Source: devops.com
Securely Streamline Code Signing for DevOps and DevSecOpsCategory: Business, Microsoft, Docker, automation
By Connor Smith on November 23, 20201 CommentIntroducing code-signing provides security within the application, but teams should take care to understand and implement the process effectivelyDigital certificate management, with hundreds or thousands of certificates required to support IT infrastructure, can easily lead to degradation of application integrity and unnecessary risk to the business.
Based on the complexity of their pipeline, DevOps and DevSecOps teams may issue certificates signed by an untrusted source and stored insecurely to speed up the build and deployment stages of CI/CD workflows to avoid a lengthy certificate request process, which could take weeks or even months.
Now that the code-signing certificate is ready for use, any executable can be signed and deployed unless further code testing or QA needs to occur.
In addition to hardened storage, a KMS with proper cryptographic features and functionality can be utilized to help automate the entire code-signing and certificate management life cycle.
This workflow typically consists of a CI/CD system that is managing the build and signing request process, a centralized and secure key management server to manage all code-signing keys and perform the signing process, and an approval entity to govern the process by which code is signed in an authorized manner.
Based on the complexity of their pipeline, DevOps and DevSecOps teams may issue certificates signed by an untrusted source and stored insecurely to speed up the build and deployment stages of CI/CD workflows to avoid a lengthy certificate request process, which could take weeks or even months.
Now that the code-signing certificate is ready for use, any executable can be signed and deployed unless further code testing or QA needs to occur.
In addition to hardened storage, a KMS with proper cryptographic features and functionality can be utilized to help automate the entire code-signing and certificate management life cycle.
This workflow typically consists of a CI/CD system that is managing the build and signing request process, a centralized and secure key management server to manage all code-signing keys and perform the signing process, and an approval entity to govern the process by which code is signed in an authorized manner.
Related Articles
Community Partners
DevOps Careers