CA/Browser Forum Code Signing Requirements – New for 2023

picture of computer with a lock for code signing

Effective June 1st of this year, the new CA/Browser Forum code signing requirements go into effect. As a result, publicly trusted Certificate Authorities (CA) will require that certificate requestors use an appropriately certified (FIPS 140-2 level 2 or Common Criteria EAL 4+) hardware security module (HSM) to protect their code signing private keys. This requirement applies to the issuance of both extended validation (EV) certificates and non-EV certificates.

While this move will certainly make the industry more secure, it will pose several challenges to those unprepared. These challenges include:

  • Satisfying the HSM requirement
  • Key and Certificate Management
  • Integrating your code signing with your HSM
  • Managing performance of your CI/CD pipeline

Satisfying the HSM Requirement

To satisfy the hardware security module (HSM) requirement you must use an HSM and prove that to your Certificate Authority (CA). Most CAs will give you an option to have them ship you a USB-based HSM. While this approach works, it poses several challenges for customers that sign code in the cloud, have large signing requirements, or need to support multiple geographically separated signing teams.

The second option is to use an HSM of your own, preferably a network-based HSM. You can either use an HSM that you have purchased or you can rent one in the cloud. HSMs in the cloud come in many forms from dedicated single tenant HSMs (e.g., AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM, IBM Cloud HSM, CryptoServer Cloud, Luna Cloud HSM as a Service, Virtucrypt Cloud HSM, and nShield as a Service) to multi-tenant key management systems (KMS) that are backed by HSMs (e.g., AWS KMS, Azure Key Vault, Azure Managed HSM, Google KMS, and IBM HPCS).

No matter which approach you take, you will need to prove to your CA that your code signing private key is protected in an HSM. Each CA may have its own approach to verify your use of an HSM ranging from key attestation, inspecting your environment, signed documents, and more. It is important to verify that the HSM you intend to use can be verified by your CA (e.g., if the CA requires key attestation you will need to use an HSM that supports it).

Key and Certificate Management

Once a hardware security module (HSM) is used, key and certificate management can become more challenging since the private keys will not leave the tamper bounds of the hardware. This means you will need software to talk to the HSM to perform operations like key generation, certificate signing request (CSR) creation, certificate import, etc. Additionally, permissions to keys will need to be controlled, key usage will need to be audited, certificates will need to be managed to avoid outages due to expirations, etc.

Integrating your code signing with your HSM

Once you have your keys in a hardware security module (HSM) with certificates issued, you will need to make use of those keys for code signing. Code signing is performed by running industry standard third party tools (e.g., signtool for Windows, jarsigner for Java, codesign and productsign for macOS, rpmsign and debsign for Linux, cosign for containers, etc.). These tools are very easy to use when your keys are in software but are much more difficult to use when your keys are in an HSM. In order to integrate with these signing tools you will need to make use of various cryptographic service providers, which are unique to the platform you are trying to integrate with. For example, Java uses JCE providers, Windows uses KSPs and CSPs, Linux uses PKCS#11, macOS uses CTK, etc.

Managing Performance in your CI/CD Pipeline

DevOps environments move quickly so your code signing solution cannot introduce significant performance penalties. The initial approach many users try when introducing a hardware security module (HSM) is to upload the data to sign, sign it, then download the signed result. However, this approach consumes a lot of bandwidth and is very slow. A better approach is to use client-side hashing, provided that your cryptographic service provider and signing infrastructure supports it.

If all of this seems overwhelming, don’t worry because solutions already exist. Our solution, GaraSign, provides cryptographic services that help customers meet the new CA/Browser Forum requirements, as well as other framework requirements such as Google’s SLSA and CNCF’s Software Supply Chain Best Practices. Check out our free Code Signing E-Book to learn more or get in touch with the Garantir team.

Share this post with your network.