Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2017-09-12 16:38:04.0

Best Practices for Code Signing certificates

Article Number: 70590

The biggest issue with code signing is the protection of the private signing key associated with the code signing certificate. If a key is compromised, the certificate loses trust and value, jeopardizing the software that you have already signed.

Consider the following code signing best practices:

1. Minimize access to private keys.

  • Allow only the minimum of network connections to the computers that hold keys.

  • Minimize the number of users who have key access.

  • Use physical security controls to reduce access to keys.

2. Protect private keys with cryptographic hardware products.

  • Cryptographic hardware does not allow export of the private key to software where it could be attacked.

  • Use a FIPS 140 Level 2-certified product (or better).

  • If private keys will be transported, ensure the cryptographic hardware is protected with a randomly generated password of at least 16 characters which contains uppercase letters, lowercase letters, numbers and special characters.

3. Time-stamp code.

  • Time-stamping allows code to be verified after the certificate has expired or been revoked.

  • Time-stamp certificates can be issued for a maximum of 135 months, which allows signed software to be validated for up to 11 years.

4. Understand the difference between test-signing and release-signing.

  • Test-signing private keys and certificates require less stringent access controls than production code signing private keys and certificates.

  • Test-signing certificates can be self-signed or come from an internal test CA.

  • Test certificates must chain to a completely different root certificate than the root certificate that is used to sign publicly released products; this precaution helps ensure that test certificates are trusted only within the intended test environment.

  • Establish a separate test code signing infrastructure to test-sign pre-release builds of software.

5. Authenticate code to be signed.

  • Any code that is submitted for signing should be strongly authenticated before it is signed and released.

  • Implement a code signing submission and approval process to prevent the signing of unapproved or malicious code.

  • Log all code signing activities for auditing and/or incident-response purposes.

6. Virus scan code before signing.

  • Code signing does not confirm the safety or quality of the code; it confirms the publisher and whether or not the code has been changed.

  • Take care when incorporating code from other sources.

  • Implement virus-scanning to help improve the quality of the released code.
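A minimal signing-submission gate for items 5 and 6, added here as an example and not code from the Entrust article: the build bytes, the approval record and the scanner hook are constructed, and the gate admits an artifact to signing only when its SHA-256 matches what a reviewer approved and the scan hook reports it clean, logging every decision either way.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed release artifacts standing in for real build outputs.
APPROVED_BUILD = b"MZ\x90\x00 constructed installer bytes, build 1.4.2\n"
TAMPERED_BUILD = APPROVED_BUILD + b"\xcc"  # one byte appended after approval

# Constructed approval records: a reviewer approves a specific artifact by its SHA-256,
# so the signer can tell "the build that was reviewed" from "any file with that name".
APPROVALS: Dict[str, Dict[str, str]] = {
    "installer-1.4.2.msi": {
        "sha256": hashlib.sha256(APPROVED_BUILD).hexdigest(),
        "approved_by": "release-manager",
        "ticket": "REL-1234 (constructed)",
    },
}

AUDIT_LOG: List[Dict[str, str]] = []  # item 5: every signing decision is logged


def authorize_signing(name: str, data: bytes, submitter: str,
                      scanner: Callable[[bytes], bool]) -> bool:
    """Gate a signing request: the artifact must match an approval record by digest and
    pass the malware scanner; allowed or not, the decision is appended to AUDIT_LOG."""
    digest = hashlib.sha256(data).hexdigest()
    record = APPROVALS.get(name)
    if record is None:
        reason = "no approval record for this artifact name"
    elif not hmac.compare_digest(record["sha256"], digest):
        reason = "digest does not match the approved build"
    elif not scanner(data):
        reason = "malware scan did not come back clean"
    else:
        reason = "approved"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "artifact": name, "sha256": digest, "submitter": submitter,
        "approver": record["approved_by"] if record else "", "decision": reason,
    })
    return reason == "approved"


def clean_scanner(_: bytes) -> bool:
    """Stand-in for a real AV/EDR scan hook (constructed): reports everything clean."""
    return True
```

A real deployment would replace `clean_scanner` with a call into the organisation's scanning service and ship `AUDIT_LOG` entries to the SIEM rather than keeping them in memory.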

7. Do not over-use any one key (distribute risk with multiple certificates).

  • If signed code is later found to have a security flaw, the publisher may want a User Account Control dialogue to appear when that code is installed in the future; this is achieved by revoking the code signing certificate, so that a revoked-certificate prompt is shown.

  • If the flawed code was signed before other, good code was signed with the same certificate, revoking that certificate will affect the good code as well.

  • Changing keys and certificates often helps to avoid this conflict.

8. Revoking compromised certificates.

  • Report key compromise or signed malware to your certification authority.

  • A compromised key, or malware or suspect code signed with it, will require the code signing certificate to be revoked.

  • If all signed code has been time-stamped, the revocation date can be set to a point before the time of compromise, so that code time-stamped before the revocation date need not be affected.
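A worked check of the time-stamp and revocation-date rules from items 3, 7 and 8, added here as an example and not code from the Entrust article: the certificate, builds and dates are constructed, and the verifier applies the rule that a time-stamped signature is judged at its countersignature time while an un-time-stamped one is judged at verification time.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CodeSigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revocation_date: Optional[datetime] = None  # None means not revoked

@dataclass(frozen=True)
class SignedArtifact:
    name: str
    cert: CodeSigningCert
    timestamp: Optional[datetime]  # RFC 3161 countersignature time; None if not time-stamped


def is_trusted(artifact: SignedArtifact, now: datetime) -> Tuple[bool, str]:
    """Trust decision at verification time `now`: a time-stamped signature is judged at
    its countersignature time, an un-time-stamped one at `now` (so it dies with expiry)."""
    cert = artifact.cert
    ref = artifact.timestamp or now
    if not (cert.not_before <= ref <= cert.not_after):
        return False, "certificate not valid at reference time"
    if cert.revocation_date is not None and ref >= cert.revocation_date:
        return False, "reference time is at or after the revocation date"
    return True, "ok"


def evaluate(revocation_date: Optional[str], now: str = "2020-01-01") -> Dict[str, bool]:
    """Constructed scenario: one certificate (valid 2015-2018) used for three builds;
    `revocation_date` is an ISO date or None. Returns each build's trust decision at `now`."""
    cert = CodeSigningCert("Example Publisher (constructed)",
                           datetime(2015, 1, 1), datetime(2018, 1, 1),
                           datetime.fromisoformat(revocation_date) if revocation_date else None)
    builds = [
        SignedArtifact("good-2016.exe", cert, datetime(2016, 3, 1)),      # time-stamped
        SignedArtifact("suspect-2017.exe", cert, datetime(2017, 5, 20)),  # time-stamped, after compromise
        SignedArtifact("untimestamped.exe", cert, None),                  # never time-stamped
    ]
    return {b.name: is_trusted(b, datetime.fromisoformat(now))[0] for b in builds}


if __name__ == "__main__":
    # Compromise found 2017-06-01, revocation dated a month earlier (item 8): only the 2016 build survives.
    print(evaluate("2017-05-01"))
    # Revocation dated before every build, as when the flawed build is the oldest (item 7): all rejected.
    print(evaluate("2016-01-01"))
```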

(A summary graphic of these code signing best practices accompanies the original article for download; it is not reproduced here.)

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance: 

Hours of Operation: 
Sunday 8:00 PM ET to Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list below) 
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
 

Country          Number
Australia        0011 - 800-3687-7863
                 1-800-767-513
Austria          00 - 800-3687-7863
Belgium          00 - 800-3687-7863
Denmark          00 - 800-3687-7863
Finland          990 - 800-3687-7863 (Telecom Finland)
                 00 - 800-3687-7863 (Finnet)
France           00 - 800-3687-7863
Germany          00 - 800-3687-7863
Hong Kong        001 - 800-3687-7863 (Voice)
                 002 - 800-3687-7863 (Fax)
Ireland          00 - 800-3687-7863
Israel           014 - 800-3687-7863
Italy            00 - 800-3687-7863
Japan            001 - 800-3687-7863 (KDD)
                 004 - 800-3687-7863 (ITJ)
                 0061 - 800-3687-7863 (IDC)
Korea            001 - 800-3687-7863 (Korea Telecom)
                 002 - 800-3687-7863 (Dacom)
Malaysia         00 - 800-3687-7863
Netherlands      00 - 800-3687-7863
New Zealand      00 - 800-3687-7863
                 0800-4413101
Norway           00 - 800-3687-7863
Singapore        001 - 800-3687-7863
Spain            00 - 800-3687-7863
Sweden           00 - 800-3687-7863 (Telia)
                 00 - 800-3687-7863 (Tele2)
Switzerland      00 - 800-3687-7863
Taiwan           00 - 800-3687-7863
United Kingdom   00 - 800-3687-7863
                 0800 121 6078
                 +44 (0) 118 953 3088

Affected Products:

  • Entrust Authority Administration Toolkit for C 6.0 English HP-UX
  • Entrust Authority Administration Toolkit for C 6.0 English Solaris
  • Entrust Authority Administration Toolkit for C 6.0 English Windows
  • Entrust Authority Security Manager Administration Toolkit 4.0 English All Platforms
  • Entrust Authority Security Manager Administration Toolkit 5.0 English Solaris
  • Entrust Authority Security Manager Administration Toolkit 5.0 English Windows
  • Entrust Authority Security Manager Administration Toolkit 5.0.1 English HP-UX
  • Entrust Authority Security Manager Administration Toolkit 5.0.1 English Windows

Error Codes:

-2648
-7761
-2653