Microsoft recently started enforcing apps to be signed by EV code-signing certificates instead of just regular certificates. These usually come on an external device such as a USB smart card or an HSM, where the private key is stored and can't be exported.

A SW company that wants to sign an app with an EV certificate probably has an automated build/deployment process. The build infrastructure is either (1) in the cloud, or (2) locally in a server room/building, or worse (3) in a rack in their office. Having the "sign" server separate is probably the best idea: the signing device is connected to it and release executables are only signed on this server.

My question is: Where to put this sign server in all three scenarios?

If we have our build infrastructure in the cloud, should we tunnel to a local VPN where the sign server is located? Where should the sign server be in this case?

Or even if we have our private build infrastructure locally, should the "sign" server just be a random server in the server room/building along with other 10s or 100s of servers? Will I just plug the sign device into the USB port of one seemingly "random" server in the server room? Maybe a better approach would be to have a special room with cameras and restricted access. What if we don't have a private server room though? What if we rent a rack? Should the key just "lay around" in the rack?

How to scale this? What if we have 10 different apps with different keys? Do we go to this server every year and change it physically after expiration?

This thread is partially related: "What Are Good Code Signing Environment Guidelines?", but it was closed as too broad.

Jakub Žitný
  • I think it is better to have dedicated server only for this purpose. Why not something small like Raspberry Pi. You can put it in metal box to limit physical access even for system administrators and access it only over LAN. – i486 Oct 10 '18 at 15:53
  • This one should be closed too, because it is still too wide in scope. – nethero Apr 13 '21 at 14:03

1 Answer

Since I think all 3 of the CIA model would apply here, you would want to physically store it in a location where you can enforce physical access controls to restrict access to only those that need access to it. You would also want to install a FIM (File Integrity Monitoring) solution of some type to ensure the integrity of the file system doesn't change from unauthorized changes. I would recommend locking it down based on one of the CIS benchmarks depending upon the operating system, along with a host-based firewall, and probably have a network firewall in front of it to restrict network access to it as well.

Justin Andrusk
  • Yeah, that's obviously the safest option. But how to scale it? Let's say we have a number of HSMs that need to be changed every year, and the rest of our infra is in the cloud. So do we keep virtual networking from the cloud to this server room alive all the time? Do we change it regularly? Maybe every time we switch the HSMs? – Jakub Žitný Aug 11 '20 at 08:45
  • In my opinion, code signing should be out of band. The server used for code signing can be virtualized and placed anywhere really. What is crucial here is the HSM that stores the actual private key used for signing. It is all dependent on the type and level of compliance of your organization. Once you can classify your asset, its protection should be done in accordance with your security framework for the given type of asset. – nethero Apr 13 '21 at 14:09
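
The file integrity monitoring recommended in the answer above, shown as an added example that is not part of the original posts: a baseline-and-compare check in Python for a signing server's tool and configuration directories. The function names are hypothetical, and the baseline is assumed to be stored off the signing server so that whoever alters a file cannot also rewrite the baseline.

```python
# Added example: baseline-and-compare file integrity check (names are hypothetical).
import hashlib
import os
import stat


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each relative file path under root to (content id, permission bits).

    Symlinks to files are recorded by target instead of being followed, so a
    link re-pointed elsewhere shows up as a change. Devices, FIFOs and sockets
    are recorded by type only, because reading them could block.
    """
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                content = "link:" + os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                content = hash_file(full)
            else:
                content = "special:" + oct(stat.S_IFMT(st.st_mode))
            state[os.path.relpath(full, root)] = (content, stat.S_IMODE(st.st_mode))
    return state


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }
```

Any non-empty list returned by `compare` is a change to investigate against the release and patch schedule of the signing server.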