirements for publicly-trusted code signing certificates focus on protecting against key compromise and issuing certificates to malicious publishers. These requirements include storing the keys on secure cryptographic hardware and conducting strict identity verification of publishers. Code signing authorities are also required to operate a reporting system for suspected fraud or abuse and must maintain an RFC-3161-compliant Timestamp Authority for including trusted timestamps with signatures.
Overall, code signing is crucial for maintaining trust in software and safeguarding against breaches and supply chain attacks. As organizations continue to recognize its importance, it will become an increasingly essential aspect of software security and integrity.
Increasing Awareness and Standards
The main reasons code signing has not yet been widely adopted are varying levels of awareness and limited standards and support for code signing. In today’s zero-trust environment, it is crucial to increase awareness and standards in code signing to protect the integrity of software and infrastructure.
To address this, the Certificate Authority Security Council (CASC) has introduced minimum requirements for publicly-trusted Code Signing Certificates. These requirements aim to enhance security and trust in the code signing process, preventing unauthorized modification of software and limiting the spread of malware.
The new requirements emphasize the need for secure key storage, such as using cryptographic hardware like USB tokens or HSMs. Additionally, they introduce stricter identity verification and cross-checking processes to prevent certificates from being issued to malicious publishers. The new standards also mandate the operation of a certificate problem reporting system for the timely investigation and revocation of reported issues.
Another significant requirement is the inclusion of trusted timestamps with each code signature. This ensures that signatures remain valid even after the certificate expires, thereby guaranteeing the continued trust in legitimate code even in the event of a key compromise.
Microsoft has already adopted these guidelines, and other industries are expected to follow suit. By increasing awareness and adhering to these new requirements, organizations can ensure the security and integrity of their software, protect their brand reputation, and maintain customer trust.
Storing Keys on Secure Hardware
The new requirements for code signing include storing the keys on secure cryptographic hardware such as a USB token or Hardware Security Module (HSM) to decrease the chances of key compromise. Certificates that allow for key material to be exported are found to be less secure and more vulnerable to unauthorized use. In order to comply with the new industry-wide mandates, organizations must ensure that their keys are stored on secure cryptographic hardware.
FIPS-validated USB tokens and HSMs are excellent solutions for secure key storage. These devices are tamper-evident and keep the keys isolated from the host system, so the private key cannot simply be copied off a compromised workstation. This isolation reduces the risk of key compromise and strengthens the overall security of the code signing process.
The new requirements also include strict identity verification for publishers and maintaining a system for reporting and investigating certificate issues. This ensures that only trusted publishers are able to sign code and that any issues are promptly addressed and remedied. Additionally, Certificate Authorities (CAs) are now required to operate an RFC-3161-compliant Timestamp Authority (TSA) for code signing certificates, which ensures that signatures remain valid even after the certificate expires. This added layer of security ensures continued trust in legitimate code.
Microsoft has adopted these guidelines, and it is expected that other organizations will follow suit. Storing keys on secure hardware is crucial in preventing unauthorized use and maintaining the integrity of code signing processes. Organizations must ensure that they understand and adhere to the new requirements to maintain software security and trust.
Timestamp Authority and Continued Trust
Another new requirement for publicly-trusted Code Signing Certificates is the operation of an RFC-3161-compliant Timestamp Authority (TSA) that provides trusted timestamps for each code signing signature. This is crucial for maintaining the validity of the signature even after the certificate expires or in the event of a key compromise.
Trusted timestamps are used to prove that a digital signature was created at a specific time, ensuring continued trust in legitimate code. Because the code signing process is used to sign software and infrastructure components, trusted timestamps are essential for ensuring the integrity of these assets. They also provide a mechanism for establishing the order of events in case of a dispute or audit.
Without a trusted timestamp there is no verifiable evidence of when a code signing signature was created, so once the certificate has expired or been revoked the signature cannot be shown to predate that event and its validity cannot be proven. That gap is what lets attackers modify code signatures and spread malware, compromising the security of users and devices. This is why it is essential to operate an RFC-3161-compliant Timestamp Authority (TSA) that provides trusted timestamps for each code signing signature.
Cutting Down on Code Signing Attacks
These new requirements are aimed at cutting down on Code Signing attacks and increasing the overall security of the software supply chain. Code Signing attacks occur when a hacker gains access to the private key of a legitimate code signer and uses it to sign their malicious software with a valid Certificate Authority-issued code signing certificate. This allows the attacker to bypass traditional security measures, such as virus scanners, and distribute the malware as legitimate software.
To prevent Code Signing attacks, the Certificate Authority Security Council (CASC) has introduced new minimum requirements for publicly-trusted Code Signing Certificates. These requirements include strict identity verification and cross-checking processes before issuing certificates, as well as storing keys on secure cryptographic hardware. These measures prevent attackers from obtaining private keys and signing malicious software with legitimate certificates.
In addition to these requirements, the CASC mandates that Certificate Authorities have a Certificate Problem Reporting system in place to allow for quick response to any issues with certificates and operate an RFC-3161-compliant Timestamp Authority. The Timestamp Authority ensures that even in the event of a key compromise, legitimate code signed before the compromise can still be trusted through its trusted timestamp.
By implementing these new requirements, the CASC aims to increase the security of code signing and reduce the risk of attacks. It is important for organizations to adhere to these requirements to ensure the integrity of the software supply chain and protect themselves and their customers from code signing attacks.
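The two behaviours described under "Timestamp Authority and Continued Trust" and in this section (a timestamped signature that outlives its certificate, and a revocation date that cuts off signatures made after a key compromise) can be modelled as a small verifier policy. The following Python is an added example, not code from the original article or from any CA or signing vendor; the certificate, dates, artifact names and the `evaluate` policy are constructed stand-ins, and it assumes that the RFC 3161 token's own signature and the TSA's chain have already been verified.

```python
"""Illustrative verifier policy for timestamped code signatures.

Added example: models how an RFC 3161 timestamp keeps a signature trusted
after the certificate expires, and how a revocation date recorded after a
certificate problem report separates pre-compromise signatures from later
ones. The classes and the policy are simplified stand-ins for a real
Authenticode/PKCS#7 verifier, not any vendor's implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class SigningCert:
    """The publisher's code signing certificate (only the fields the policy needs)."""
    subject: str
    not_before: datetime
    not_after: datetime
    # Recorded by the CA after a certificate problem report (e.g. suspected key
    # compromise). Signatures made at or after this instant are rejected.
    revoked_at: Optional[datetime] = None


@dataclass(frozen=True)
class Signature:
    """A code signature plus the time asserted by its TSA countersignature."""
    artifact: str
    cert: SigningCert
    # Time from the RFC 3161 token; None means no trusted timestamp was attached.
    # Assumption: the token's own signature and the TSA chain were already checked.
    tsa_time: Optional[datetime] = None


def evaluate(sig: Signature, now: datetime) -> Tuple[bool, str]:
    """Decide whether `sig` is trusted when verified at `now`.

    The signing time used for the validity check is the TSA timestamp when one
    is present. Without it the verifier can only use its own clock, so the
    signature dies with the certificate.
    """
    cert = sig.cert
    if sig.tsa_time is not None:
        signed_at, basis = sig.tsa_time, "TSA timestamp"
    else:
        signed_at, basis = now, "verification time (no trusted timestamp)"

    if signed_at < cert.not_before:
        # A timestamp earlier than the certificate's start cannot be genuine.
        return False, f"{basis} {signed_at:%Y-%m-%d} precedes certificate validity"
    if signed_at > cert.not_after:
        return False, f"{basis} {signed_at:%Y-%m-%d} is after certificate expiry"
    if cert.revoked_at is not None and signed_at >= cert.revoked_at:
        return False, f"{basis} {signed_at:%Y-%m-%d} is on/after the revocation date"
    return True, f"{basis} {signed_at:%Y-%m-%d} is within validity and before any revocation"


def run_scenarios() -> List[Tuple[str, bool, str]]:
    """Constructed scenarios; every date, name and lifetime here is made up."""
    now = datetime(2026, 3, 1, tzinfo=UTC)
    # Certificate valid through 2024-2025; the key is reported compromised mid-2025.
    cert = SigningCert(
        subject="CN=Example Publisher (constructed)",
        not_before=datetime(2024, 1, 1, tzinfo=UTC),
        not_after=datetime(2025, 12, 31, tzinfo=UTC),
        revoked_at=datetime(2025, 7, 1, tzinfo=UTC),
    )
    sigs = [
        # Timestamped while valid and before the compromise: still trusted in 2026.
        Signature("installer-2024.msi", cert, tsa_time=datetime(2024, 6, 1, tzinfo=UTC)),
        # Same certificate, no timestamp: the verifier's clock says "expired".
        Signature("installer-2024-no-ts.msi", cert, tsa_time=None),
        # Timestamped after the revocation date: produced with the stolen key.
        Signature("installer-post-compromise.msi", cert, tsa_time=datetime(2025, 8, 1, tzinfo=UTC)),
        # Timestamp before notBefore: inconsistent, so it is rejected.
        Signature("installer-backdated.msi", cert, tsa_time=datetime(2023, 12, 1, tzinfo=UTC)),
    ]
    return [(s.artifact,) + evaluate(s, now) for s in sigs]


if __name__ == "__main__":
    for artifact, ok, why in run_scenarios():
        print(f"{'TRUSTED ' if ok else 'REJECTED'} {artifact}: {why}")
```

Running the script prints one TRUSTED or REJECTED verdict per constructed scenario. A production verifier additionally checks the TSA certificate chain, that the hash inside the token matches the signed file, and the publisher chain's revocation status; the policy above isolates only the date logic that the timestamp requirement is meant to enable.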
Conclusion
In conclusion, understanding the new requirements for code signing is essential for anyone purchasing or using code signing certificates. The updated code signing requirements enforce best practices and guidelines to enhance software security, prevent unauthorized modification, and limit the spread of malware.
The new standards require strict identity verification of publishers and cross-checking against lists of suspected or known malware publishers. They also introduce a certificate problem reporting system that allows for quick investigation and revocation of certificates in case of misuse or compromise.
Moreover, the new requirements mandate storing the keys on secure cryptographic hardware, such as USB tokens or hardware security modules. This significantly reduces the risk of key compromise and ensures the continued trustworthiness of the code signing certificates.
The requirement for an RFC-3161-compliant timestamp authority ensures that signatures remain valid even after the certificate expires. This ensures continued trustworthiness of legitimate code even in the event of a key compromise.
These changes aim to enhance the security and trustworthiness of code signing certificates, making them a vital part of protecting software and infrastructure in the zero-trust environment.
FAQ
Q: What are the new requirements for code signing certificates?
A: Effective June 1, 2023, code signing certificates will have new key storage requirements, meaning that the key material will no longer be exportable and activation links will no longer be sent during the issuing process.
Q: Why are these new requirements being implemented?
A: The new requirements are being implemented to increase the security and trust in the code signing process by implementing safer key storage and preventing unauthorized modification of software.
Q: Who will these new requirements affect?
A: These new requirements will affect anyone purchasing new, renewing, or reissuing Organization Validation (OV) or Individual Validation (IV) Code Signing Certificates.
Q: What options are available for key storage under the new requirements?
A: The options for key storage include Certum’s SimplySign cloud signing service, a secure FIPS-compliant security key USB device, a dedicated cloud HSM service, or an on-premises FIPS-compliant Hardware Security Module (HSM).
Q: What are the benefits of Certum’s SimplySign cloud-based signing service?
A: Certum’s SimplySign signing service allows users to conveniently add globally trusted digital signatures and timestamps to software code from anywhere, without the need for USB tokens, HSMs, or other special hardware.
Q: Why is code signing important?
A: Code signing plays a critical role in protecting the integrity of software and infrastructure by ensuring that only the right people and tools have access to sign code and enabling users and devices to determine which software to trust.
Q: What is the expected impact of these new requirements on code signing adoption?
A: As awareness around the importance of code signing increases, more standards are expected to be introduced, leading to wider adoption of code signing practices.
Q: How will the new requirements enhance security and trust?
A: The new requirements include storing keys on secure cryptographic hardware to decrease the chances of key compromise, strict identity verification of the publisher, cross-checking against lists of suspected or known malware publishers, and the operation of an RFC-3161-compliant Timestamp Authority (TSA) to provide trusted timestamps for each code signing signature.
Q: How do the new requirements contribute to cutting down on code signing attacks?
A: The new requirements aim to increase the overall security of the software supply chain by implementing stricter verification procedures and allowing for the prompt investigation and revocation of certificates in the event of suspected abuse or fraud.