Thales Blog

Enabling Secure Code Signing at Scale

March 3, 2020

Robert Masterson | Senior Partner Marketing Manager

This blog is co-written with Shian Sung from Keyfactor.

In today’s development environment, it’s important for every organization to use code signing as a way to ensure that the applications and updates they deliver are trusted. Signing starts in the build process and continues all the way through to release, so that the delivered code maintains a strong root of trust with a high degree of authenticity and integrity.

However, as development has become more agile and, at the same time, more complex, implementing code signing practices at scale now has significant security implications. If you’re building code, spinning up containers, or running applications in the cloud, you need to seriously consider the risks involved in code signing, and how to respond if an incident occurs.

Secrets are your most critical security asset in any development environment, particularly your code signing keys. If private keys used to sign code find their way into the hands of an attacker, whether by accidental disclosure or a breach in the network, the attacker can inflict serious damage on the business. The root of trust is broken, the digital signatures made with these keys are suspect, and the integrity of the code they sign cannot be assured. IT and security teams can take hours or even days to remediate the issue, putting a drain on resources and creating unintended downtime.

Along with the security issues that come with agile development, the developers themselves need ways to obtain code signing certificates with a process that doesn’t hinder their workflows or toolsets. Often certificate administrators and infosec operations can find themselves at odds with a development philosophy, where the focus is on continuous delivery and integration, not mitigating risk.

Here are a few of the issues that we see modern IT organizations run into as they implement code signing at scale:

  • Not utilizing hardware to secure sensitive private keys tied to code signing certificates. Too often, code-signing certificates are stored in file systems, on workstations or build servers, or even emailed between developers, rather than stored securely in an HSM.
  • Approval processes and role-based access controls around the use of code signing certificates are not enforced. As personnel shift and change, it can be very hard to keep track of where code signing certificates live and who has access.
  • Geographically dispersed development teams add another level of difficulty for securely accessing code signing certificates. This wide corporate perimeter makes it more difficult to enable code signing without exposing the private key and risking the assurance level of the digital signature that accompanies the software code.
  • When it comes to efficiency, keeping code-signing certificates secure can also create extra steps for developers, causing delays in the build pipeline or release cycle. These delays often result from the time it takes to access code signing certificates or perform the signing operation itself.
  • Finally, and perhaps most importantly, it is incredibly difficult to track and log everything that occurs with code signing certificates for auditing and compliance.

After speaking with dozens of enterprises, we realized the need to build a solution that could solve these significant roadblocks facing application and security teams. Keyfactor and Thales teamed up to build a solution – Keyfactor Code Assure integrated with Thales HSMs – that enables developers to move fast, without sacrificing the security of code signing certificates.

Using Keyfactor Code Assure, integrated with Thales on-premises Luna HSM or Data Protection on Demand (DPoD) cloud-based HSM, development teams can get access to code signing certificates from wherever they are, and use them to sign virtually anything – from container images and binaries to artifacts and software builds. Meanwhile, the private keys remain locked down in the Thales HSM, while developers can do their job efficiently and securely.

The Keyfactor Code Assure platform allows enterprises to:

  • Integrate directly with a Thales HSM for the highest level of protection for private keys, ensuring that they never leave the confines of the HSM.
  • Enable code-signing operations at scale without sacrificing speed or efficiency in your software development lifecycle (SDLC).
  • Leverage an identity provider to enable designated owners of code signing certificates to unlock access based on specific criteria such as location, time or number of signing operations.
  • Allow developers multiple interfaces to use code-signing certificates, including a web portal, a robust API suite, and a remote CSP/KSP interface.
  • Log every code signing activity that takes place, allowing you to know who signed what, when, and with which code signing certificate.
  • Use existing signing tools such as Microsoft SignTool and JarSigner to build additional assurance into your signing operations.

Being able to control the usage of your code signing certificates and securing the private keys in an HSM will empower your organization to digitally sign with high assurance and confidence. Keyfactor Code Assure, combined with either a cloud-based Thales Data Protection On Demand (DPoD) HSM or on-premises Thales Luna HSM, will help you truly unlock your code signing operations and sign your code at scale.

If you would like more information about Keyfactor Code Assure

If you would like more information about Thales Data Protection on Demand (DPoD) HSM or Thales Luna HSM

For more information on the joint Keyfactor-Thales solution for DevOps, please check out and download our recent webinar on “Unlocking DevOps Security with PKI Automation”.