Businesses spend billions each year on identity and access management to protect the digital identities of humans, i.e., usernames and passwords. On the other hand, relatively little is spent on managing machine identities, code signing keys and certificates, even though the entire digital economy hinges on access to secure software and infrastructure. As businesses increasingly transform operations to primarily digital—a trend known as digital transformation—every business is becoming a software business, and the need to protect that critical infrastructure with code signing machine identity management has become more critical than ever.
Code signing is a method of putting a digital signature on a piece of software or digital file so its authenticity and integrity can be verified when used. Like a wax seal, it guarantees that the recipient knows who the author is, and that it hasn’t been tampered with after it was signed. In the past, code signing was used only on “final” software executables such as programs, software updates, and shell scripts to verify authenticity and integrity of these by end-users.
However, with the recent flurry of software supply chain attacks where hackers insert malware before the final software gets signed, code signing is now also used to protect intermediate software artifacts such as source code, build scripts, software libraries, execution containers like Docker, and the tools that are used by the software team to build their software. When software is signed with a valid machine identity—such as a code signing certificate and encryption key—computing devices implicitly trust the software and unconditionally run it. The valid code signature indicates that the code comes from the trusted source that signed it and hasn’t been modified by a third party. When this process is compromised, cybercriminals can misuse code signing machine identities to sneak malware that appears to come from your organization into your software.
What are code signing machine identities?
Code signing guarantees that the code of a program or software download hasn’t been corrupted and tampered with after it was signed by the publisher/author. Just as you want to be certain when you log into your bank account that you’ve given your password to the intended bank and not a cybercriminal, it’s best to be sure that the programs and updates you download are safe and from the authentic publishers. To do that, you use the same public key infrastructure (PKI) used to secure HTTPS. When these machine identities are used to sign and verify software, it’s called code signing.
Code signing is a process by which a software file—such as a program, document, file, driver, firmware, container, mobile app or even a script—is digitally signed to show that it comes from an identifiable source and hasn’t been altered since it was signed. Three items are required in a code signing operation:
- The code being signed
- A code signing certificate that a certificate authority (CA) has previously issued
- A private code signing key used for encryption
After the organization has the code signing certificate and private/public PKI key pair, developers can proceed with signing their code. Depending on the specific software development process being used by the software team, the process shown in Figure 1-1 could happen hundreds or thousands of times a day. This process varies depending on what types of code are being signed and how often they’re being released.