guidelines on properly storing the private key for signing the driver

Hello all,

If someone has experience with securely storing the signing key and automating the signing procedure, please share.
Some alternatives we are considering are:

  1. outsourcing the entire .cat signing to an HSM.
  2. generate a hash of the .cat file, send it to the HSM to get signed, then append the hash to the .cat
  3. direct signtool to go to a different machine to sign the .cat (does not seem like there are options for this)
  4. securely transferring the .cat to the machine that holds the key, signing it there, securely transferring the signed .cat back

Please share your solution. The problem is not limited to just signing of drivers, so perhaps Microsoft has a suggested way?

Thanks
Rachel

Michelson Rachel-CRK007 wrote:

> Hello all,
>
> If someone has experience with securely storing the signing key and automating the signing procedure, please share.

I install my certificates into the local certificate store on my
development machine. I then hand the SHA thumbprint to signtool.
However, I’m part of a small development shop, not a multinational
megacorporation.

> Some alternatives we are considering are:
>
>   1. outsourcing the entire .cat signing to an HSM.

HSM? Hardware Security Module?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

It is SUPPOSED to be possible to locate the signing certificate on a Smart Card, and mark it as “not exportable.”

Now, despite the fact that the dev owner (one time, years back) told me this works, I was personally never able to get it to work with the one programmable smart card to which I had access.

But I would say that’s a good option, if you want security and can physically secure the signing machine while the smart card is present.

Hmmm… Hierarchical Storage Manager?

Peter
OSR
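
The store-plus-thumbprint approach from Tim's reply, with a check for the "not exportable" property Peter mentions, as an added example that is not code from any poster in this thread. It assumes `signtool.exe` is on the PATH and an RSA signing key; the parameter names `$Thumbprint` and `$CatPath` are illustrative.

```powershell
# Added example, not from the thread. Parameter names are illustrative.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # SHA-1 thumbprint of the signing certificate
    [Parameter(Mandatory)] [string] $CatPath      # catalog file to sign
)
$ErrorActionPreference = 'Stop'

# Find the certificate in the personal store of the current user or the machine.
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq ($Thumbprint -replace '\s', '') } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint found." }
if (-not $cert.HasPrivateKey) { throw 'No private key is associated with this certificate.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
# 1.3.6.1.5.5.7.3.3 is the Code Signing enhanced key usage.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.3') {
    throw 'Certificate does not carry the Code Signing EKU.'
}

# Warn if the key can be copied off this machine (RSA keys only; may prompt for a smart card PIN).
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $exportable = $false
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $mask = [int][System.Security.Cryptography.CngExportPolicies]'AllowExport, AllowPlaintextExport'
        $exportable = ([int]$rsa.Key.ExportPolicy -band $mask) -ne 0
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $rsa.CspKeyContainerInfo.Exportable
    }
    if ($exportable) { Write-Warning 'Private key is marked exportable.' }
} catch {
    Write-Warning "Could not read the key's export policy: $($_.Exception.Message)"
}

# signtool needs /sm when the certificate lives in the machine store.
$storeArgs = @()
if ($cert.PSParentPath -like '*LocalMachine*') { $storeArgs += '/sm' }

# /sha1 selects the certificate by thumbprint; /fd sets the file digest algorithm.
& signtool.exe sign @storeArgs /sha1 $cert.Thumbprint /fd SHA256 /v $CatPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)." }

# /pa checks the signature against the default Authenticode policy.
& signtool.exe verify /pa /v $CatPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)." }
```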