Understanding the CA/Browser Forum Code Signing Requirements

In June 2023, the CA/Browser Forum rolled out a significant update to their code signing requirements, directly impacting developers, DevOps teams, and businesses that rely on publicly trusted Certificate Authorities (CAs) to sign and secure their software. These updates, which came into effect on June 1, 2023, mandate that code signing private keys be securely stored and protected in a certified Hardware Security Module (HSM). This change affects both Extended Validation (EV) and non-EV certificates.
This blog will dive into the technical aspects of the new code signing requirements, outline the challenges organizations may face, and explain the necessary steps to comply with the updated standards.
The new requirements stem from the need for stronger security practices in software development. With cyberattacks becoming increasingly sophisticated, it is crucial to ensure the integrity of software from the moment it is signed. Protecting the code signing private keys in an HSM drastically reduces the risk of key compromise, as HSMs are designed to be tamper-resistant and provide a secure environment for cryptographic operations.
Effective June 1, 2023, all certificate requesters must use an HSM that meets the following standards:
These certifications are widely recognized industry standards for secure cryptographic modules: a module certified against them is designed so that the private key is generated and used inside the hardware and cannot be extracted in plaintext through its normal interfaces.
While the shift to using HSMs for code signing is a positive move for security, it introduces several technical challenges that need to be addressed:
The first hurdle for organizations is proving that their private keys are securely stored within an HSM. This proof is necessary for obtaining code signing certificates from CAs. While many CAs offer USB-based HSMs as a solution, this can be cumbersome for businesses operating in the cloud or with large-scale code signing requirements. USB HSMs are not ideal for teams spread across different regions or those who require rapid, large-scale signing operations.
A more scalable option is to use network-based HSMs, which can either be on-premises or rented from cloud providers. Solutions like AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM, and nShield as a Service are all viable options. However, it's essential to ensure that the HSM you choose supports the verification methods required by your CA, such as key attestation (i.e., a statement signed by the HSM itself confirming that the private key was generated inside the module and is non-exportable).
Once your private keys are secured in an HSM, managing them becomes more complex. HSMs are designed to keep private keys within their secure environment, meaning that you cannot directly export keys for use in software. Instead, you need to interact with the HSM through an intermediary layer, such as:
These operations require specialized software and cryptographic tools. Additionally, you need to ensure that access permissions for the keys are tightly controlled. Each action performed on the HSM (e.g., key usage, certificate issuance) must be logged and audited to comply with security best practices.
One of the most technical challenges is integrating HSMs with the various code signing tools used across platforms. Most organizations use third-party tools for code signing, such as:
When using an HSM, integrating these tools requires the use of platform-specific cryptographic service providers (CSPs). For example:
These integrations can be tricky, as the signing tools need to be configured to interact with the HSM via the appropriate service provider. This often requires custom configuration and testing to ensure seamless operation.
For modern DevOps environments, speed and efficiency are paramount. Introducing an HSM into your code signing process can slow down the pipeline if not properly configured. A common approach many teams initially adopt is to upload the data to be signed, perform the signing operation, and then download the signed result. However, this method can be inefficient, consuming considerable bandwidth and causing delays.
To optimize this process, many organizations switch to client-side hashing. With client-side hashing, the code is hashed on the client side and only the resulting digest is sent to the HSM, which signs that digest; this reduces the data transferred from the size of the artifact to a few dozen bytes and speeds up the signing process. However, this method requires that both your cryptographic service provider and signing infrastructure support signing a precomputed hash.
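The following Go program is an added example written for this article, not code from Encryption Consulting or any HSM vendor. It illustrates two points made above: the access-control and audit requirements for operations against the key (every signing request is authorized against an allow-list and recorded), and client-side hashing (the client hashes the artifact locally and sends only the 32-byte SHA-256 digest across the boundary). The `SigningService` type is a hypothetical stand-in for the HSM boundary: it generates the key internally and never exposes the private half. The caller names, the 8 MiB artifact, and the audit record layout are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// AuditEntry records one operation requested from the (simulated) HSM,
// whether it succeeded or not. Constructed layout for this example.
type AuditEntry struct {
	When   time.Time
	Caller string
	Op     string
	Digest string
	OK     bool
}

// SigningService stands in for the HSM-backed signing boundary (hypothetical
// type, not any vendor's API): the private key lives only inside it, callers
// submit a digest rather than the artifact, and every request is audited.
type SigningService struct {
	key     *rsa.PrivateKey
	allowed map[string]bool
	Audit   []AuditEntry
}

// NewSigningService generates the key inside the boundary, mirroring a key
// that is created in the HSM and marked non-exportable.
func NewSigningService(allowedCallers []string) (*SigningService, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s := &SigningService{key: key, allowed: map[string]bool{}}
	for _, c := range allowedCallers {
		s.allowed[c] = true
	}
	return s, nil
}

// PublicKey returns the verification key; the private half is never exported.
func (s *SigningService) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// SignDigest signs a client-computed SHA-256 digest. Unknown callers and
// malformed digests are rejected, and an audit entry is appended either way.
func (s *SigningService) SignDigest(caller string, digest []byte) ([]byte, error) {
	entry := AuditEntry{When: time.Now(), Caller: caller, Op: "sign", Digest: fmt.Sprintf("%x", digest)}
	defer func() { s.Audit = append(s.Audit, entry) }()
	if !s.allowed[caller] {
		return nil, errors.New("caller not authorized to use signing key")
	}
	if len(digest) != sha256.Size {
		return nil, errors.New("digest must be 32 bytes (SHA-256)")
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest)
	if err != nil {
		return nil, err
	}
	entry.OK = true
	return sig, nil
}

// ClientSign hashes the artifact locally and sends only the digest to the
// signing service. bytesSent is what crossed the boundary (32, not len(artifact)).
func ClientSign(svc *SigningService, caller string, artifact []byte) (sig []byte, bytesSent int, err error) {
	digest := sha256.Sum256(artifact)
	sig, err = svc.SignDigest(caller, digest[:])
	return sig, len(digest), err
}

// Verify checks a signature against the full artifact using only the public key,
// as a consumer of the signed software would.
func Verify(pub *rsa.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	svc, err := NewSigningService([]string{"ci-release-pipeline"})
	if err != nil {
		panic(err)
	}
	artifact := make([]byte, 8<<20) // constructed 8 MiB stand-in for a build output
	sig, sent, err := ClientSign(svc, "ci-release-pipeline", artifact)
	fmt.Printf("artifact %d bytes, sent %d bytes, err=%v, verifies=%v\n",
		len(artifact), sent, err, Verify(svc.PublicKey(), artifact, sig))
	_, _, err = ClientSign(svc, "developer-laptop", artifact) // not on the allow-list
	fmt.Println("unauthorized caller:", err)
	for _, e := range svc.Audit {
		fmt.Printf("audit: caller=%s op=%s ok=%v digest=%s...\n", e.Caller, e.Op, e.OK, e.Digest[:8])
	}
}
```

Note that the audit entry is written by a `defer` before any early return, so rejected requests are recorded alongside successful ones; a real HSM or signing gateway should be configured the same way, since failed attempts to use a code signing key are exactly what an incident responder wants to see.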
At Encryption Consulting, we specialize in helping organizations meet the CA/Browser Forum code signing requirements. Here’s how we can support you through this transition:
To make your code signing process even more secure and efficient, we recommend CodeSign Secure. Our solution offers a seamless and automated approach to code signing that fully integrates with HSMs, helping you meet the latest CA/Browser Forum requirements without the complexity. CodeSign Secure simplifies key management, improves compliance, and ensures that your signing operations remain fast and efficient, even in large-scale DevOps environments.
With CodeSign Secure, you get:
Let us help you keep your software secure, compliant, and fast with CodeSign Secure. Reach out to Encryption Consulting today to learn how we can optimize your code signing process.
The updated CA/Browser Forum code signing requirements mark a crucial shift towards stronger security practices within the software development lifecycle. While transitioning to HSM-based code signing comes with technical challenges, the benefits in terms of improved security and integrity are undeniable. By effectively managing HSM integration, optimizing key management workflows, and ensuring streamlined performance in your CI/CD pipeline, you can meet the new standards while maintaining development efficiency.
Encryption Consulting is here to guide you through every step of the process, ensuring your code signing practices are secure and fully compliant with the latest industry standards.