We recommend that all Code Signing Certificate customers, and more specifically those involved in the code signing process (e.g. software developers), follow the best practices described below.
When you request a code signing certificate from Actalis it is assumed that you have read and understood these guidelines.
Access to private keys should be restricted to authorized personnel. To make sure this is the case, we recommend following these good security practices.
- Restrict access to the computers used for Code Signing.
- Minimize the number of users who have access to Code Signing keys.
- Take physical security measures to restrict access to Code Signing keys.
If private keys are stored using software, they are highly exposed to security attacks. We recommend generating and storing Code Signing keys using cryptographic hardware devices and following the precautions outlined below.
- Use a device (such as a smart card or USB token) that meets FIPS 140-2 Level 2 or Common Criteria EAL4+ security requirements.
- Make sure that the device is protected with a PIN or passphrase of adequate length and complexity (avoid common sequences that are easily guessed).
By adding a timestamp to the signed code, the code can be validated even after the code signing certificate has expired or been revoked.
- Add a timestamping service to the signed code.
Test Code Signing keys and certificates do not have to meet the same security requirements as those that apply to the production environment (a test certificate can also be self-signed, or issued by a private CA).
- Sign the code during the testing phase (before it has been issued) with a test certificate (not issued under a trusted Root CA), using different keys from those used in the production environment.
Any code subject to Code Signing should always be authenticated before it is signed and issued.
- Define and implement a strict procedure for submitting code to the code signing process and for approving it, so as to prevent unapproved or malicious code from being signed.
- Keep track of all code signing operations to help with audits and investigations in the event of security incidents.
Code Signing lets you verify the source of the code and its integrity (no alterations) but does not guarantee that the code is free from viruses. This also applies to any third-party libraries embedded in your code.
- Always scan for viruses before signing code.
If a security issue is detected in your code, you can display a warning message when an attempt is made to install the code in the future: this can be achieved by revoking the code signing certificate. However, if other software (without this problem) has been signed with the same certificate, the warning message will also appear for that.
- Avoid signing all your software with the same certificate.
- Use multiple code signing certificates, changing keys regularly if possible.
If the Code Signing private key is compromised, or if malware or suspicious code signed with the certificate is detected, you must notify the Certification Authority that issued it. In such cases, the code signing certificate must be revoked, as set out by the CPS, as a security measure.
- Notify Actalis if the Code Signing private key is compromised (send a message to [email protected]).
- Revoke the compromised certificate.
“Code” refers to any type of executable code (e.g. application, Java applet, software library, script, MS Office macro, etc.) that is subject to the Code Signing process.