(DC) Code Signing Certificate
Description
Code signing certificates are used to digitally sign software or files that are distributed over the internet. The files are signed by the developer or publisher of the software. Their purpose is to guarantee that the software or file is genuine and comes from the publisher it claims to belong to. They are especially useful for publishers who distribute their software for download through third-party sites. A code signing signature also serves as proof that the file has not been tampered with since it was signed.
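The two guarantees described above (origin and integrity) can be seen end to end with a small, self-contained demonstration. The following script is an added example and is not part of this page or of the UT ISO / Sectigo process: it creates a throwaway self-signed "publisher" certificate, signs a constructed sample artifact with a detached CMS (PKCS#7) signature, verifies it, then modifies the artifact and shows that verification fails. The publisher name, file names and the sample artifact are all constructed for the example; in production the signing key would live in an HSM and the certificate would be issued by a public CA.

```shell
#!/bin/sh
# Added example (not UT ISO / Sectigo material): show what a code-signing
# signature guarantees, i.e. that a file came from the holder of the signing
# key and has not changed since signing. The self-signed "publisher"
# certificate, file names and sample artifact are all constructed here.
set -eu

WORKDIR="$(mktemp -d)"

# Create a throwaway RSA key and a self-signed publisher certificate that
# carries the codeSigning extended key usage. In production the key lives in
# an HSM and a public CA issues the certificate; here both are local files.
make_publisher_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/CN=Example Publisher (constructed)" \
        -addext "extendedKeyUsage=codeSigning" \
        -keyout "$WORKDIR/publisher.key" -out "$WORKDIR/publisher.crt" \
        >/dev/null 2>&1
}

# Produce a detached CMS (PKCS#7) signature over the artifact.
# -binary signs the bytes exactly as they are (no text canonicalisation).
sign_artifact() {
    # $1 = artifact, $2 = output signature (DER)
    openssl cms -sign -binary -in "$1" -out "$2" -outform DER \
        -signer "$WORKDIR/publisher.crt" -inkey "$WORKDIR/publisher.key" \
        2>/dev/null
}

# Verify a detached signature against the artifact and the trusted publisher
# certificate. Returns 0 only if the signature covers exactly these bytes and
# the signing certificate chains to the trusted cert. "-purpose any" lets the
# codeSigning EKU pass, since cms -verify otherwise expects an S/MIME cert.
verify_artifact() {
    # $1 = artifact, $2 = signature (DER)
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$WORKDIR/publisher.crt" -purpose any \
        -out /dev/null >/dev/null 2>&1
}

# End to end: sign a constructed artifact, confirm the original verifies,
# then alter the file and confirm that verification is rejected.
# Returns 0 only if both outcomes are as expected.
demo_code_signing() {
    make_publisher_cert || return 1
    printf 'echo "installer v1.0 (constructed sample)"\n' > "$WORKDIR/installer.sh"
    sign_artifact "$WORKDIR/installer.sh" "$WORKDIR/installer.sh.p7s" || return 1

    # The untouched artifact must verify against its signature.
    verify_artifact "$WORKDIR/installer.sh" "$WORKDIR/installer.sh.p7s" || return 1

    # Simulate a post-signing modification: append one harmless comment line.
    cp "$WORKDIR/installer.sh" "$WORKDIR/tampered.sh"
    printf '# modified after signing\n' >> "$WORKDIR/tampered.sh"

    # The modified artifact must NOT verify against the original signature.
    if verify_artifact "$WORKDIR/tampered.sh" "$WORKDIR/installer.sh.p7s"; then
        return 1
    fi
    return 0
}

if demo_code_signing; then
    echo "signed artifact verified; modified copy correctly rejected"
else
    echo "unexpected result from code-signing demo" >&2
    exit 1
fi
```

The verification step is the part a recipient actually runs: it needs only the artifact, the detached signature and the publisher's certificate (or the CA chain it was issued under), never the private key. Any change to the signed bytes, however small, breaks the signature, which is what "has not been tampered with since it was signed" means in practice.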
How to Request
All requests must be sent to the UT Information Security Office via a ticket. Your ticket must include the information listed below before a code signing certificate can be approved and issued to you.
A code signing certificate used for the wrong purpose could result in malicious or broken code carrying an official University signature, which would be trusted and allowed past initial protections and trust checks. This is why intent and trust must be established before a certificate is issued.
Send an email addressed to the Information Security Office containing the following information:
- Your name and your department name or university-affiliated group.
- A group email address to be associated with the certificate (it is included in the certificate): either a UTLists group email address (___@utlists.utexas.edu) or an Active Directory distribution group (___@austin.utexas.edu or ____@dept.utexas.edu).
- A description of the code the certificate will sign: what the code does and where the unsigned and signed versions will be hosted (GitHub repository, department server, etc.).
- The audience of the signed code (who will use it).
The ISO team will get back to you with possible follow-up questions or a code-signing certificate in Stache.
As of June 1, 2023, the CA/Browser Forum updated its requirements for code signing certificates and services, including those issued by Sectigo. Under these rules, clients can no longer choose how and where the certificate's private key is stored. Instead, Sectigo code signing certificates must be installed on a Hardware Security Module (HSM).
To proceed, you have a couple of options:
- You can provide your own supported HSM, including YubiKey, Marvell, Fortanix, or Google Cloud Platform (GCP).
- Alternatively, we can ship one of our Thales eTokens directly to you.
All code signing certificates must comply with this HSM requirement.
UT ISO recommends that users purchase a YubiHSM (from Yubico, the YubiKey vendor) for this use case.
Other options: Key Generation and Attestation with YubiKey