Future changes to code signing certificate issuance

https://www.entrust.com/blog/2022/05/ca-browser-forum-updates-requirements-for-code-signing-certificate-private-keys/

Not a driver development issue per se, but just a heads-up for changes we can expect to see in the not-too-distant future regarding the signing we do for drivers.

This latest Ballot CSC-13 is advancing that the HSM (hardware security module) requirement will now be for “all” code signing certificates, starting with new certificates issued after November 15, 2022, and no longer limited to just EV certificates.

Currently on the Microsoft Partner Portal we’re allowed to associate “normal code signing certificates” in addition to “EV code-signing certificates”. Several of us had leveraged this “normal code signing certificate” association capability in order to continue using them as part of our actual product build and signing automation, due to there being fewer limitations in making the private key available to the signing automation, as compared to the EV certificate, which required physical attachment or other secured access to the HSM-stored certificate keys.

So if you hadn’t already started designing your build or signing automation to depend on pulling the code signing certificate from an HSM, now might be the time to start.

Meaning, if you are already signing your submissions and/or product using your EV certificate, presumably “no further change needed,” since EV certificates are already required to be on an HSM and your signing process is already dealing with those limitations.

But if you had been continuing to leverage a non-EV-based signing process which used software-only private key storage, that approach likely isn’t going to continue working after your next certificate renewal, because even non-EV code signing certificates will be required to be issued and accessed through HSM-based devices.

Note this is not a statement of “you must begin using EV certificates for code signing.” This is just saying that one of the current practical differences between an EV code signing certificate and a non-EV code signing certificate will be going away, and both types will be “just as difficult to use” as part of your signing process. For reasons which are intended to protect your code-signing certificate from compromise, of course.
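One way to find out ahead of the change which of your signing certificates still depend on software-only private key storage, as an added example that is not part of the original post: it walks the personal certificate stores, picks out certificates with the Code Signing EKU, and reports the key storage provider behind each private key. It assumes Windows PowerShell 5.1 or later on .NET 4.6+, and the list of software provider names is an assumption covering the common Microsoft CSPs/KSPs; any hardware token or networked HSM shows up under its vendor’s provider name instead.

```powershell
# Added example: report which code-signing certificates keep their private key
# in a software-only provider (the setups Ballot CSC-13 phases out).
$codeSigningEku = '1.3.6.1.5.5.7.3.3'
# Assumed list of common software-only providers; hardware tokens and HSMs
# use vendor-specific provider names and so are reported as SoftwareKey = False.
$softwareProviders = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Base Cryptographic Provider v1.0'
)

function Get-CodeSigningKeyStorage {
    $stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
          Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $codeSigningEku) } |
          ForEach-Object {
            $cert = $_
            $provider = $null
            try {
                # Opening the key may prompt for a token PIN when the key is hardware-backed.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider = $rsa.Key.Provider.Provider            # CNG key storage provider name
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider = $rsa.CspKeyContainerInfo.ProviderName # legacy CAPI CSP name
                }
                # ECDSA keys are not handled here; $provider stays $null for them.
            } catch {
                $provider = "<unavailable: $($_.Exception.Message)>"
            }
            [pscustomobject]@{
                Store       = $store
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                Provider    = $provider
                SoftwareKey = ($softwareProviders -contains $provider)
            }
          }
    }
}

Get-CodeSigningKeyStorage | Sort-Object SoftwareKey -Descending | Format-Table -AutoSize
```

Rows with SoftwareKey = True are the certificates whose renewal will force a change to the signing automation.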

Thank you, Mr. @Alan_Adams … That’s very helpful.

It’s difficult for me to understand why the HSM requirement would be applied to “all” code signing certificates. This creates a really major hardship for distributed development organizations. It’s just mind-boggling to me… don’t folks who are approving this know anybody who works at a large, distributed, corporation where sending your eToken around via UPS isn’t a very workable plan?

Or maybe I don’t understand the fullness of how an HSM can be leveraged remotely.

Regardless… thanks Mr. Adams.

Peter

Big companies have had remote HSM use worked out a long time ago. I had to implement one such in a company that barely uses signing. But it was minimalistic! It just had to satisfy the Security dept., not much in terms of usability at all.

Current company has remote signing automated already, for a decade I reckon.

Agreed, and we too have had “remote signing” automated for quite some time. But it had never involved or required an HSM to do it, until now in the near future.

We could have been using an HSM all this time, but since it wasn’t required, we didn’t take the extra step. Our need to sign with the EV certificate has been minimal, and was simply performed manually whenever UEFI signing, LSA shim signing or an updated SignableFile.bin was needed for the portal.

Now we essentially just have to decide whether to plug stand-alone HSMs locally into each of the cluster nodes backing our remote signing services, versus standing up a networked HSM in several geographic locations for those nodes to utilize instead. But no change for the end-users of those remote signing services, either way.

The addition of an HSM token for the issuance of code signing certificates has beefed up data security measures.
Check out the key points of the new code signing changes in a compact guide:
https://signmycode.com/resources/changes-issuing-ov-code-signing-certifificate-from-june-2023