Code Signing 01-15-2021

SolarWinds Attack: Is Code Signing to Blame?

Mike Nelson

All of the current chatter about the SolarWinds attack concerns the magnitude of the attack: Who has been compromised? What level of access was gained? What should you do if you’ve been compromised?

All of these are good questions that need answers — quickly. However, as a security professional who has helped many organizations with code signing, I can’t help but raise a flag of warning about the simple mistakes that were made that led to this widespread compromise.

Having worked with and seen the ugly truths about how many organizations practice code signing, I am confident in saying what happened to SolarWinds could happen to many other large organizations that sell products requiring regular updates.

I’ve seen code signing practices that I dare not repeat for fear that someone else will think it’s a good idea and run with it. The following is a short list of common code signing cardinal sins:

  • Loading a signing key on a thumb drive and distributing it with no controls
  • Using THE SAME signing key to sign all files
  • Using THE SAME signing key across different product lines and businesses
  • Having no mechanism to control who can sign what
  • Having no reporting capability to show who signed what and when

Code signing works. Poorly implemented code signing puts your business at greater risk. In the case of SolarWinds, they were using a code signing certificate to sign the files. The problem wasn’t the code signing certificate; the problem was the way they were practicing code signing.

The following are some suggestions that will help you prevent a code signing compromise. Protecting and controlling the use of the signing keys is the most critical starting point for secure code signing. If you’re not willing to do that, you may as well stop reading right here.

You're still here? Great. The next important step is having a key rotation strategy. Using the same key to sign everything sets you up for massive disruption. If your key becomes compromised, everything you’ve signed is at risk. Having a strong and frequent key rotation strategy, unique keys and on-demand keys limits the damage of a compromise.

Another code signing best practice is to perform a virus scan on your code before it is signed. You never want to sign code without having assurance that nothing malicious is lurking in the package.

Finally, successful code signing is about control and transparency. Being able to dictate, control and enforce signing rights will allow you to rest easy, knowing your signing keys aren’t being handed around. Additionally, having the ability to generate reports to show who has signed what and to see when things were signed gives you the ability to mitigate problems when they arise.
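
The controls described above (a separate key per product, enforced signing rights, a scan before signing, key rotation, and a record of who signed what and when) can be expressed as a gate that sits in front of the signing service. This is an added example, not code from DigiCert or SolarWinds. The policy table, product names, users, key IDs and function names are all constructed, and the signing operation itself is assumed to happen in a separate key store that only accepts requests the gate allowed.

```python
import hashlib
import json

# Constructed policy: one key per product, explicit signers, a rotation deadline.
POLICY = {
    "product-a": {"key_id": "key-a-2021q1", "signers": {"alice", "build-bot"}, "expires": 1617235200},
    "product-b": {"key_id": "key-b-2021q1", "signers": {"bob"}, "expires": 1617235200},
}

def decide(user, product, scan_clean, now):
    """Return (allowed, reason, key_id) for a signing request."""
    rule = POLICY.get(product)
    if rule is None:
        return False, "unknown product", None
    if user not in rule["signers"]:
        return False, "user may not sign this product", None
    if now >= rule["expires"]:
        return False, "key past rotation deadline", None
    if not scan_clean:
        return False, "artifact has no clean scan result", None
    return True, "ok", rule["key_id"]

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def request_signing(log, user, product, artifact, scan_clean, now):
    """Record every request, allowed or denied, in a hash-chained audit log."""
    allowed, reason, key_id = decide(user, product, scan_clean, now)
    entry = {
        "time": now, "user": user, "product": product,
        "sha256": hashlib.sha256(artifact).hexdigest(),
        "allowed": allowed, "reason": reason, "key_id": key_id,
        "prev": log[-1]["hash"] if log else "0" * 64,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def chain_intact(log):
    """True if every entry still matches its hash and links to the one before it."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or e["hash"] != _digest(e):
            return False
        prev = e["hash"]
    return True

def who_signed(log, product):
    """The 'who signed what and when' report for one product."""
    return [(e["user"], e["sha256"][:12], e["time"]) for e in log
            if e["product"] == product and e["allowed"]]
```

Denied requests are logged alongside allowed ones, so an attempt to sign with another product's key shows up in the same report that is used for investigation.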

I’ll say it again: code signing wasn’t the problem for SolarWinds; a poorly managed code signing process was. To simplify code signing management, DigiCert has a comprehensive solution, DigiCert® Software Trust Manager, as part of the DigiCert ONE™ platform. Remember the cardinal code signing sins I mentioned earlier? DigiCert Software Trust Manager was designed to help organizations avoid these mistakes.

For those of you who may be down the road with some of these bad practices — stop. Get control of what you’re doing and minimize the risk for your business. SolarWinds isn’t the only organization with bad code signing practices — let’s use this compromise to improve the way we operate and keep our businesses safe.

About DigiCert Software Trust Manager
DigiCert Software Trust Manager is a modern way of managing code signing by enabling automated security across Continuous Integration/Continuous Delivery (CI/CD) pipelines with portable, flexible deployment models and secure key management.

Sign code binaries rapidly, easily and at scale with DigiCert Software Trust Manager. Additionally, keys are generated in the cloud, so when not in use they are in offline mode to ensure that they do not get shared, lost or stolen. DigiCert Software Trust Manager supports code signing best practices like unique key and certificate per signing for private signing, on-demand keys and rotating keys.

DigiCert Software Trust Manager is compatible with most popular platforms and libraries, including:

Using DigiCert Software Trust Manager, enterprises integrate code into their product development processes easily while delegating cryptographic operations, signing activities and management in a controlled, auditable way. With tracking, reporting and audit trails for forensics and accountability, DigiCert Software Trust Manager enables enterprises to comply with corporate and industry security policies.

DigiCert Software Trust Manager, built on DigiCert ONE
DigiCert Software Trust Manager is built on DigiCert ONE, the most modern PKI management platform on the market. DigiCert ONE was developed with cloud-native architecture and technology as the PKI infrastructure service for today's security challenges.

Released in 2020, DigiCert ONE offers multiple management solutions and is designed for all PKI use cases. Its flexibility allows it to be deployed on-premises, in-country or in the cloud to meet stringent requirements, custom integrations and airgap needs. It also deploys extremely high volumes of certificates quickly using robust and highly scalable infrastructure. DigiCert ONE delivers end-to-end centralized user and device certificate management, a modern approach to PKI to provide trust across Kubernetes clusters and dynamic IT architectures.

For more information on DigiCert Software Trust Manager, visit and follow the DigiCert blog for more ways DigiCert Software Trust Manager can simplify code signing for your company.

