Cloud Blog: You can now sign Microsoft Windows artifacts with keys protected by Cloud HSM

Source URL: https://cloud.google.com/blog/products/identity-security/you-can-now-sign-microsoft-windows-artifacts-with-keys-protected-by-cloud-hsm/
Source: Cloud Blog
Title: You can now sign Microsoft Windows artifacts with keys protected by Cloud HSM

Feedly Summary: To build trust in the software world, developers need to be able to digitally sign their code and attest that the software their customers are downloading is legitimate and hasn’t been maliciously altered. Keys used to sign code are the cryptographic equivalent of crown jewels for many organizations, and protecting them is of utmost importance. 
Google Cloud’s Cloud Key Management System (KMS) provides capabilities for securely generating, managing, and controlling access to cryptographic keys. Cloud KMS offers a user-friendly interface that allows you to create, store, and perform cryptographic operations such as code signing with keys in our tamper-resistant Cloud hardware security modules (Cloud HSM).
We recently introduced Cloud KMS signing support for Microsoft’s Cryptography API: Next Generation (CNG) provider. With this capability, you can perform code signing on Microsoft artifacts using SignTool, while protecting your keys with Cloud HSM. 
Hardware security modules store keys in segmented and isolated systems, and are widely considered a best practice for cloud security according to the U.S. government’s Cyber Safety Review Board. When HSMs and other best practices are not used, we have seen threat actors compromise and use valid signing keys to access information and systems in that key’s domain. 
In Cloud HSM, the signing keys are marked as non-extractable, the hardware is not directly exposed to any network, and the servers that host HSM hardware are prevented from running unauthorized processes. These security hardening techniques make the signing keys more difficult to accidentally expose or steal.
Previously, keys for your Windows artifacts would need to be secured with specialized hardware deployed outside of Google Cloud. Cloud HSM protects your signing keys with FIPS 140-2 Level 3 assurances, and it can help reduce your infrastructure and operations costs because you pay only for the keys you need. Cloud HSM is available in many locations to meet your workload’s needs.
Using our Cloud KMS CNG provider can help you save valuable time in the signing process, enabling you to get your software released to your customers faster.
How to get started with Cloud KMS CNG provider
There are four main uses for our Cloud KMS CNG provider. Use it when you need to:

Sign firmware with a private key protected by a FIPS 140-2 Level 3 HSM;

Sign Microsoft Windows artifacts using the Windows standard SignTool executable;

Offload the complexities of key management, including key generation, rotation, and access control;

Gain visibility and attribution via auditing and logging capability.

The following steps show you how to achieve these important outcomes:

Install the CNG provider

Create your signing key

Get your certificate

Sign your artifact

Install the CNG provider 
We’ve provided released binaries for our CNG provider in our GitHub repository. These can be installed in your Windows system using the provided .msi installer. Then, follow the user guide to configure your provider.

Download the Cloud KMS CNG Provider binaries from the Google-managed repository.

Create your signing key in Cloud HSM
After you create your key ring, create a signing key that’s hardware protected by Cloud HSM. Select the asymmetric signing algorithm that meets your security requirements.

Create a signing key with Cloud HSM-generated key material.

Install your signing certificate
Import your signing certificate into Cloud HSM. This helps ensure your signing key has strong hardware-based protection.
If you don’t have an existing signing key, you can create a signing key protected by Cloud HSM and generate a certificate signing request (CSR). Then, provide the CSR to your certificate authority in order to receive a new certificate for code signing. 
Sign your artifacts
Now that you have installed your CNG provider, created a key in Cloud HSM, and have your certificate, use SignTool to cryptographically sign your artifact. Be sure to provide the correct flags, such as the provider name "Google Cloud KMS Provider" and the key URI from Cloud HSM.

Use SignTool to sign Windows artifacts with a Cloud HSM-backed key.
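
The four steps above as one PowerShell sequence, with a guard that refuses to sign unless the key version is really HSM-protected. This is an added example, not code from the original post or from Google. The project, location, key ring, key name, file paths, timestamp URL and the choice of ec-sign-p256-sha256 are all placeholder assumptions, and the CNG provider, gcloud and SignTool are assumed to be installed and on PATH.

```powershell
# Added example: every value in this block is a placeholder to replace.
$Project      = "my-project"
$Location     = "us-east1"
$KeyRing      = "code-signing"            # assumed to exist already
$Key          = "windows-signing"
$CertPath     = "C:\signing\codesign.crt" # certificate your CA issued for this key
$Artifact     = "C:\build\app.exe"
$TimestampUrl = "http://timestamp.example.com" # placeholder RFC 3161 server
$scope = @("--keyring", $KeyRing, "--location", $Location, "--project", $Project)

# Create the signing key in Cloud HSM only if it does not exist yet.
gcloud kms keys describe $Key @scope 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    # The algorithm here is an assumption; pick the one your policy requires.
    gcloud kms keys create $Key @scope `
        --purpose asymmetric-signing `
        --default-algorithm ec-sign-p256-sha256 `
        --protection-level hsm
    if ($LASTEXITCODE -ne 0) { throw "Key creation failed." }
}

# Guard: refuse to sign with a key version that is not HSM-protected.
$level = gcloud kms keys versions describe 1 --key $Key @scope `
    --format "value(protectionLevel)"
if ($level -ne "HSM") {
    throw "Key version protection level is '$level', expected HSM."
}

# The certificate comes from your CA (CSR step); stop here until it exists.
if (-not (Test-Path $CertPath)) {
    throw "No certificate at $CertPath. Obtain it from your CA, then re-run."
}

# Sign through the CNG provider: /csp names the provider, /kc is the key URI.
$KeyUri = "projects/$Project/locations/$Location/keyRings/$KeyRing" +
          "/cryptoKeys/$Key/cryptoKeyVersions/1"
signtool sign /v /fd sha256 /tr $TimestampUrl /td sha256 /f $CertPath `
    /csp "Google Cloud KMS Provider" /kc $KeyUri $Artifact
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed." }

# Verify the signature chain and timestamp before releasing the artifact.
signtool verify /pa /v $Artifact
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed." }
```

The script can be re-run after the certificate arrives: the key is created only once, and the protection-level check runs before every signing operation.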

Get started today
Our Cloud KMS CNG provider is available to help protect your keys with Cloud HSM.  Get started by using our CNG provider Terraform solution. 
Learn more about signing by reading our signing Windows artifacts guide. Besides using the new CNG provider, you can still use Jsign and PKCS#11 to sign Windows artifacts.  
Since code signing is an important part of securing your software supply chain, learn more about Google Cloud’s approach to building safer software.

Summary: The text discusses the importance of digitally signing code to ensure the legitimacy of software and highlights the capabilities of Google Cloud’s Cloud Key Management System (KMS) for secure code signing. It emphasizes the benefits of using Hardware Security Modules (HSM) for key protection and introduces the Cloud KMS CNG provider, which facilitates secure code signing for Microsoft Windows artifacts.

Detailed Description:
The text presents a comprehensive overview of the role of digital signatures in software integrity, particularly emphasizing the necessity of protecting cryptographic keys. Here are the significant points covered:

– **Trust Through Digital Signatures**:
    – Digital signatures enable developers to confirm that the software being distributed is legitimate and has not been tampered with.
    – Cryptographic keys used for signing are crucial assets and must be securely managed.

– **Google Cloud KMS**:
    – The Cloud Key Management System (KMS) allows users to generate, manage, and control access to cryptographic keys effectively.
    – It features a user-friendly interface for operations like code signing using secure, tamper-resistant Cloud HSM.

– **New Features with Support for Microsoft CNG**:
    – Recent enhancements include support for Microsoft’s Cryptography API: Next Generation (CNG) provider, enabling secure code signing for Microsoft Windows artifacts using SignTool.

– **Importance of Hardware Security Modules (HSM)**:
    – HSMs enhance security by storing keys in isolated environments, reducing the risk of compromise.
    – The U.S. government’s Cyber Safety Review Board recommends HSMs as best practice for cloud security.

– **Security Hardening Techniques**:
    – In Cloud HSM, signing keys are marked as non-extractable, with stringent controls to prevent unauthorized access.
    – These measures make it harder for malicious actors to compromise keys.

– **Cost Efficiency and Assurances**:
    – Cloud HSM offers FIPS 140-2 Level 3 assurances, enhancing trust and security.
    – It promotes cost savings as users only pay for the keys they need.

– **Use Cases for Cloud KMS CNG Provider**:
    – Sign firmware with keys secured by FIPS 140-2 Level 3 HSM.
    – Sign Microsoft Windows artifacts using tools like SignTool.
    – Simplify key management tasks, including generation and rotation.
    – Gain insights through auditing and logging capabilities.

– **Getting Started**:
    – The text outlines procedures for installing the CNG provider and creating signing keys, as well as integrating signing certificates into the process.
    – Various methods to sign artifacts and secure keys are suggested, including using GitHub resources for installation.

– **Software Supply Chain Security**:
    – Emphasizes the significance of code signing in the broader context of software supply chain security, advocating for a strong approach to safety in software distribution.

This detailed breakdown highlights the essential components and practical implications of using Google Cloud’s Cloud KMS for code signing, making clear its relevance for security professionals in protecting software integrity and supply chains.