Code Signing

What is Code Signing?

Code signing is the process of digitally signing executables, scripts, drivers, software packages, or container images to guarantee their origin and integrity. Using cryptographic techniques, code signing provides verification that the code was created by a specific author (authenticity) and hasn't been altered since it was signed (integrity).

When software is code signed, it includes a digital signature created using the developer's or publisher's private key. This signature can be verified using the corresponding public key, which is typically backed by a certificate issued by a trusted Certificate Authority (CA).

How Code Signing Works

The code signing process typically involves the following steps:

1. Certificate Acquisition: The developer obtains a code signing certificate from a trusted Certificate Authority (CA), which involves verifying the developer's identity.

2. Digest Creation: A cryptographic hash (digest) of the code is generated, creating a unique fingerprint of the software.

3. Signing: The hash is encrypted using the developer's private key, creating a digital signature.

4. Attachment: The signature and the developer's certificate containing their public key are attached to the software.

5. Verification: When a user runs the software, their operating system:

   • Verifies the certificate was issued by a trusted CA
   • Uses the public key to decrypt the signature
   • Compares the decrypted hash with a newly calculated hash of the software
   • If the hashes match, the software runs; if not, a security warning is displayed

Benefits of Code Signing

For Software Developers and Publishers:

• Brand Protection: Prevents impersonation and protects reputation
• Trust Establishment: Builds confidence with users and customers
• Reduced False Positives: Signed code is less likely to be flagged by security tools
• Distribution Platform Requirements: Meets requirements for app stores and platform distributors

For End Users:

• Publisher Verification: Confirms the software came from a legitimate source
• Tamper Detection: Ensures the software hasn't been modified since it was signed
• Malware Protection: Reduces the risk of executing malicious software

Code Signing in Software Supply Chain Security

Code signing plays a critical role in software supply chain security:

1. Securing Artifacts: Ensures the integrity of all software artifacts throughout the supply chain
2. Chain of Trust: Establishes a verifiable chain of trust from developer to end user
3. Compliance: Meets regulatory requirements for software integrity verification
4. Attack Prevention: Mitigates specific supply chain attacks like dependency substitution

Modern Code Signing Approaches

Traditional PKI-Based Code Signing

Uses X.509 certificates issued by commercial Certificate Authorities (CAs).

Sigstore

An open-source project providing free code signing infrastructure:

• Cosign: Tool for container signing
• Fulcio: A free root certificate authority
• Rekor: Transparency log for code signing events

Keyless Signing

Newer approaches like Sigstore's keyless signing eliminate the need for long-term key management by using short-lived certificates based on identity provider authentication.

Decentralized Signing

Blockchain-based approaches that don't rely on centralized certificate authorities.

Best Practices for Code Signing

1. Secure Private Keys: Store private keys in hardware security modules (HSMs) or secure key management systems
2. Strong Key Algorithms: Use strong cryptographic algorithms (e.g., RSA 4096-bit, ECDSA with P-256 curve)
3. Timestamp Signatures: Add timestamps to signatures to maintain validity after certificate expiration
4. CI/CD Integration: Automate code signing in secure CI/CD pipelines
5. Key Rotation: Regularly rotate signing keys according to security policies
6. Signing Policy: Establish clear policies on what code must be signed and by whom
7. Access Control: Implement strict access controls for signing operations
8. Audit Logging: Maintain comprehensive logs of all signing activities