Fortanix Self-Defending Key Management Service has state-of-the-art code signing solution that offers the following capabilities:
- FIPS 140-2 level 3 assurance for private key protection.
- Supports all types of asymmetric keys, signing, and hashing algorithms used for code signing. It also supports signing just the hash.
- Code signing in large enterprises often requires verification of metadata associated with the data being signed as well as access control around the use of keys. These checks can easily be performed in a secure environment using plugins in Fortanix Self-Defending KMS.
- Code signing keys are very sensitive, and their use should be tightly controlled. Fortanix Self-Defending KMS provides elaborate quorum-based policies to be configured for these keys which require approval from M of N administrators before the signing operation is performed. These approvals can be obtained in an asynchronous and distributed fashion.
- Strict role-based-access-control, quorum-based approval workflows, automation, and audit logs for all code signing operations.
- Support of 100% for REST APIs, KMIP, PKCS11, JCE, Microsoft CAPI, and CNG for easy integration with your existing DevOps tooling.
- Code signing is future proof in Fortanix Self-Defending KMS. Post-quantum algorithms, such as LMS, are already supported and can be used for code signing.
Figure 1: Code signing solution
Microsoft’s SignTool is a prominent tool used in a Microsoft environment to sign and verify the authenticity of code developed for the Microsoft platforms. Fortanix KMS CNG Provider makes it easy to securely store sensitive objects/keys required during the sign and verify processes, a native feature provided by Fortanix Self-Defending KMS for enterprise-level code-signing capabilities.
Preparing the Build Server/Code-Signing Workstation
The Server/Workstation that will be running the SignTool must have the following installed:
- Fortanix KMS CNG Provider:
- Link: https://support.fortanix.com/hc/en-us/articles/360018084132-CNG-EKM
- Once installed, validate that the provider has been correctly registered:
Figure 2: Validation
- SignTool is now part of Windows SDK and is required.
- Link: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk /
Fortanix Self-Defending KMS Configuration
Fortanix Self-Defending KMS will require appropriate groups and apps to be pre-created before Microsoft CNG and SignTool code-signing integration may begin.
- Create an appropriate group that will be managing the security objects within the account:
Figure 3: Create group
- Create a new App in Fortanix Self-Defending KMS that will provide an API Key that will be used to authenticate when communicating using CNG provider (take note of the API Key):
Figure 4: Create app and copy API key
- On the Build Server/Code-Signing Workstation, Fortanix KMS CNG Provider requires couple of configuration variables, which will be stored in the registry:
- Fortanix Self-Defending KMS Endpoint
- Fortanix Self-Defending KMS API Key
Figure 5: Configuration Variables
- Check if these values are correctly set in the registry:
Figure 6: Check the registry
- Confirm Fortanix KMS CNG Provider can communicate properly with Fortanix Self-Defending KMS:
Figure 7: Confirm the communication
Generate or Import the Private Key and Certificate
Securing the Private Keys and Certificates are the most critical tasks to ensure codes cannot be maliciously signed by offending parties. Fortanix supports two main methods in generating/importing and securing the appropriate Security Objects:
- Generate the Private Key securely through Fortanix Self-Defending KMS, create a Certificate Sign Request from SignTool and then import the Certificate into Fortanix Self-Defending KMS once signed by a trusted Certificate Authority.
- Generate the Private Key, Certificate Sign Request, and receive the requested Certificate externally, and then import the Private Key and Certificate securely into Fortanix Self-Defending KMS
This guide will use a self-signed certificate as an example and will only be showing how to generate the private key through Fortanix Self-Defending KMS.
Method 1 - Generate Through Fortanix Self-Defending KMS
This method will generate the Private Key and Certificate sign request from Fortanix Self-Defending KMS. Upon receiving a signed certificate from the trusted Certificate Authority, the certificate will then be imported into Fortanix Self-Defending KMS
- Create a new security object that will be the Private Key and assign to the appropriate group (in this example, we will call the security object - wincryptoapp):
Figure 8: Create new security object
- Generate the Certificate Sign Request using the private key using the SignTool:
- Create a new file called inf in a temporary directory.
- Replace the following content into the file:
- KeyContainer: Name of the security object created previously/Private Key.
- ProviderName: Based on the provider name when installing the Fortanix CNG Provider.
Figure 9: Modify request.inf file
- Type the following command to generate the Certificate Sign Request:
- This will command will now generate a request.csr Certificate Sign Request file and should be sent to the trusted Certificate Authority to receive a signed Certificate.
- Once the signed Certificate is received, you can import the certificate into Fortanix Self-Defending KMS.
Figure 10: Import signed certificate
- Keep a copy of the certificate on the server where the SignTool will be run from (the certificate can be exported from Fortanix Self-Defending KMS at any time).
Method 2 - Generate Locally and Import into Fortanix Self-Defending KMS
Code-Signing Integration (Directly from Workstation)
- Verify no other signatures are present on the file that will be signed:
Figure 11: Verify signature
- Open a command prompt. Locate the file SignTool that is appropriate for your code (for example: x64, x86, and so on).
Figure 12: Locate SignTool
- Verify that the key you wish to use to sign the code is available in the remote CNG provider: Fortanix Self-Defending KMS.
Figure 13: Verify the key
- The following command will sign the code specified in the SignTool and require the following parameters at a minimum to successfully run the SignTool:
- CSP: The CNG provider you wish to use for the sign operation.
- KC: Key Container (also known as alias) that will be used for the sign operation.
- File: Certificate generated from the Private Key stored in Fortanix Self-Defending KMS
- Code to sign.
Figure 14: Sign the code
- Once the file has been signed, Fortanix Self-Defending KMS will log an event within the audit log to signify the private key was used to sign the code:
Figure 15: Event log
Figure 16: Signature details
Verify Signed Code
The signed Code can also be verified using SignTool.
If a self-signed certificate is used, then it must be installed on the Server / Workstation you wish to verify from as it will not have a trusted root CA chain in the certificate. The use of a self-signed certificate should only be used in a test environment. The procedure to test is as follows:
- If you do not have the certificate readily available, download the certificate from Fortanix Self-Defending KMS.
- Right-click the downloaded/existing certificate file and install the Certificate. Ensure it is imported into the Trusted Root Certification Authority (in this example certificate fyoo was used):
Figure 17: Self-signed certificate
- The following command will verify the code using SignTool and require the following parameters at a minimum to successfully run the SignTool:
Figure 18: Verify the code and run SignTool
Frequently Asked Questions
- How do I validate the supported algorithms and modes using Fortanix KMS CNG Provider?
- You can view all of the supported methods, algorithms, and modes with Fortanix Self-Defending KMS using the CNG provider by running a csptest:
Figure 19: Validate supported algorithms