GaraSign For Code Signing

Yes, GaraSign supports native signing tools that can be executed from any CI/CD pipeline.

Yes, GaraSign supports native signing tools that can be executed from a developer's workstation.

GaraSign can support certificates from any certificate authority via its most basic certificate processing capabilities. For automated certificate issuance, GaraSign has first class support for certain certificate authorities.

For manual production code signing (typically done as a ceremonial process), GaraSign supports multi-factor authentication, device authentication, quorum-based approval workflows, automated hash validation, IP address whitelisting, just-in-time access, audit notifications, and granular key permissions.

For automated code signing, GaraSign supports device authentication, automated hash validation, IP address whitelisting, audit notifications, and granular key permissions.

One of GaraSign's most advanced security controls is its patented Automated Hash Validation feature. This feature uses reproducible builds to ensure that what is being signed matches what is in the source control repository. By doing this, compromising the build server alone is not sufficient for an attacker to get their malware signed. The attacker must commit the malware to the source code repository. Not only is this an additional attack that the attacker must be capable of, it also leaves a permanent record of the attack that should get detected during code review or scanning.

GaraSign supports two modes of Automated Hash Validation - pre-sign and post-sign. In pre-sign mode the validation is done before the code gets signed, thereby acting as a preventative control, which provides the highest level of security but also has the highest performance penalty. In post-sign mode, the validation is done after the signature is generated, thereby acting as a detective control, which has slightly reduced security benefits but great performance. In post-sign mode, even if an attacker is able to sign their malware it will be detected relatively quickly so action can be taken. Garantir recommends using pre-sign validation for production signing and post-sign validation for non-production signing that happens in the continuous integration environment.

Yes, as part of Automated Hash Validation GaraSign can run any set of tools on the source code and/or binaries and use the result of running those tools as part of validation. For example, GaraSign can be configured to run static analysis tools, fuzzing tools, etc.

For very performance-sensitive customers, GaraSign's Automated Hash Validation feature can be used to offload processing that the build server would otherwise have to do. By doing this, tasks can be run in parallel that would otherwise run in series, thereby reducing the overall wall-clock time taken to complete a build.

There are a few reasons. The first is that all your code signing keys, including non-production, should be stored in your enterprise's HSM. Even though these keys aren't publicly trusted, they are trusted in your test environment and so they can be used to sign malware that spreads in that environment. The second is that code signing keys and build servers are high-value targets for attackers. If you are under attack you want strong protection in place and you want to be alerted to the issue as soon as possible. GaraSign provides this for you. The third reason is that you want to have a system that manages your certificates for you. Without that, it is easy to forget that a certificate will expire which results in downtime in your CI/CD pipeline.

GaraSign supports a quorum-based approval process where a quorum of approvers must approve the request before the signature is generated. If any approver rejects the request, the signature is not generated. GaraSign even supports tiers of quorums with each tier having its own quorum size. For example, you could configure it so that at least three developers must approve the request. Once that is complete, at least one tester must approve it. And so on as you see fit.