What is Azure code signing, and how can it improve security

By Eyal Katz June 13, 2024

Trust is fragile in software, especially in the fast-paced complexity of cloud environments. Code signing reinforces that trust by digitally proving your software’s authenticity and integrity.

Breaches like the UnitedHealth Group incident remind us why this matters—compromised code has real-world consequences. The breach potentially exposed the sensitive health data of millions of Americans. 

Your code, all the libraries it relies on, and even the infrastructure it runs on are all potential weak spots. Azure Code Signing is how you keep the trust. 

Understanding Azure Code Signing

Azure Code Signing (ACS) provides a mechanism to guarantee software integrity and authenticity by preventing unauthorized modifications and strengthening end-user trust.

Let’s break down how it works.

Azure Code Signing (ACS) is a way to digitally “sign” your software. This confirms its authenticity and verifies that it hasn’t been altered after release.  ACS is particularly crucial in cloud environments, where the dynamic nature demands constant trust verification.

Here’s how Azure Code Signing works.

ACS relies on digital signatures and certificates, which act as a verifiable form of identification for your code. Azure Key Vault provides a secure storage and management solution for the sensitive private keys used during the signing process.

ACS incorporates timestamping for long-term trust assurance.  Even if security standards evolve or certificates expire, a trusted timestamp in your code ensures its ongoing validity.

How to Implement Azure Code Signing Process

Azure Code Signing

Here’s a quick breakdown of how Azure Code Signing is implemented in three easy steps.

1. Obtain a Code Signing Certificate

For broader trust, procure a certificate from a trusted Certificate Authority (CA) or consider self-signed certificates for internal use. Key Vault streamlines certificate management.

2. Sign Your Code

Integrate signing into your build/deployment pipelines. SignTool (for Windows) or Jarsigner (for Java) will embed the digital signature into your code.

3. Deployment

Deploy your signed code with confidence. Azure Code Signing helps verify the signature throughout the code’s lifecycle.

5 Benefits of Azure Code Signing for Enhanced Security

1. Software Integrity

Azure Code Signing helps ensure your software hasn’t been altered after release. It uses cryptographic techniques to create a unique digital “fingerprint.”  Any changes made to the code would break the fingerprint, immediately signaling that something is amiss.  However, malicious actors or exploit vulnerabilities can find subtle ways to inject harmful code or exploit vulnerabilities without directly modifying your original files.  

Advanced vulnerability detection addresses these risks, scanning your codebase for weaknesses like exposed secrets, misconfigurations, or outdated dependencies that could compromise your software’s integrity.

2. User Trust

In a world where software origins can be unclear, code signing can prove your code’s authenticity.  It relies on trusted Certificate Authorities to issue certificates that link your identity to your software. 

Think of these certificates like digital passports for your code. With its secure integration with Key Vault, Code Signing provides robust storage and management of these certificates,  strengthening the chain of trust.

3. Protection Against Supply Chain Attacks

Software today is built on a complex web of dependencies. A single compromised component can have far-reaching consequences.  Code signing helps validate the integrity of each element within your supply chain, minimizing the risk of unauthorized changes or malicious code slipping in. 

For maximum protection, consider extending code signing requirements throughout your software ecosystem, including third-party dependencies and external collaborators.

Azure Code Signing Benefits

4. Simplified Security Compliance

Demonstrating compliance with regulations like PCI DSS, HIPAA, and others often requires proving that your software is protected from tampering. Doing so contributes to a more robust cloud risk management posture.

Azure Code Signing provides a clear audit trail and timestamped signatures, simplifying compliance. Timestamping also helps maintain compliance over time, even if the cryptographic standards or certificates evolve.

5. Beyond Security

Azure Code Signing acts as a stamp of quality for your software.  Users see that you take security seriously, fostering greater trust in your products.  

A commitment to security translates into a competitive advantage and contributes to a more secure and reliable digital environment for everyone.

Implementing Azure Code Signing

As you integrate Azure Code Signing (ACS) into your workflows, let’s dive into the implementation details that maximize its effectiveness.

The Signing Process

  1. Key Management: It all starts in the Azure Key Vault. You can generate your private keys securely within the vault or import them with strict security protocols.
  2. The Code’s Fingerprint: Hashing functions create a unique digital “fingerprint” for your code – this becomes the basis for verifying integrity.
  3. Seal of Authenticity: A cryptographic signature is generated using your private key. This signature binds to your code’s fingerprint, proving it hasn’t been altered.

Certificate Considerations

  • Self-Signed vs. CA-Issued: Self-signed certificates are acceptable for internal use, but certificates from trusted Certificate Authorities (CAs) establish more comprehensive end-user trust for broader distribution.
  • Code Versatility: Azure Code Signing isn’t picky – it safeguards executables, scripts, and various other code types, offering comprehensive protection for your digital assets.

Integration Strategies for Azure Code Signing

  • CI/CD Automation: Embed ACS directly into your CI/CD pipelines (Azure DevOps, GitHub, GitLab, etc.). Every build can be automatically signed, ensuring a consistent layer of security and streamlining your development workflow.
  • Deployment Signing: ACS works well with Azure services. You can sign code as it’s deployed, adding an extra authentication layer and simplifying your processes.

Implementing Azure Code Signing isn’t just about the ‘how’; it’s a cornerstone of secure Azure deployments.  By carefully choosing certificates and automating signing, you bolster your software defenses and protect against code tampering threats.

How to implement Azure Code Signing

Prerequisites:

  • An Azure account
  • An Application registered within your Azure tenant
  • An Azure Key Vault set up to store your code signing certificates

Step 1: Create a Client Secret for Authentication

Log in to the Azure portal.

Log in to the Azure portal

Navigate to your registered application’s settings. Look for a section called “Certificates & secrets” on the left-hand menu.

Navigate to your registered application's settings

Click “New client secret”.

New client secret

Click “Add” and immediately copy the generated secret. Important: This is the only time you’ll see it in full – save it securely.

copy the generated secret

Step 2: Grant Permissions

Make sure your application has the necessary access levels to your Azure Key Vault and other pipeline resources. Go to your Key Vault and click on “Access Policies”. Click “Add Access Policy”.

Access Policies

Under these sections, enable the following permissions:

  • Key Permissions: Verify, Sign, Get, List
  • Secret Permissions: Get, List
  • Certificate Permissions: Get, List
Add Key Permissions

Under “Select principal”, find your registered application and add it. Click “Save”.

Select principal

Step 3: Configure Your Pipeline

Add an Azure CLI task to your pipeline’s configuration file (usually a YAML file in Azure DevOps).

Here’s an example YAML configuration for a pipeline:

YAML configuration for a pipeline

Step 4: Execution

Run your pipeline. It will use the provided credentials to authenticate with Azure. Verify the output for any errors. Here is an example of successful Azure Code Signing.

example of successful Azure Code Signing

Additional Considerations and Best Practices for Azure Code Signing

Prioritize security throughout your Azure Code Signing implementation. Here are the top best practices and considerations.

  • Key Management: Azure Key Vault is a robust choice, but regardless of your key storage solution, prioritize strict access controls and secure practices to protect your private keys.
  • Revocation Readiness: Plan to immediately revoke compromised certificates and reissue new ones. It minimizes the impact of breaches and maintains code integrity.
  • Server Choice: To avoid potential delays, opt for Azure regions known for optimal signing performance (currently, the EUS region).
  • Real-Time Monitoring: Consider integrating vulnerability detection tools into your signing process to notify you instantly of security issues. This allows for quick remediation and prevents the release of compromised code. Azure Code Signing alone can’t detect all potential security risks, so consider comprehensive monitoring solutions.
  • Authentication Streamlining: Use DefaultAzureCredential and tailor authentication methods to your setup. It saves time and ensures smooth processes. Data Security Posture Management (DSPM) can streamline authentication and authorization management. Beyond Azure Code Signing, implement broader security practices like Remote Privileged Access Management (RPAM) for OT environments and develop a robust IT security policy.
endpoint

Protecting your code with Azure Code Signing

Azure Code Signing is a powerful tool for ensuring code integrity, but it’s only one piece of the security puzzle.  Prioritize robust key management within Azure Key Vault.  Be prepared to revoke compromised certificates quickly, and choose Azure regions wisely for optimal signing performance.

Streamlining security into your development workflows is vital. Incorporate tools like Spectral directly into your CI/CD pipelines. With real-time alerts and comprehensive secret detection, Spectral offers a developer-friendly way to strengthen code security during the signing process.

Level up your security practices with a free Spectral account. Protect your code and streamline development with Spectral’s easy integration.

Related articles

Netz: Scan the internet while drinking coffee

Netz lets you run internet-wide misconfigurations research easily and continuously. It supports infrastructure-as-code so you can put your plan in a config file, run the CLI,

Why We Need Developer Tools for Security and Not Security Tools for Developers

The further down the line we discover a software defect – the more it costs to fix and recover from it, whether it’s a bug that

Credentials, Risk, and The Supply Chain: Lessons to Learn From The Codecov Breach

It seems like there’s a data breach disclosed every day. They come in a variety of forms and from all possible industries and verticals. However, some

Stop leaks at the source!