Access Secured Code Signing (ASCS)

Sign code files with a FIPS/CC certified cryptographic hardware that secures the encryption keys and integrates with a smart access management system for code signing certificates.

What is Code Signing?

Code signing is a procedure that authenticates the origin and integrity of the code and the identity of the developing organization by digitally signing it, thus preventing tampering files from malicious coding from unreliable sources.
Code signing can provide a number of important specifications. The most common use of code signing is to provide security during the deployment of the code.
Almost every code signing application will provide sort of a digital signing mechanism to authenticate the identity of the code developer and a code authentication test to ensure that the code wasn’t changed or tampered from the moment it was signed.

Comsign and Code Signing

Comsign a leading digital CA and is internationally trusted . Comsign’s certificates are recognized in Microsoft, Google, Adobe, Apple and others.Comsign is providing code signing capabilities using certificates that include time stamping, CRLs and OCSP.

Comsign, as a domestic and international trusted CA, takes full responsibility over code signing certificates and the digital signing procedures.

Signing a code with Comsign’s certificates safeguards any code that is being distributed. Code signing verifies the publisher of a specific code and testifies that the code wasn’t changed from the moment it was signed.

The code signing certificate is passed alongside the signed programs and constitute as an official approval before the programs are installed that the origin of the programs is legitimate.

Comsign’s code signing solution can be Integrated through an easy and comfortable API process.

For further details, please contact us:

Comsign is a eIDAS QTSP (Qualified Trust Service Provider)
eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market.

The Efficiency of Code Signing

The efficiency of code signing as a software authentication mechanism depends on the security of the signature process using a private encryption keys used by the software developers.

A series of malicious attacks committed by malware signed with legitimate authorizations, shows that there were organizations that didn’t act in sufficient care and didn’t store the encryption keys as required (by FIPS or CC certified cryptographic devices like an HSM for example).

Like other PKI based technologies, the system integrity relies on Certificate Authorities (CAs) that secure their private keys from unauthorized access.

Reliable Identification Through a Certificate Authority (CA)

The public key which is used to authenticate the code signing needs to be trackable by a trusted root certificate based on secured public key.

A certificate authority provides a trusted root certificate, and is capable to chain other certificates to the trusted root. If a user relies on known certificates, it can be assumed that the user can rely on the legitimacy of a code that was signed by a key that was generated by the same known certificate. Operating systems and other frames include trusted root for agreed factors. It is acceptable that enterprises implement an internal private certificate authority, which provides the same features such as publicly known certificates, yet it is only reliable within the organization, therefore it is recommended to rely on known international certificates.

Time Stamp

Time stamp allows to extend the signed code’s validity beyond the certificate’s expiration date. In case that a certificate needs to be revoked, a specific date and time will become a part of the CRL list. In such a case, the time stamp assist to determine whether the code was signed before or after the certificate was revoked.

Code Signing Process

Code signing process uses a PKI infrastructure which contains a public key and a private key to create a digital signature.

A code signing certificate is a certificate that contains special fields and special options to generate the code signing.

Integrated development environments, automatically activates the code signing tool as part of the code writing process. After initial settings, the code signing is simple and conducted automatically.

In most development environments, the code signing is generated through an API process (Comsign enables a web service for the process).

Description of Access Process to the Code Signing Certificates

The organization defines which users have access to the code signing certificate and who can sign the code using that specific certificate.

In addition to “whom”, the organization also defines the authentication method that is required to activate the code signing process (such as 2FA using an OTP). Only after the authorized user is properly authenticated, the request is approved and the code signing certificate can be activated.

In order to increase security and efficient access management, the request to activate the code signing certificate consists of two parts:

  1. Initial request from an authorized user through the organizationally defined authentication method which turns to our Strong Authentication Gateway
  2. Only after the initial request was authorized, the gateway turns directly to the cryptographic device and conducts the code signing in practice

System Components

  • A FIPS/CC certified cryptographic device that generates and secures key pairs
  • A code signing system capable of handling tens of thousands of requests simultaneously – a server that contains the cryptographic device
  • A code signing certificates access management system which synchronizes and priorities execution and reports on the completion of signing processes
  • Strong Authentication Gateway – a part of the access management system is a strong authentication component which secures the critical components and determines the policy and mode of identification of users and software systems to the code signing system
code signing

System Abilities and Advantages

  • A centralized authorization management and control capability for all users who are allowed to conduct code signing
  • Ability to add a significant security layer – 2FA / MFA
  • A code development process that is fully secured from end to end
  • Code signing on cab, cos, exe, dll and more in MS Authenticode format
  • Sealing the code file from tampering or malicious damaging attempts
  • Code signing with a trusted certificate recognized by the operating systems
  • Configurable access control according to organizational policies (passcode, OTP, biometric authentication, certificates and more)
  • Detailed event log with specifications of each request – who made the request, when, regarding what etc.

Among Our Clients

Government offices, educational institutions, finance and insurance, and other various companies and industries such as: energy, high-tech, communications, real-estate, pharmaceutical, flight and tourism, security, service providers, automobile and more.