Stronger Private Key Protection For Code Signing: Are You Compliant With The Latest CA/B Forum Requirements?

Last year, on June 1, 2023, the CA/Browser (CA/B) Forum’s updated Code Signing Baseline Requirements went into effect, aiming to enforce stronger private key protection for code signing certificates. The updated mandate now requires both Extended Validation (EV) and Non-EV code signing certificate private keys to be generated and stored on hardware crypto modules that are certified as a minimum of Federal Information Processing Standards (FIPS) 140 –2 Level 2, Common Criteria EAL 4+, or equivalent. Essentially, this means that all newly issued code signing certificates issued after June 1, 2023, must be generated and protected on a compliant hardware security module (HSM) or token, where the private key is non-exportable.

Stronger Private Key Protection For Code Signin

This shift towards stronger private key protection was particularly focused on Non-EV also known as Organization Validated (OV) code signing certificates. While there have been strict mandates in place for EV code signing certificates for several years, the requirements for Non-EV or OV code signing certificates were more lenient. As a result, non-EV or OV code signing keys were commonly stored in software and on local developer machines for ease of use and accessibility, leaving them susceptible to unauthorized access, compromises, and misuse.

Why Strong Private Key Protection is So Important

The private key is the “secret key” used to create unique digital signatures during the code signing process, ultimately helping to verify the legitimacy and integrity of software. Therefore, it’s crucial for the private key to remain private, secured, and protected. If the private key associated with a code signing certificate falls into the wrong hands, malicious actors could exploit it – such as manipulate and re-sign existing code or sign and distribute malware under the guise of a legitimate entity. In fact, many notable, devastating breaches have occurred due to compromised code signing private keys, affecting even large reputable corporations like Sony and IBM. In 2014, for example, attackers compromised Sony’s code signing private key along with many other unprotected private keys. The attackers used the compromised code signing key to sign and distribute malware under the name of Sony Pictures Entertainment, Inc., breaching Sony itself and spreading general malware to consumers. This massive cyberattack cost the company millions of dollars in damages.

Given the surge in high-profile attacks exploiting code signing keys in recent years, it was logical for the CA/B Forum to tighten mandates around private key protection across the board for all code signing certificates. Enforcing the use of hardware crypto modules helps protect private keys, leveraging their built-in physical security features and tamper-resistant design. These devices store cryptographic keys in a secure hardware environment, safeguarding them from unauthorized access, theft, or tampering. Per the new baseline requirements, private keys must be marked as non-exportable, meaning they can not be exported or copied from the hardware device to other locations, helping mitigate the risk of key compromises. FIPS compliant and Common Criteria hardware devices also include encryption and authentication mechanisms, further enhancing the security and integrity of private keys throughout their lifecycle.

Webinar: How to Safeguard Your Software Supply Chain with Secure Code Signing

Complying with the Updated CA/B Forum Code Signing Requirements

If your organization purchased and acquired a code signing certificate, valid for 1 to 3 years, before the effective date of June 1, 2023, then you likely haven’t needed to comply with the updated code signing baseline requirements yet. However, as soon as your existing code signing certificate needs to be re-issued or renewed, you will be required to adhere to the new baseline requirements for private key protection. More specifically, the public Certificate Authority (CA) that issues your new code signing certificate will be required to verify and enforce that the private key was generated in a hardware crypto module, such as a:

  • Hardware (USB) Tokens: Most Certificate Authorities (CAs) will offer hardware tokens as a basic option for storing and protecting code signing keys. They will physically ship a cryptographic token (a secure USB drive) to organizations for key storage. This option has its drawbacks given individual USB tokens are not ideal or scalable for large or distributed development teams that need to securely access the token for signing.
  • Hardware Security Module (HSM): Another option is to use an HSM (cloud-based or on-prem) to secure and store code signing keys. Prior to issuing your certificate, the public CA will verify and require that your HSM is compliant (FIPS 140 –2 Level 2, Common Criteria EAL 4+, or equivalent) and supports remote key attestation, to prove HSM-based key generation and storage. Additionally, when sourcing your own HSM, it’s important to consider the integration of your existing signing and DevOps tools with the HSM, which can be highly complex. Without streamlined signing integrations, the HSM-based code signing certificate can be difficult to access and use, potentially impacting the speed and agility of developers.

Let Stronger Private Key Protection Work for You, Not Against You

The new CA/B Forum requirements are undoubtable a step in the right direction, helping to fortify security and mitigate the misuse and abuse of code signing certificates. However, the stringent HSM/token requirement for private key protection, does introduce complexities and operational hurdles for development teams needing to sign code quickly and efficiently. If your organization is struggling to adapt to the new requirements or are yet to adhere, AppViewX offers a streamlined, modern approach to code signing that is fully CA/B Forum compliant.

AVX ONE Code Signing is a fast, reliable, and secure code signing solution built to protect the integrity of code, containers, firmware, and software. Backed by FIPS-Compliant HSMs, AVX ONE Code Signing provides compliant, centralized, and integrated code signing that simplifies signing processes for developers and streamlines security. Customers have the flexibility to opt for Code Signing-as-a-Service or use a compliant HSM of their choice (on-premises or cloud-based). Instead of ad hoc practices with developers individually managing private keys, security teams can ensure that signing keys are centrally and securely stored on compliant HSMs.

Strengthening Code Signing Security with AppViewX SIGN+ and Fortanix DSM

As a major advantage, AVX ONE Code Signing seamlessly integrates with native signing tools, CI/CD pipeline tools and existing software development workflows to empower DevOps teams to securely sign code at speed and scale. Compliant HSM-based private key protection is handled behind-the-scenes, so DevOps signing processes can remain quick, agile and automated. Within the AVX ONE Code Signing solution, security teams have full visibility and policy-driven control over private key storage, code signing certificate access, usage, and management.

Contact us today to learn how you can help elevate your Code Signing experience with AVX ONE Code Signing, while ensuring CA/B Forum compliance and bolstering software supply chain security.

Tags

  • CA/B Forum
  • CA/Browser
  • Certificate Authority (CA)
  • code signing
  • DevOps tools
  • hardware security module (HSM)
  • Private Key
  • public key

About the Author

Cally Fritsch

Director - Product Marketing

A driven product marketer with over a decade of experience in the PKI industry, dedicated to crafting compelling strategies and narratives to propel product success and security innovation.

More From the Author →

Related Articles

How Does Google Chrome Make The Decision To Distrust A Certificate Authority (CA)?

| 4 Min Read

PKI-Based Passkeys Lead The Way For A Passwordless Future

| 7 Min Read

AnyDesk Breach Calls Urgent Attention To Code Signing Security

| 4 Min Read