December 22, 2020

How To Streamline Hardened Code Signing in DevSecOps Pipelines

By Shanice Jones | 4 min read

How To Streamline Hardened Code Signing in DevOps and DevSecOps Pipelines

Digital certificate management, while promoting cybersecurity, can still lead to a variety of different issues and frustrations among DevSecOps teams. Managing potentially thousands of different digital certificates to secure and support your IT infrastructure can negatively affect the integrity of your application.

The time-consuming process of manually managing digital certificates can result in your team bypassing PKI policies in order to work more efficiently. This, in turn, can lead to unnecessary security risks to your organization. Your DevSecOps team in particular already has a variety of complex responsibilities that they face every day to keep your company running.

Teams that are particularly busy may resort to issuing certificates that have been signed by an unverified source or stored in an insecure manner in order to keep on top of their timeline during the deployment process of their CI/CD (continuous integration and continuous delivery) workflow. After all, a certificate request process can sometimes take several months to complete. The best solution for this is to use centralized code signing and certification via cryptographic hardware.

In this article, we will discuss hardened code signing and dive into deploying code signing among your DevOps and DevSecOps teams. We’ll then touch upon PKIs and how to manage them via hardware security modules when signing development pipelines.

What is a Hardware Security Module?

A hardware security model, or HSM, is a physical computing device that securely manages, encrypts, and decrypts digital keys and digital signatures via cryptographic functions and other authentication procedures. They are generally devices that can be plugged into network services or PCs and contain at least one secure cryptoprocessor chip. HSMs can also be an important part of your organization’s Public Key Infrastructure (PKI).

In Continuous Integration/Continuous Delivery (CI/CD) environments, both of which work together to deliver software products faster to consumers, HSMs can be used as a tool by Issuing Certification Authorities (CAs) to create, secure, and manage key pairs.

How can you use hardened code for signing?

Step 1: Have unsigned code prepared for distribution

The publisher of the code needs to create a private and public key pair. This is a necessary step for most runtime applications, including Java, Windows, Anypoint Enterprise, and others. Generating the most secure keys possible will require you to use a FIPS 140-2 Level 3 validated HSM.

Step 2: Contact the issuing certificate authority by submitting a public key

Your Certificate Signing Request (CSR) will contain data regarding the published signature algorithm. It will also contain a digital signature. With this information, the issuing certificate authority can sign off on the certificate. In certain application situations, some organizations may act as their own CA.

Step 3: Identify the publisher and authenticate the CSR

After verifying the identity of the code publisher, the CSR is authenticated by the issuing CA, resulting in a digital signature from the publisher. If both the authentication and the identification match, the issuing CA condenses the identity of the publisher into a public key and creates the code-signing certificate.

Step 4: Secure and sign

At this stage, it is time to sign the certificate. Depending on the situation, further QA or code-testing may be necessary. Your Public Key Infrastructure (PKI) company policy should require employees to avoid having their code-signing keys stored on local servers, as this could be a huge security concern.

Consider the fact that, according to a recent study by Verizon, 35% of data breaches involve internal actors. Local machines can easily be hacked into, or subject to theft, and unauthorized code can potentially be signed and deployed by a vengeful former employee.

It’s worthwhile to consider investing in a separate Key Management Server, or KMS, which will secure your certificates with the power of a FIPS 140-2 Level physical boundary. It’s important to ensure that your KMS has the appropriate cryptographic functions such as symmetric and asymmetric encryption and hash functions to automate the code-signing and certificate process.

Your DevSecOps team will thank you when they can work more efficiently without wasting precious time manually managing their digital certificates. Furthermore, your whole company will be more productive as codes and applications can be deployed faster and in compliance with best practices for functionality and security.

Streamline CI/CD Integration

Without the time-consuming procedures that come with traditional continuous integration code builds, DevOps and DevSecOps teams can work on more of the manual tasks that can’t be automated. Even if your build requires a clear workflow for digital certificates, code signing with integration in CI and CD can offer great perks for your workplace.

For example, let’s say you have a CI/CD system that is controlling the signing request, along with a central KMS and an approval entity to ensure authorized signatures. With this type of workflow, strengthened by a FIPS 140-2 Level 3-validated HSM, companies can still include automation for certain tasks.

Automated code signing can be natively incorporated into the code and deployment workflow, meaning this is one area that your employees don’t have to worry about manually managing.

Code-Signing Technology Integration

One of the many benefits of using HSM and KSM within your PKI is that they can easily integrate with most of the commonly used code-signing tools, such as SignTool.exe with Microsoft Authenticode, Docker, and Java Jar Signer.

Integrating HSMs in a DevSecOps pipeline at the same time will streamline workflows and also support other cryptographic operations your organization may use now or in the future.


Digital certificate management can easily become overwhelming for complex organizations.

In order to ensure adherence to your PKI policies and promote both security and efficiency in your workplace, you should consider using centralized code signing and certification powered by cryptographic hardware.

Hard code, while it comes with many benefits, should be managed and stored with an HSM to further enhance security.

Shanice JonesShanice Jones is a tech writer from Chicago. For the last five years, she has helped over 20 startups build B2C and B2B content strategies that have allowed to scale their businesses around the world.
View All Posts

Subscribe to our weekly newsletter

Learn more about new security threats and technologies.

I agree to receive these emails and accept the Privacy Policy.
Projeto Co-Financiado por (Mais info)Norte 2020, Portugal 2020, FEDR