If I’m a developer of code and I sign my code with a code signing certificate, I am keeping my code safe from hackers and malware, right? Well the answer is, you are only partially safe.
What is a code signing certificate? Code signing certificates are a valuable security tool for developers. A code signing certificate utilizes an encryption algorithm in the form of a digital x.509 certificate issued from a trusted Certificate Authority in conjunction with a time stamp to secure code files. Code signing certificates are not exclusively useful for software, but can also be used for applications, scripts, and even firmware.
Developers can use these code signing certificates to ensure the code they provide to their end-users has not been altered especially with viruses, malware, or spyware. Similar to the way websites use TLS certificates to validate a secure connection to a verified website, code signing certificates use a similar Public Key Infrastructure (PKI) methodology. Developers sign their code with a private key, which is securely stored, and the end user will use the public key from that developer to validate the code has not changed since it was signed by the developer. In the circumstance where the code has been altered, the signature will provide an untrusted alert just as a website with an untrusted or expired certificate does with TLS.
Code signing certificates allow developers to provide their customers with assurance that the code (in whatever format it might be) is unaltered as well as confidence that the code they are downloading came from that developer.
Now that we have an understanding of what a code signing certificate is and how it can be used to protect a developer’s code, let’s look at why simply signing your code with a code signing certificate is not enough on its own. Let’s go back to just before Thanksgiving in 2014 when Sony Pictures was hacked. Hackers gained access to the Sony network and planted malware that crippled many employees’ computers with a worrisome warning message followed by a massive data breach which included the releases of previously unseen films, a staggering amount of employee personal information, and the destruction of a significant amount of corporate data. After long investigations, at a cost to Sony of over $15 Billion, it was later discovered that the attackers gained access to the Sony network through dozens of unprotected SSH private keys. An SSH private key operates under a very similar Private Key Infrastructure as code signing private keys do.
Back to the Sony example, a few months after the breach, malware known as “Destover” was found online signed with Sony’s code signing certificate. This malware is the same as the one hackers used against Sony to delete massive amounts of data in the breach. How could these hackers have signed code with Sony’s code signing key? Well, just like the SSH keys, a private key in the PKI infrastructure is only as secure as it’s means of storage. Many private keys (SSH, TLS, and code signing) are not stored in secure locations. Administrators will save a key in a file system or even on their desktops and these keys are often never rotated. The trouble is that once someone has access to your private key, they have essentially stolen your identity and can pose as you or your organization in the digital world. Hackers with access to Sony’s private code signing key can now release nefarious code of all kinds that will be trusted and downloaded by individuals without ever receiving a warning from a virus or malware scanner.
Code signing can be an extremely powerful security tool for developers and can provide comfort to end users. However, as we illustrated, the private keys in all Private Key Infrastructures must be securely and adequately protected in order to provide full protection of the developer’s code as well as the organization or developer’s reputations. Another means of protecting your private keys and therefore your code (or infrastructure) is by rotating the private key. Rotating a private key means the previous key will no longer work and a new private key is now used in its place. Often, it can be quite cumbersome to rotate a private key because you must first identify where it is used and replace those occurrences with the new key; this is often nearly impossible without the appropriate software to assist. Key rotations provide an added layer of security by ensuring that even if a private key was somehow compromised, it can no longer gain access or “sign”.
In summary, code signing can be a powerful security tool for developers as long as the private key is properly managed through storage and rotation.