Independence, OH – 11 October 2022 – Keyfactor, the machine and IoT identity platform for modern enterprises, has announced the launch of Keyfactor Signum, a new code signing as-a-service platform that makes it easy for developers to sign code and containers in a secure way, without disrupting productivity.
Organisations face persistent software supply chain attacks that compromise application development pipelines, IT scripts, macros, and more. Code signing keys are high-value targets for attackers that seek to steal and compromise keys to sign malicious code disguised as trusted software. Shortcuts in the signing process often lead to sensitive keys being left exposed on build servers or developer workstations. Understanding who signed which code and in what context is critical to prevent attacks.
Keyfactor Signum solves these challenges by providing security teams with protection for code signing keys, backed by an HSM and granular signing policies while allowing developers to leverage the same native signing tools they currently use.
The CA/B Forum has issued requirements that stipulate private keys for EV code signing certificates be generated and protected in a compliant hardware crypto module. “Recent changes made by the CA/B Forum, which are scheduled to go into effect in the next 12 months, mean that organisations are required to generate and store code signing keys in a cryptographic module,” says Ben Dewberry, product manager signing & key management, Keyfactor. “Keyfactor Signum makes it easy to comply with these new requirements, without causing any disruption to developers that need to move quickly.”
Keyfactor Signum is a SaaS solution hosted and managed by Keyfactor in the cloud. Key features and benefits include:
- Integrate with Native Tools: Keyfactor Signum integrates natively with popular signing tools like Microsoft SignTool, OpenSSL, and Jarsigner via the KSP interface for Windows and PKCS11 interface for Linux, making it transparent to developers.
- Secure Key Storage: Sensitive signing keys are generated and stored in HSM to ensure the highest level of protection and comply with CA/B Forum Extended Validation code signing certificate requirements.
- Policy and Governance: A simple web interface makes it easy to define who can sign what, when, and where, with complete auditability of all signing activities.
- Authentication: Only authorised developers and admins can sign code and manage signing policies via integration with Identity Providers, making it easy to deploy rapidly throughout the organisation.
To learn more about Keyfactor Signum, click here.
Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow
