Why are code signing certificates shipped on tokens?

Why do code signing certificates use hardware tokens?

Code Signing certificates verify the authenticity and integrity of any distributed file, most commonly used for software applications or modules. They're used in software development and distribution to ensure that code has not been tampered with or altered in the time between when it was signed and executed on a user's system. They help establish trust in software and prevent unauthorized modifications or the distribution of malware.

As of June 1, 2023, all Code Signing certificates must comply with the new Certification Authority Browser Forum (CABF) regulations. The subscriber’s private key must be generated, stored, and used in Federal Information Processing Standard (FIPS)-compliant hardware. The new rule provides an additional layer of security by isolating the security keys from the host system in case it's infected with malware.

Additionally, you can protect hardware tokens with PINs or biometric authentication to prevent unauthorized personnel from accessing the keys, even if the tokens are stolen. This layered protection helps strengthen security while meeting various compliance requirements and standards.

You can use different types of hardware tokens for Code Signing, such as:

• USB tokens, small devices that connect to a USB port and require a PIN or biometric verification for access

• Hardware security modules (HSMs), specialized devices for securing cryptographic operations, such as generating and storing private keys
• Smart cards credit card-sized devices with embedded microchips for private key storage, commonly used in secure authentication and digital signatures
• Trusted platform modules (TPMs), specialized chips built into some computers to provide a hardware-based root of trust

Key attestation and secure code signing

Key attestation is integral to code signing security. It ensures the cryptographic keys used in the process are legitimate and unaltered by verifying that they're associated with a trusted source and are not compromised. It is impossible for attackers to forge code signatures and distribute malicious software.

In general, key attestation prevents malicious actors from using compromised or unauthorized keys for fraudulent activities. It makes it significantly harder for the private key to be stolen by a third party, ensuring data security in online communication, data encryption, and digital signatures. Also, key attestation and management may be mandatory for compliance with various data privacy regulations and security standards.

The most common key attestation techniques are remote attestation and local attestation. In remote attestation, a device provides evidence about the state and legitimacy of its cryptographic keys to a remote verifier. Meanwhile, local attestation involves a device attesting to the integrity of its own keys or components—e.g., during secure boot to ensure the system is not compromised.

Key attestation has various applications, including:

• Confirm the legitimacy of the signing key used in digital signatures and certificates to enhance trust.
• Verify the authenticity and trustworthiness of Internet of Things (IoT) devices to ensure secure communication and data exchange.
• Ensure a device starts with a trusted and untampered configuration through secure boot processes.

Ensure software integrity with the best Code Signing certificates

Code Signing helps ensure the security and integrity of software distribution.

The Sectigo Code Signing Certificate is trusted by global leading brands. We offer a three-year option to help you transition to the new hardware token requirement and save on hardware and shipping costs.

Related posts:

• Code Signing for application development
• Root Causes 309: What is key attestation for Code Signing