A recent article by the Microsoft malware protection center, “Be a real security pro - Keep your private keys private,” reminded me of some best practices.
There are far too many cases of illegitimate code being signed by a stolen private key for legitimately signed code-signing certificates. In these cases, the owners of the private keys have not secured the keys.The problem with code-signing is that many developers may need to sign their code.
If there is no controlled signing process, then the signing private key, password and code-signing certificate are readily distributed among developers. The thinking? “Since more than one developer is using the private key, let’s make the password simple, so that everyone remembers it.”
With this process, there is no control on how the private key and password are protected. This makes the challenge of accessing these items even easier. When managing code-signing private keys, the following is recommended:
If you’re interested in more information, Microsoft provides an extensive set of best practices to support code-signing.