Protect & Secure Your Private Keys: 3 Steps for Safe & Secure Code-Signing

in #private8 years ago

A recent article by the Microsoft malware protection center, “Be a real security pro – Keep your private keys private,” reminded me of some best practices.

lockThere are far too many cases of illegitimate code being signed by a stolen private key for legitimately signed code-signing certificates.

In these cases, the owners of the private keys have not secured the keys.The problem with code-signing is that many developers may need to sign their code.

If there is no controlled signing process, then the signing private key, password and code-signing certificate are readily distributed among developers.

The thinking? “Since more than one developer is using the private key, let’s make the password simple, so that everyone remembers it.”

With this process, there is no control on how the private key and password are protected.

This makes the challenge of accessing these items even easier. When managing code-signing private keys, the following is recommended:

Minimize Access to Private Keys — Computers with private keys should have minimal external connections. Minimize the number of users who have access to the private keys.

Use Physical Security to Protect Keys — Protect private keys with cryptographic hardware products that meet the minimum of FIPS 140-2 Level 2 certified.

Cryptographic hardware does not allow export of the private key to software where it could be attacked.

Test-Signing versus Release-Signing — Test-signing certificates require less protection than production code-signing certificates.

Test-signing certificates can be self-signed or come from an internal test CA.

Establish a separate test code-signing infrastructure to test-sign prerelease builds of their software.

Test certificates must chain to a completely different root certificate than the root certificate that is used to sign publicly released products.

This precaution helps ensure that test certificates are trusted only within the intended test environment.

If you’re interested in more information, Microsoft provides an extensive set of best practices to support code-signing

Hope this helps 😉

Sort:  

follow and upvote me i am doing that for you
its a very informative topic ,a best piece of information you really deserve for upvoting on that post keep it up my bro nice work cheers i am supporting to you its a very helpful topic following you my bro