Code signing in cloud environment

  • Jb3void wrote (#1):

    Hello, posting this right here as I believe that this is a generic issue. Right now if you do app development, in most cases you are also code signing the app, using your favorite tool and a private key. Since February, due to Microsoft adopting a new set of standards, issuers are obliged to deliver the digital certificates on hardware mediums, aka USB tokens (Minimum Requirements for Code Signing). While this works great for physical servers, on cloud environments supporting a USB interface is not as practical (for example, Amazon does not support it), thus making the below use case unfeasible: the server receives a request for a particular client app; based on the request params, the server changes the app's resources, then code signs it, replying with the final result. Any opinions on this are welcome.


      jschell wrote (#2):

      Jb3void wrote:

      Right now if you do app development in most cases you are also code signing the app

      Not me. I figure if they have access to the server such that they can replace components then everything is already compromised. Not to mention that if they can do so in a useful manner then I would suspect an inside job as well (which the vast majority of breaches are anyways.)

      Jb3void wrote:

      Server receives a request for a particular client app, based on the request param's server changes the app's resources then code signs it, replying with the final result.

      Not sure I understand what that scenario is suggesting. Code signing involves using a certificate when the code is built (part of the CM build process) to provide security when the application runs. It allows the application to verify resources that it loads, such as a library. That is a limited scope solution. All that is required is that a local machine (not cloud) is used for the final step of the process before delivery. Your statement above suggests you are doing something in the normal client message handling scheme. That would be outside the scope of what I laid out. Now I can see that if you are using a cloud server to do your builds then that would appear to be a problem for normal code signing. But your description would not seem to jive with that.


        Nathan Minier wrote (#3):

        You'll need some form of middleware (such as ActiveIdentity) that will provide certificates from an external token and make them accessible to network connections. I'm afraid that I don't have experience with your particular use case, but I'm sure that if you follow up with the issuer or with AWS you will be able to get a product recommendation.

        "There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
