On Jan. 31, the popular code hosting platform GitHub reported that an unauthorized user gained access to its systems on Dec. 6, 2022, and stole three encrypted code signing certificates (one Apple Developer ID certificate and two DigiCert-issued certificates). Once detected, GitHub immediately revoked the unauthorized credentials. This week the company announced that it would, as an added precaution, revoke the certificates on February 2. 

Code signing certificates are a proven way for developers of software applications to “sign” their code to assert its origin and are critical for building trust into the software supply chain. We’ve shared recently that code signing attacks have been increasing in severity and frequency, as demonstrated with the Nividia incident, and listed best practices to ensure the security of code signing. As a leading provider of digital trust, DigiCert would like to shed some light on the matter and provide guidance on how to keep digital code signing keys secure to help prevent this from happening again.

What went wrong with GitHub's stolen code signing keys

According to GitHub, “on December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account.” The company revoked access to the unauthorized user on Dec. 7 and then discovered that three GitHub code signing certificates were stolen; however, there is no evidence that the attacker was able to decrypt and use the certificates. The first DigiCert certificate expired on Jan. 4, and the second expired on Feb. 1. The Apple Developer ID certificate, however, was valid until 2027 and as such Apple is monitoring for any executable files signed with the certificate.

For more information, read the GitHub blog.

The consequence of stolen code signing keys can be extremely damaging

The consequences of a stolen code signing key can extremely damaging to your company’s reputation and bottom line. Malicious software signed with a stolen key can spread quickly and easily, as users are more likely to trust software that is signed with a reputable key. This can lead to widespread security breaches, data theft and even damage to critical infrastructure. The consequences of stolen code signing keys mean real-world problems; thus, when the United States recently issued an executive order on improving the nation’s cybersecurity, one of the key steps included was the use of code signing to assure code integrity.

In this case, GitHub’s investigation found that there was “no risk to GitHub.com services as a result of this unauthorized access and no unauthorized changes were made to these projects”. Furthermore, “the certificates were password-protected and we have no evidence of malicious use.” GitHub says that revoking the certificates is a preventative measure, but the damage could have been much worse if the certificates weren’t password protected.

How to protect a code signing certificate and code signing keys

Fortunately, there are steps you can take to prevent a similar incident from happening to you. First, it’s critical that organizations protect and control the use of their code signing keys. Thus, control and visibility are key to protecting code signing keys (pun intended). The ability to enforce signing rights, control who has access to signing keys, and generate reports that show who signed what, when, and where, provides a high level of visibility and allows you to quickly address any issues that may arise. Furthermore, keys need to be stored securely to reduce the ability for threat actors to steal them. In GitHub’s case, their keys were encrypted which is a best practice. However, we also recommend storing keys offline and only bringing them online for signing.  

Furthermore, a key rotation strategy is crucial for code signing security. Relying on a single key to sign everything can lead to major disruptions if the key is compromised. By implementing a strong and frequent key rotation strategy, using unique keys, and having access to on-demand keys, you can limit the damage from a security breach.

Finally, although not directly linked to key protection itself, before signing code it is important to perform a virus scan to ensure the code is free from malicious content. This will provide peace of mind and help prevent security threats. Scanning can be done at source code level (Static Application Security Testing, or SAST) and on the compiled software (Dynamic Application Security Testing, or DAST), and both are best practices. These measures complement code signing to help secure the software supply chain.

A managed software signing solution can help you detect and protect against incidents

A managed signing solution provides secure code signing practices and helps to prevent the risk of stolen keys. DigiCert has a comprehensive solution, DigiCert^® Software Trust Manager, as part of the DigiCert^® ONE platform, designed to help organizations follow code signing best practices and simplify trust management. Software Trust Manager enables companies to perform cloud signing so that their keys are stored in offline HSMs and only brought online at the time of signing, minimizing the possibility that they can be stolen. DigiCert also offers support for keys associated with both public and private trust, regardless of issuer, thus we can support keys that are used to sign Apple binaries and certificates from the Apple Root.

In addition, Software Trust Manager helps to maintain compliance with changing regulations, such as the improved requirements for code signing key protection set by the Code Signing Working Group of the CA/B Forum. With a managed solution, like DigiCert Software Trust Manager, you can ensure that your keys are secure, manage them centrally, enforce policy, integrate with CI/CD, and choose from flexible deployment options.

In conclusion, the incident with GitHub’s stolen code signing key serves as a reminder of the importance of keeping digital code signing keys secure. By taking the necessary steps to protect your keys, you can prevent similar incidents from happening and ensure the security and trust of your software. As a trusted provider of digital trust, DigiCert is committed to helping our customers keep their code signing keys secure. That’s why we’ve developed Software Trust Manager; to make it easier to ensure code signing best practices. Contact us to learn more about our code signing solutions.

About DigiCert^® Software Trust Manager

DigiCert^® Software Trust Manager is a digital trust solution that protects the integrity of software across the software supply chain, reducing risk of code compromise, enforcing corporate and regulatory policy, and delivering fine-grained key usage and access controls in code signing. With increasing software supply chain attacks and government regulations, companies need to invest in a solution that can minimize the risks of security breach and malware propagation in the development, build and release of software.

Software Trust Manager supports code signing best practices like unique key and certificate per signing for private signing, on-demand keys and rotating keys. It is compatible with major platforms and libraries like Apple, Docker, Microsoft, Java, Android, connected device software/firmware signing and more.

Using Software Trust Manager, enterprises can reduce risk, enforce corporate policy and regulatory compliance and centralize control of key usage and signing access. As a part of DigiCert^® ONE, Software Trust Manager offers a quick deployment of high volumes of certificates within minutes, plus the flexibility to deploy on-premises, in-country or in the cloud.