views:

16

answers:

1

I'm trying to figure out how best to set up Authenticode signing at my workplace. The security implications are stressing me out.

My initial thought is that the person who controls the key should install it to the build server and secure it so that only the build account can access it.

This seems reasonably secure, but it actually isn't. Yes, you can't steal the cert at this point, but if you can create a build you can get the build account to sign any binary.

Does anyone who is familiar with the process give me some pointers?

+1  A: 

Indeed, if the key is available for use in build account, it's available for admin's account and it can be used to sign other file. Whatever you give to others' posession is not yours anymore. If you can't secure the server from other people access, then you don't control the server fully, and this leaves a chance for misuse. Frankly speaking, I can't imagine a single way (other than move signing to some other trusted system) to protect the key from misuse. Even when the key can't be extracted or copied (say it's put to cryptotoken), it still can be used in some way.

Eugene Mayevski 'EldoS Corp
I'm at a loss then. Does your company Authenticode sign your binaries?
Will
Yes, but we are rather small company, and only two people have access to release building process (each developer can build debug version but he won't be able to sign the drivers). We've solved the problem in the following way: the key for signing resides on TrueCrypt virtual volume, which is mounted only for build time, so we can give any developer access to build system but they still won't be able to make a release signed build.
Eugene Mayevski 'EldoS Corp