Businesses spend billions each year on identity and access management to protect the digital identities of humans, i.e., usernames and passwords. On the other hand, relatively little is spent on managing machine identities, code signing keys and certificates, even though the entire digital economy hinges on access to secure software and infrastructure. As businesses increasingly transform operations to primarily digital—a trend known as digital transformation—every business is becoming a software business, and the need to protect that critical infrastructure with code signing machine identity management has become more critical than ever.">
Code signing is a method of putting a digital signature on a piece of software or digital file so its authenticity and integrity can be verified when used. Like a wax seal, it guarantees that the recipient knows who the author is, and that it hasn’t been tampered with after it was signed. In the past, code signing was used only on “final” software executables such as programs, software updates, and shell scripts to verify authenticity and integrity of these by end-users.
However, with the recent flurry of software supply chain attacks where hackers insert malware before the final software gets signed, code signing is now also used to protect intermediate software artifacts such as source code, build scripts, software libraries, execution containers like Docker, and the tools that are used by the software team to build their software. When software is signed with a valid machine identity—such as a code signing certificate and encryption key—computing devices implicitly trust the software and unconditionally run it. The valid code signature indicates that the code comes from the trusted source that signed it and hasn’t been modified by a third party. When this process is compromised, cybercriminals can misuse code signing machine identities to sneak malware that appears to come from your organization into your software.
Code signing guarantees that the code of a program or software download hasn’t been corrupted and tampered with after it was signed by the publisher/author. Just as you want to be certain when you log into your bank account that you’ve given your password to the intended bank and not a cybercriminal, it’s best to be sure that the programs and updates you download are safe and from the authentic publishers. To do that, you use the same public key infrastructure (PKI) used to secure HTTPS. When these machine identities are used to sign and verify software, it’s called code signing.
Code signing is a process by which a software file—such as a program, document, file, driver, firmware, container, mobile app or even a script—is digitally signed to show that it comes from an identifiable source and hasn’t been altered since it was signed. Three items are required in a code signing operation:
After the organization has the code signing certificate and private/public PKI key pair, developers can proceed with signing their code. Depending on the specific software development process being used by the software team, the process shown in Figure 1-1 could happen hundreds or thousands of times a day. This process varies depending on what types of code are being signed and how often they’re being released.
When developers want to sign their code or intermediate software artifacts, they use the code signing tool provided by their development environment. This tool completes the following steps:
When code signing machine identities are properly protected, they’re an effective tool for stopping cybercriminals from these sorts of attacks. Unfortunately, too many organizations have outdated and insecure code signing processes. This can leave your organization vulnerable to security and brand risks. Plus, with the explosion of software development within many organizations, traditional information security (InfoSec) teams don’t have visibility into how development teams are actually signing their software, or the steps that they’re taking to protect the code signing machine identities they’re using.
It’s easy to see why securely managing your private code signing keys and certificates is essential to maintain the integrity of your organization’s cybersecurity strategy. Traditional code signing is no longer sufficient in a world where threat actors are becoming increasingly sophisticated in their attacks. You need to protect your code signing machine identities, and Venafi can help. With CodeSign Protect, your organization can enjoy fast and secure code signing.