Understanding CodeSign Protect

One of the primary challenges in code signing is protecting and monitoring the use of private code signing keys. A software publisher’s reputation and business depend on its customers’ ability to trust that the code it is distributing is authentic and safe to use. If the publisher’s private code signing keys are compromised, it opens the door for third parties to sign software as if it is from the software publisher itself.

In such a scenario, the software publisher must have the certificate revoked. While this will help correct the issue of unauthorized software being passed off as authentic, it also invalidates the digital signature of all authorized software that the publisher signed with that certificate.

A compromised code signing key exposes a software publisher to business disruptions and a damaged reputation in the marketplace.

The purpose of CodeSign Protect is to protect private code signing keys and govern the use of the keys it protects. CodeSign Protect mitigates the risk of unauthorized use of private code signing keys. Using the CodeSign Protect solution, you can do the following:

• Protect code signing keys, either in the Trust Protection Platform Secret Store or on an HSM
• Restrict the use of keys only for specific purposes
• Allow keys to be used only by specific users
• Allow keys to be used only from specific IP addresses.
• Provide approval flows around the use of keys
• Audit the use of keys over time

This section introduces the concepts and provides an overview of how the CodeSign Protect solution works.