Versions Compared

Version Old Version 17 New Version Current
Changes made by

Greg Jewett

Greg Jewett

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Description

Image RemovedImage Added

Code Signing Certificates are used to digitally sign software or files that are downloaded over the internet.  The files are signed by the developer/publisher of the software. Their purpose is to guarantee that the software or file is genuine and comes from the publisher it claims to belong. They’re especially useful for publishers who distribute their software for download through third-party sites. Code signing certificates also act as a proof that the file hasn’t been tampered with since download.

Table of Contents

Panel
borderColor#ccc
borderWidth1
borderStylesolid
titleTable of Content
Table of Contents

How to Request

All requests must be sent to the UT Information Security Office via a ticket.  You need to include the following information in your ticket to be approved and have a code-signing certificate issued to you. 

Note

Code signing certificates used for the wrong purposes could facilitate malicious or broken code that would be officially signed by the University and trusted and allowed to propagate through initial protections and trusts.  This is why intent and trust must be assured first before it can be issued.

Generate and send an email addressed to:

Multiexcerpt include macro
macro_uuid52ca1174-6157-44fd-bbb2-ad668507013a
nameInformation Security Office
templateDataeJyLjgUAARUAuQ==
pageLinks Page for Digital Certificates
addpanelfalse
. Within the email, please provide the following information:

  • Your name, department name or university affiliated group.

  • Provide a group email address that will be associated with the certificate (included in the certificate).

    • UTLists Group email address (___@utlists.utexas.edu)

    • Active Directory Distribution Group (___@austin.utexas.edu  or  ____@dept.utexas.edu). 

  • Describe in the email what code the certificate will sign.  Describe the function of the code and where unsigned and the signed version will be live (GitHub Repository, Department Server, etc..)

  • Describe the audience of the signed code (who will use it).

Tip

The ISO team will get back to you with possible follow-up questions or a code-signing certificate in

Multiexcerpt include macro
macro_uuid1c1f6f75-3e3f-4b49-936e-9b8e95bb77b2
nameStache
templateDataeJyLjgUAARUAuQ==
pageLinks Page for Digital Certificates
addpanelfalse
.

Note

As of June 1, 2023, the CA/Browser Forum updated its regulations for code signing certificates and services, including those issued by Sectigo. Under these new rules, clients can no longer determine how and where the private key for the certificate is stored. Instead, Sectigo code signing certificates must be installed on a Hardware Security Module (HSM).

To proceed, you have a couple of options:

  • You can provide your own supported HSM, including Yubikey, Marvell, Fortanix, or Google Cloud Platform (GCP).

  • Alternatively, we can ship one of our Thales eTokens directly to you.

All code signing certificates must comply with this HSM requirement. 

UT ISO would recommend users purchase a YubiHSM from YubiKey for this use case.

Other options: Key Generation and Attestation with YubiKey