Code Signing Certificates

Description

What are Code-Signing Certificates?
Code-signing certificates are used to identify the publisher of software (in this case, UC Santa Cruz) and to confirm the integrity of software by verifying that it has not been modified since it was signed.

Uses of Code Signing Certificates include:

  • Microsoft Authenticode
  • Signing Java JAR files
  • Signing Adobe AIR applications

Code signing does not guarantee the quality or functionality of software. Digitally signed software can still contain flaws or security vulnerabilities.

Allowable Use:
UCSC code-signing certificates represent UC Santa Cruz and may only be used to sign code developed or used for University business purposes, and only where the signer can personally vouch for the signed code, i.e., the signer is responsible for all code they sign.

Security Requirements:

  • Private keys must be protected.
  • Do not share private keys or store them in an insecure or shared location. Computers storing private keys must meet UC Minimum Security Standard.
  • The private key for a code-signing certificate must be protected by a password that meets UCSC’s Password Standards.
  • Certificates must be revoked and replaced if the private key is suspected to be compromised. This includes if the computer it is stored on is stolen or compromised. Potentially compromised private keys must be reported immediately.

Additional detail about code-signing certificates [1]:
Code-signing techniques use digital signatures to provide identity and integrity for software applications. A valid digital signature:

  • Identifies the software's publisher.
  • Confirms the integrity of the software by verifying that the software has not been modified since it was signed.

Digitally signed software, distributed over the Internet, is thus no longer anonymous. By verifying the identity of the software publisher, a signature assures users that they know who provided the software that they are installing or running. Digital signatures also assure users that the software they received is in exactly the same condition as when the publisher signed it.

[1] From Microsoft’s Code Signing Best Practices
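As an added illustration of the two guarantees above (this is not code from the page or from Microsoft's document), the following Python script signs a small constructed artifact and then verifies it three ways: unchanged, after a one-word edit, and against a different publisher's key. It assumes the third-party cryptography package is installed; the key pairs and the artifact bytes are generated inside the script and stand in for a real certificate and a real installer.

```python
# Added example (not from the UCSC page): what a code signature does and does
# not guarantee. Assumes the third-party `cryptography` package is installed;
# the keys and the sample artifact are constructed here, not real signing keys.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def sign_artifact(private_key, artifact: bytes) -> bytes:
    """Sign the SHA-256 digest of `artifact` with the publisher's private key.

    This is the step a signing tool performs on the publisher's machine; the
    private key stays there and only the signature ships with the software.
    """
    return private_key.sign(artifact, padding.PKCS1v15(), hashes.SHA256())


def verify_artifact(public_key, artifact: bytes, signature: bytes) -> bool:
    """Return True only if `artifact` is byte-for-byte what this key signed.

    A verifier needs the public key (carried in the publisher's certificate),
    the artifact and the signature. Any change to the bytes, or a signature
    made with someone else's key, makes this return False.
    """
    try:
        public_key.verify(signature, artifact, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo() -> tuple:
    """Sign a constructed artifact, then check integrity and publisher identity."""
    publisher_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    artifact = b"#!/bin/sh\necho 'installer v1.0'\n"  # constructed sample payload
    signature = sign_artifact(publisher_key, artifact)

    # Integrity: the unmodified artifact verifies, a one-word edit does not.
    intact = verify_artifact(publisher_key.public_key(), artifact, signature)
    tampered = verify_artifact(
        publisher_key.public_key(), artifact.replace(b"v1.0", b"v1.1"), signature
    )
    # Identity: the same bytes checked against another publisher's key fail,
    # which is why the signature ties the software to a named publisher.
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    wrong_publisher = verify_artifact(other_key.public_key(), artifact, signature)
    return intact, tampered, wrong_publisher


if __name__ == "__main__":
    print(demo())
```

Note what the script cannot tell you: nothing in verify_artifact inspects what the artifact does, which is the point made earlier on this page that a valid signature says who signed the code and that it is unchanged, not that it is safe.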

----

Requesting a code-signing certificate

Eligibility: UCSC code-signing certificates are available to UCSC staff and faculty for University business purposes. Code-signing certificates are not available to students. Students who need to sign code should contact their faculty or staff sponsor/supervisor. Only one code-signing certificate is allowed per CruzID at any given time.

All requests will be reviewed by an authorized Registration Authority Officer (RAO) or Departmental Registration Authority Officer (DRAO). You may be contacted for additional information. Request processing can take up to 10 business days.

To request, renew or revoke a code-signing certificate:
Complete the REQUEST FORM IN IT REQUEST (CruzID Gold login required). You will need to provide the following information:

  • Name, CruzID, Dept, Phone
  • Is the request for a: New code-signing cert, Renewal, or Revoke?
  • Describe how you plan to use the code-signing certificate. All use must be for University business purposes.

The request form includes an Agreement regarding rules governing the use of UCSC code-signing certificates. Violations may result in certificate revocation. Applicants must read and agree to the Agreement for requests to be processed.

----

Installing your code-signing certificate

IMPORTANT NOTE: You MUST use the same computer and browser for all steps of the certificate set-up process, and you can’t use Chrome. If your default browser is Chrome, you’ll have to copy and paste the email link from each email described below into the same non-Chrome browser for the process to work.

  1. If your request for a code-signing certificate is approved by a D/RAO, the email address you included in your request will receive an email from support@cert-manager.com with additional instructions and a link to validate your email address. This isn’t a phish even though it looks like one. Please see the phishing security warning in step 7.
  2. Upon clicking/pasting the link in the email, your email address will be validated and you will be taken to a user registration form.
  3. Follow the instructions on the page, accept the subscriber agreement by reading it and selecting the 'I Agree' check box, and click the 'Generate' button.
  4. InCommon, the certificate service that issues UCSC’s code-signing certificates, will review your request. This usually happens within a few minutes, but can take up to 2 business days.
  5. After processing the request, InCommon will send you a notification email with a link to download the certificate. Click on the link (or paste it into a non-Chrome browser) to download the certificate.
    • REMINDER: You MUST use the same computer and browser to download the certificate as you did when you accepted the initial invitation, and you can’t use Chrome.
  6. You now hold the only copy of the private key for your code-signing certificate; the certificate service cannot recover it for you. Immediately create a password-protected backup of the certificate and private key (most browsers export this as a PKCS#12 file, usually with a .p12 or .pfx extension) and store it in a safe place that meets the Security Requirements above.
  7. Phishing Security Warning
    The InCommon certificate service relies on clickable web links in email. Since that is a phishing hazard, copy and paste the URL into a browser rather than clicking it, and review the URL before use: verify that it begins with https, not http, and that it uses the cert-manager.com domain. If you have any questions about the validity of a certificate-related email you receive, contact the RAO or DRAO you are working with before proceeding.
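An added example of what step 6 asks for, written in Python with the third-party cryptography package (this is not code from the page or from InCommon): it builds a throwaway self-signed code-signing certificate as a stand-in for the issued one, exports key and certificate to a password-protected PKCS#12 blob, and then reopens that backup to confirm the password works, the private key matches the certificate, the certificate carries the code-signing extended key usage, and a wrong password is rejected. The subject name, validity period and password are constructed placeholders.

```python
# Added example (not from the UCSC page): make and check the password-protected
# PKCS#12 backup from step 6. Assumes the third-party `cryptography` package.
# The self-signed certificate, its subject name, validity period and password
# are constructed stand-ins for the certificate InCommon actually issues.
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_test_signing_identity():
    """Build a throwaway key and self-signed cert marked for code signing."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, "Example Signer (constructed)")]
    )
    now = dt.datetime.now(dt.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + dt.timedelta(days=365))
        .add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False
        )
        .sign(key, hashes.SHA256())
    )
    return key, cert


def export_backup(key, cert, password: bytes) -> bytes:
    """Serialize key + cert as PKCS#12, encrypting the private key with `password`."""
    return pkcs12.serialize_key_and_certificates(
        name=b"code-signing-backup",
        key=key,
        cert=cert,
        cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def check_backup(p12_bytes: bytes, password: bytes) -> dict:
    """Open the backup and report whether it is a usable code-signing identity.

    Raises ValueError on a wrong password, which is exactly the behaviour you
    want from a backup that ends up in the wrong hands.
    """
    key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    # `not_valid_after_utc` exists in newer cryptography releases; fall back to
    # the older naive attribute so the check works on either.
    expires = getattr(cert, "not_valid_after_utc", None)
    if expires is None:
        expires = cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    return {
        "subject": cert.subject.rfc4514_string(),
        "code_signing": ExtendedKeyUsageOID.CODE_SIGNING in eku,
        "key_matches_cert": key.public_key().public_numbers()
        == cert.public_key().public_numbers(),
        "days_left": (expires - dt.datetime.now(dt.timezone.utc)).days,
    }


def wrong_password_rejected(p12_bytes: bytes, wrong_password: bytes) -> bool:
    """True if the backup refuses to open with `wrong_password`."""
    try:
        pkcs12.load_key_and_certificates(p12_bytes, wrong_password)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key, cert = make_test_signing_identity()
    password = b"constructed-backup-passphrase"  # use one meeting the Password Standards
    backup = export_backup(key, cert, password)
    print(check_backup(backup, password))
    print("wrong password rejected:", wrong_password_rejected(backup, b"guess"))
```

Run check_backup against the .p12 your browser actually produced before you rely on it; an equivalent command-line inspection that prompts for the password and lists the contents without writing the key out is: openssl pkcs12 -in backup.p12 -info -noout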

----

Code-Signing Expiration

When your code-signing certificate expires or is revoked, every signature you made with it also stops validating, unless you included a valid time stamp when you signed the code. If you use a time-stamp server when signing, the time at which the code was signed is embedded in the signature, and verifiers check that the certificate was valid at that time rather than at verification time. The code therefore remains valid after the certificate expires or is revoked, as long as the certificate was valid at the time of the time stamp.

If you do not use a time stamp during signing, you must re-sign your code whenever your code-signing certificate changes due to renewal or re-keying. For certain kinds of code, such as Java applets and JAR files, the signing tool will warn you if you sign without using a time-stamp server.

Information about Comodo's time stamping server is available at https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server
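The rule in the paragraphs above, written out as an added Python checker (this is not code from the page; the dates and the three certificates are constructed, and real verifiers such as Authenticode and jarsigner apply the same logic inside their own signature checks). The only input a time stamp changes is which instant the certificate's validity and revocation status are checked at.

```python
# Added example (not from the UCSC page): when does a signature still validate?
# Dates and certificates below are constructed; the logic is the rule stated in
# the "Code-Signing Expiration" section: with a time stamp, the certificate
# only has to have been valid at the stamped instant, otherwise it has to be
# valid now.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SigningCert:
    not_before: date
    not_after: date
    revoked_on: Optional[date] = None  # None means the cert was never revoked


@dataclass(frozen=True)
class Signature:
    cert: SigningCert
    timestamp: Optional[date] = None  # set when a time-stamp server was used


def signature_status(sig: Signature, today: date) -> str:
    """Classify a signature as seen on `today`.

    Returns 'valid', 'expired', 'not-yet-valid' or 'revoked'. The certificate
    is evaluated at the time stamp if there is one, otherwise at `today`.
    """
    cert = sig.cert
    check_time = sig.timestamp if sig.timestamp is not None else today
    # A revocation dated on or before the signing time means the key was
    # already untrustworthy when the signature was made, so the signature is
    # rejected; a later revocation does not touch a time-stamped signature.
    if cert.revoked_on is not None and cert.revoked_on <= check_time:
        return "revoked"
    if check_time < cert.not_before:
        return "not-yet-valid"
    if check_time > cert.not_after:
        return "expired"
    return "valid"


def needs_resigning(sig: Signature, today: date) -> bool:
    """True when the artifact must be signed again with a current certificate."""
    return signature_status(sig, today) != "valid"


def demo() -> dict:
    """Four constructed scenarios, all checked well after the cert expired."""
    cert = SigningCert(date(2022, 1, 1), date(2023, 1, 1))
    revoked_early = SigningCert(date(2022, 1, 1), date(2023, 1, 1), date(2022, 3, 1))
    revoked_late = SigningCert(date(2022, 1, 1), date(2023, 1, 1), date(2022, 9, 1))
    signed_on = date(2022, 6, 1)
    today = date(2024, 3, 1)
    return {
        "timestamped": signature_status(Signature(cert, signed_on), today),
        "no_timestamp": signature_status(Signature(cert), today),
        "revoked_before_signing": signature_status(Signature(revoked_early, signed_on), today),
        "revoked_after_signing": signature_status(Signature(revoked_late, signed_on), today),
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:24s} {status}")
```

The fourth scenario is the one to remember when reporting a compromised key: revoking the certificate stops new signatures from validating, but time-stamped signatures made before the revocation date stay valid, so if the key was misused before you noticed, tell the RAO or DRAO when the compromise is believed to have started rather than when it was discovered.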

----

Getting Help

To request, renew or revoke a code signing certificate, see "Requesting a code-signing certificate" above.

For problems with a code-signing certificate, or to report a potentially compromised private key, please open an IT request ticket for "Security (Physical, IT & Policy) > Code-Signing Certificates" or email help@ucsc.edu.

Articles on using a code-signing certificate to sign different kinds of code:
The specific method for doing so varies according to what software and environment you are using and is outside the scope of this document; however, here are some links to useful starting points to learn more:
Comodo Knowledge Base: all entries for code signing certificates
Comodo Knowledge Base: "Signing JAR Files"
Comodo Knowledge Base: "Signing Adobe AIR Applications"
Microsoft Developer Network (MSDN) Article: "Introduction to Code Signing"
How to sign a Mozilla extension or theme
Signed Javascript
How to create a keystore.jks from a PKCS12 or a PFX

Internal service documentation for ITS Certificate Service Providers (Google Doc - login required)