You can now sign Microsoft Windows artifacts with keys protected by Cloud HSM
Erlander Lo
Senior Cloud Security Product Manager
Lanre Ogunmola
Cloud Security Architect
To build trust in the software world, developers need to be able to digitally sign their code and attest that the software their customers are downloading is legitimate and hasn’t been maliciously altered. Keys used to sign code are the cryptographic equivalent of crown jewels for many organizations, and protecting them is of utmost importance.
Google Cloud’s Cloud Key Management System (KMS) provides capabilities for securely generating, managing, and controlling access to cryptographic keys. Cloud KMS offers a user-friendly interface that allows you to create, store, and perform cryptographic operations such as code signing with keys in our tamper-resistant Cloud hardware security modules (Cloud HSM).
We recently introduced Cloud KMS signing support for Microsoft’s Cryptography API: Next Generation (CNG) provider. With this capability, you can perform code signing on Microsoft artifacts using SignTool, while protecting your keys with Cloud HSM.
Hardware security modules store keys in segmented and isolated systems, and are widely considered a best practice for cloud security according to the U.S. government’s Cyber Safety Review Board. When HSMs and other best practices are not used, we have seen threat actors compromise and use valid signing keys to access information and systems in that key’s domain.
In Cloud HSM, the signing keys are marked as non-extractable, the hardware is not directly exposed to any network, and the servers that host HSM hardware are prevented from running unauthorized processes. These security hardening techniques make the signing keys more difficult to accidentally expose or steal.
Previously, keys for your Windows artifacts would need to be secured with specialized hardware deployed outside of Google Cloud. Cloud HSM protects your signing keys with FIPS 140-2 Level 3 assurances, and it can help reduce your infrastructure and operations costs because you pay only for the keys you need. Cloud HSM is available in many locations to meet your workload’s needs.
Using our Cloud KMS CNG provider can help you save valuable time in the signing process, enabling you to get your software released to your customers faster.
How to get started with Cloud KMS CNG provider
There are four main uses for our Cloud KMS CNG provider. Use it when you need to:
-
Sign firmware with a private key protected by a FIPS 140-2 Level 3 HSM;
-
Sign Microsoft Windows artifacts using the Windows standard SignTool executable;
-
Offload the complexities of key management, including key generation, rotation, and access control;
-
Gain visibility and attribution via auditing and logging capability.
The following steps show you how to achieve these important outcomes:
-
Install the CNG provider
-
Create your signing key
-
Get your certificate
-
Sign your artifact
Install the CNG provider
We’ve provided released binaries for our CNG provider in our GitHub repository. These can be installed in your Windows system using the provided .msi
installer. Then, follow the user guide to configure your provider.
Download Cloud KMS CNG Provider binaries from Google managed repository.
Create your signing key in Cloud HSM
After you create your key ring, create a signing key that’s hardware protected by Cloud HSM. Select the asymmetric signing algorithm that meets your security requirements.
Create a signing key with CloudHSM generated key material.
Install your signing certificate
Import your signing certificate into Cloud HSM. This helps ensure your signing key has strong hardware based protection.
If you don’t have an existing signing key, you can create a signing key protected by Cloud HSM and generate a certificate signing request (CSR). Then, provide the CSR to your certificate authority in order to receive a new certificate for code signing.
Sign your artifacts
Now that you have installed your CNG provider, created a key in Cloud HSM, and have your certificate, use SignTool to cryptographically sign your artifact. Be sure to provide the correct flags such as the provider name Google Cloud KMS Provider
and key URI from Cloud HSM.
Use Signtool to sign Windows artifacts with Cloud HSM backed key.
Get started today
Our Cloud KMS CNG provider is available to help protect your keys with Cloud HSM. Get started by using our CNG provider Terraform solution.
Learn more about signing by reading our signing Windows artifacts guide. Besides using the new CNG provider, you can still use Jsign and PKCS#11 to sign Windows artifacts.
Since code signing is an important part of securing your software supply chain, learn more about Google Cloud’s approach to building safer software.