Entrust Code Signing Gateway

Code signing is the process of digitally signing software or source code using a digital signature to confirm the code’s authenticity and integrity. This ensures that the code originates from a verified software publisher or developer and has not been altered or corrupted since it was signed.

Code signing is critical for maintaining trust and security in software distribution. Its key benefits include:

• Ensuring code integrity: Code signing verifies that the code has not been tampered with, ensuring its integrity throughout the distribution process.
• Authenticating the publisher: It uses digital certificates to confirm the software’s origin and validate the identity of the software publisher or developer.
• Protecting against malicious code: It prevents unauthorized modifications or malware insertion, safeguarding users from potential threats.
• Maintaining compliance and trust: Many platforms, such as operating systems and browsers, require signed code for installation or execution, ensuring compliance and building end-user trust.

The process works as follows:

• Key generation: The software developer or publisher generates cryptographic keys — one private and one public. The organization submits the public key to a certificate authority (CA) and requests a code signing certificate.
• Certificate acquisition: The certificate authority verifies the developer’s identity and authenticates their digitally signed certificate request.
• Digital signing: Using a signing tool, the developer applies their private code signing key to the software or source code. This creates a digital signature that links the software to the developer’s identity.
• Distribution: When the signed code is distributed, end-users or systems can verify its authenticity and integrity using the public key embedded in the digital certificate. This confirms it hasn’t been altered or injected with malicious code.

A code signing certificate is a type of digital certificate issued by a certification authority that verifies the identity of a software publisher or developer. It plays a crucial role in the code signing process by confirming the signed code originates from a trusted source, preventing impersonation by malicious actors.

OV and EV code signing are two types of certificates that differ in their validation processes, security features, and trust levels.

• Organization Validation (OV): An OV certificate validates the organization’s identity with standard checks and allows private key storage on the developer’s system. It’s suitable for smaller organizations or internal applications, providing a basic level of trust.
• Extended Validation (EV): An EV code signing certificate requires rigorous validation, including physical and operational checks, with private keys stored on tamper-proof devices like a USB token. It offers higher trust levels, bypasses SmartScreen warnings, and is ideal for widely distributed or high-profile software.

A code signing service simplifies the digital signing process by providing organizations with secure infrastructure and tools for signing their code. This service is particularly beneficial for software publishers and developers who need to protect their signed code while ensuring compliance and scalability.

The Entrust Code Signing Gateway is a secure, scalable solution designed to simplify and safeguard the code signing process for organizations. It helps software publishers and developers manage their signing keys and certificates in a centralized, tamper-resistant environment.

Key features include:

• Centralized key management: Protects signing keys in a secure hardware security module (HSM), ensuring that cryptographic keys remain secure and under the organization’s control. 
• Streamlined code signing operations: Automates the signing process with policies and workflows to ensure consistency and efficiency in software development.
• Enhanced security and compliance: Ensures code signing practices comply with security standards and regulatory requirements, such as protecting against malicious code injection. 
• Integration with DevOps pipelines: Supports seamless integration into modern software development workflows, enabling secure code signing without disrupting operations.

With the Entrust Code Signing Gateway, organizations can protect their signing keys, ensure the integrity of their signed code, and build trust with end-users through authenticated and verified software.