Digital content is constantly being distributed online. Every day, we download executable scripts, applications, and files for a variety of business and personal activities. Both end-users and developers need a secure way of knowing that the software that is distributed is reliable and secure against tampering.
This is where code signing comes in. Most computing platforms, like Windows, have strict rules about what content can be distributed through their channels or run on their systems. There is a variety of solutions for software developers in order to comply with these rules and make sure that the code they send out to the world is not compromised.
Also, the modern workspace environment integrates remote work, asynchronous cooperation, and a rising need for distributed team sharing options. One of the most robust and convenient solutions for code and document signing that incorporates these modern trends is SSL.com’s eSigner cloud signing service.
Code Signing Essentials
Code signing is the procedure of applying a digital signature to a piece of software like an application or a driver. This signature serves a double purpose, to ensure both the authenticity and integrity of the code:
- It provides cryptographic proof of the developer’s identity (authenticity).
- It ensures that the content of the software has not been tampered with from the time it was created until the time it is used (integrity).
The validity of the signer’s certificate and identity is itself confirmed by the digital signature of a reputable, publicly trusted certification authority (CA), like SSL.com, thus building a chain of trust to the CA’s root certificate in the platform’s trust store. With this chain of trust established, operating systems and end-users may be certain that you are a trusted developer and that installing your software in their system is safe.
Not using a code signing certificate leads to warning messages and errors when a user tries to install your software, like “Windows can’t verify the publisher of this driver software.” No one wants to be on the receiving end of such a situation, especially a developer. In fact, compliance with a number of platform standards requires code signing; for example, you can’t publish Windows kernel-mode drivers at all without an EV code signing certificate.
Protection against tampering
Digital signatures protect the integrity of a message (in this case a piece of code) through cryptographic hash functions. These are mathematical algorithms that map data to a bit array of prearranged size, called a hash value or message digest. Cryptographic hash functions are one-way functions, and even a small change in the original message results in significant changes in the hash value. So, when a user receives the message with its hash value included in the digital signature, their OS will apply the same hash function to the message received and compare the two digests. If they are identical, they can be confident that the message received is undifferentiated from the original. If not, the system will warn them that the file is corrupt in some way.
Options for code signing
There are a number of technical options for code signing, each with its own pros and cons in terms of the level of security offered, pricing, applicability, and ease of use. Below we are going to take a look at these options and what they offer.
Locally Installed OV/IV Certificates
The first and simplest option is to have a locally installed organization validated (OV) or individual validated (IV) code signing certificate and private key on your machine. These types of certificates are distributed by SSL.com in the PKCS#12/PFX file format and may be installed in your computer’s certificate store or on some cloud services like Azure Key Vault. For more information on ordering OV/IV code signing certificates from SSL.com, please read this how-to.
The advantage of this type of code signing is relatively easy implementation, and it is also the cheapest of the available options. However, it does not confer the security level of a USB token, HSM, or cloud signing service (see below), and this type of installation is not acceptable for Extended Validation (EV) code signing. This last piece of information is particularly important since some applications (notably signing Windows 10 drivers) require an EV certificate.
USB tokens
A more secure code signing option is using a Hardware Security Module (HSM) with a physical form. The most common HSM used for code signing is a USB token, like the YubiKey FIPS tokens SSL.com uses to distribute EV code signing certificates. This token is responsible for storing a user’s certificates and keys and is also safe against tampering and key compromise, thanks to its hardware architecture and its packaging. The USB token is used like a key that needs to be physically inserted into a computer in order to digitally sign a piece of software. The token additionally requires a PIN to be accessed for extra security.
This method is currently the most common for EV code certificates, as it provides high security and is easily implemented by users. These small hardware tokens are also easily portable and one can sign from anywhere.
However, this method has its shortcomings. First of all, it can be quite expensive for an organization to purchase and replace these tokens. Especially in the remote work environment of today, distributing and taking care of hardware tokens can be quite a logistical challenge for an IT department, costing both financial and human resources. Additionally, these tokens can be stolen or lost, creating security gaps with a potentially high risk of compromise, along with the high cost of replacement. Finally, they are inconvenient when compared to cloud-based options for sharing between developers.
Networked HSM
Going one step further, another option is using a networked HSM in the cloud to host code signing certificates and keys. Examples of such options are cloud services like Azure, AWS, and Google Cloud. In this case, the HSM is in the cloud instead of the pocket of the developer.
This method offers security standards of the same high level as the physical devices since the private keys are not exportable from the HSM, and access to digital signing requires user authentication with the aforementioned services. The digital signature can be applied from anywhere, and EV code signing is available with this option. This method is also easily scalable to incorporate new members of an organization and/or replace digital certificates in case of lost credentials.
On the other hand, implementing this method may require additional expense and expertise, since it requires a certain level of familiarity with the technology. For more details, please read this guide for the various ways that SSL.com supports cloud HSM services.
eSigner: Cloud Code Signing as a Service
Finally, a modern and very convenient approach is dealing with code signing as a service. SSL.com’s eSigner cloud signing service is an example of this approach to code signing.
With eSigner, SSL.com handles both the public key infrastructure (PKI) and HSMs for code signing. The non-exportable signing keys are stored in eSigner’s HSMs, where neither the customer nor SSL.com can view them. This way, the security standard is as high as with tokens and cloud HSMs, but there is no need for the client to deal with them directly.
eSigner uses OAUTH TOTP for secure two-factor authentication, thus giving the chance for code signing from any internet-connected device regardless of location. eSigner supports EV code signing, so developers can use it to sign Windows 10 kernel-mode drivers.
eSigner also makes sharing code signing certificates between teammates easy and secure. By using the SSL.com dashboard, it is easy to share a code signing certificate, and each member has their own PIN. This feature of eSigner allows for globally dispersed teams to work quickly and asynchronously, without compromising the organization’s security. For more details about this option, please consult this how-to.
eSigner Options
The eSigner environment includes a number of signing options to accommodate the needs of a variety of customers, from individual developers to complex organizations.
- eSigner Express: As the name indicates, this option is useful for those times that a file needs to be remotely signed quickly and conveniently. eSigner Express is a web-based GUI app and makes code signing extremely easy through dragging and dropping of code files.
- CodeSignTool: CodeSignTool is a command-line utility for EV code signing certificates that can be used across various platforms, including Windows, macOS, and Linux. It is especially useful for signing sensitive files since only the hashes of the files are sent to SSL.com for signing, instead of the code itself. CodeSignTool is also ideal for creating automated processes, such as the signing of multiple files in batches or Continuous Integration/Continuous Delivery (CI/CD) pipeline workflows. For more details regarding the usage of CodeSignTool, please refer to this guide.
- APIs: SSL.com’s enterprise customers can access the same Cloud Signing Consortium (CSC) and Code Signing APIs that power eSigner Express and CodeSignTool for the development of their own front-end code signing apps.
Conclusion
EV code signing has become a necessity for many developers. With today’s increased reliance on remote work and asynchronous cooperation, a fast, reliable, and secure tool for remote EV code signing that also emphasizes team sharing is an essential addition to any developer’s and software publisher’s arsenal. eSigner fulfills those needs in the most convenient, versatile, scalable, and powerful way while complying with the highest security standards of the industry.
How Can I Try eSigner?
eSigner is currently available to all SSL.com EV code signing and document signing customers as a subscription service with service tiers to support organizations and enterprises of all sizes. Please check the main eSigner page for pricing details. For much more information about eSigner cloud code signing, check out these SSL.com guides and how-tos, or use the information form below to contact SSL.com’s enterprise sales team.
eSigner Code Signing Guides and How-Tos
- Remote EV Code Signing with eSigner
- eSigner CodeSignTool Command Guide
- Team Sharing for eSigner Document and EV Code Signing Certificates