
code signing

Make sure to store your code signing certificate in an HSM to ensure the integrity and authenticity of your software and subsequent updates.

Code Signing to secure software and updates must use an HSM

Why Code Signing – a fundamental way to secure innovation

We increasingly trust important parts of our business and lives to software-enabled (cyber-physical) systems or services, such as increasingly connected cars, smart energy distribution grids, or electronic payment infrastructures.

The potential for abuse cannot be overstated. Criminal groups use malicious software to steal and monitor data, to capture intellectual property, and to extort money. Blocking malicious software has to happen at every level – one should not assume that “it won’t get as far as that”. Cryptographically secure “over-the-air” software update procedures are required, as they ensure that code arrives at the point of use intact and unaltered. It is fundamentally important, however, that the operating system knows the provenance of its code libraries and rejects or disables unrecognized software when it is detected. This way, assets and information are protected.

The most common technique used to guarantee the provenance of software is known as the digital signature, or more specifically, code signing. Code signing is important, both

  • for first-time deployment of a cyber-physical system, and
  • for an update, be it for bug fixing or feature enhancement (i.e. over-the-air updating).

Code signing – How is it done?

In order to prevent compromise, the private key is kept in a well-controlled environment by the software publisher, e.g. in an HSM. For cyber-physical systems, the public key is injected upon initial manufacturing and deployed with the device. When a piece of software is ready for deployment, it is digitally signed with the publisher’s private code signing key, and the signature is distributed along with the software. Any receiving party can now verify the integrity and the authenticity of the software by means of the matching public key and the provided digital signature. Cyber-physical systems – the ‘thing’ in the Internet of Things – should reject any code whose digital signature cannot be positively verified.
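The sign-then-verify flow described above, as an added example that is not Utimaco code: a publisher signs an image and a device that holds only the injected public key accepts it, then rejects an altered image, an image signed by an untrusted key, and an image with no signature. It assumes the `openssl` command-line tool; the software key file stands in for a key that would live inside the HSM, and all file names, function names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo. A software key stands in for the HSM-held key; with an HSM
# the private key is generated inside the module and is never written to disk.
WORK=$(mktemp -d)

new_keypair() {  # $1 = name -> $WORK/$1.key (private), $WORK/$1.pub (public)
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl ec -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

sign_image() {   # $1 = signer name, $2 = image path -> writes $2.sig
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# Device side: holds only the public key injected at manufacturing.
# Fails closed: missing image, missing signature or bad signature all reject.
device_verify() {  # $1 = image, $2 = signature
  [ -s "$1" ] && [ -s "$2" ] || { echo reject; return 0; }
  if openssl dgst -sha256 -verify "$WORK/publisher.pub" \
       -signature "$2" "$1" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

run_demo() {
  new_keypair publisher          # publisher's code signing key
  new_keypair other              # any key the device does not trust
  printf 'firmware v1.0 (constructed sample)\n' > "$WORK/fw.bin"
  sign_image publisher "$WORK/fw.bin"
  r1=$(device_verify "$WORK/fw.bin" "$WORK/fw.bin.sig")      # genuine image

  cp "$WORK/fw.bin" "$WORK/mod.bin"; printf 'x' >> "$WORK/mod.bin"
  r2=$(device_verify "$WORK/mod.bin" "$WORK/fw.bin.sig")     # altered image

  cp "$WORK/fw.bin" "$WORK/fw2.bin"
  sign_image other "$WORK/fw2.bin"
  r3=$(device_verify "$WORK/fw2.bin" "$WORK/fw2.bin.sig")    # untrusted signer

  r4=$(device_verify "$WORK/fw.bin" "$WORK/none.sig")        # no signature
  echo "$r1 $r2 $r3 $r4"
}

run_demo   # prints: accept reject reject reject
```

The device never needs the private key: only `publisher.pub` is consulted during verification, which is why protecting the signing key on the publisher side is the whole security of the scheme.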

Code signing is a powerful tool to assure system integrity and to prevent tampering. To be effective, it is critically important that unauthorized parties have no access to the (private) code signing key of a software publisher. A software publishing company must treat this key as restrictively as access to its financial accounts. In case of a suspected leakage of this certificate, it should be immediately revoked and refreshed. In such a case, old code can no longer be trusted and must be re-signed – which in the case of embedded devices may not be practical at all. All of this can have a tremendous impact on a company’s reputation and economic situation. Utimaco HSMs are particularly well suited for this purpose as they come with RSA and ECDSA signing capabilities, both out of the box, and for all practical key sizes and curves.

  • It is therefore best practice for a software publisher to always keep the code signing private key/certificate in an HSM so it cannot be copied, stolen or otherwise compromised.
  • Deployed devices “are owned” by the holder of the private key used to sign their code libraries. This can be the legitimate owner of the private key, or the individual, team or nation-state that compromised the key.

Why use an HSM?

  • Web browsers and operating systems tend to do this verification automatically – if it succeeds, the software is silently installed and run. If it fails, a warning is issued to the user, discouraging them from using the software. In PC environments, users may be allowed to overrule this warning and still use the software.
  • Mobile devices usually require software developers to submit their apps or updates to the owner of the App store (Apple, Google, Microsoft) for signature before being published in the respective store. In such cases, the device (e.g. the iPhone or Android phone) is rolled out with the App store’s public key. During this process, the corresponding signing certificate, including the private key, is administered by the store owner. The App store provider then requires that software be signed by the publisher, using the publisher’s private key. This way, a complete chain of trust can be built between the publisher and the App store, and the App store and the device.
  • The corresponding public key is made available to the user of the software. For PC software or browser applications, this is typically done by means of a digital certificate, signed by a reputable Certificate Authority (CA).
  • In a first step, a software publisher needs to obtain (generate, or buy) a key pair for performing a digital signature operation. The private key must be protected from compromise, because its misuse can give third parties the ability to sign counterfeit software and have the signature validated by the devices in the field as “legitimate”.
  • Deployed systems may come with the ability to update themselves in an unattended way, “over the air”. Here, it is important to automatically assure integrity and authenticity of the update, as there are few human cross-checks possible in such scenarios.

Future proof code signing

Quantum computers will defeat the security features of code signing, as they will be able to break the asymmetric cryptographic algorithms used today for signing code, i.e. RSA and ECDSA. Especially for long-lived devices that are deployed today or in the near future and will stay in the field for several years, such as in-car entertainment systems and onboard units, or IoT devices like smart meters, it is of utmost importance to introduce post-quantum cryptography before the advent of quantum computers, to ensure continuous software authenticity and integrity protection.

Utimaco

© 2021