How to Configure Google CloudHSM to Sign Windows Executables?

Sign Executables using Google Cloud HSM

Google Cloud HSM is the hardware (FIPS 140-2 Level 3) protection level of Google Cloud KMS: the private key is generated inside the HSM and never leaves it, which is exactly what CAs require before issuing an EV code signing certificate. The signing itself is done with Jsign, an open-source Java tool that can use a Cloud KMS key as its keystore; Jsign is not part of Google Cloud. This guide walks through creating the key, obtaining a certificate for it, and signing Windows executables with Jsign.

Prerequisites to Complete before Signing through Google Cloud HSM

Before starting the signing process, make sure the following are in place:

A Windows machine holding the unsigned executables, with Java and the Google Cloud CLI (gcloud) installed: Jsign runs on Java, and gcloud is used to obtain the access token that Jsign presents to Cloud KMS.

A Linux system or Cloud Shell with OpenSSL and the Cloud KMS PKCS #11 library (libkmsp11) for generating the CSR that will be submitted to the CA.

The latest Jsign release (jsign-VERSION.jar from https://github.com/ebourg/jsign/releases). On Linux or in Cloud Shell download it with:

wget https://github.com/ebourg/jsign/releases/download/JSIGN.VERSION/jsign-JSIGN.VERSION.jar -O jsign.jar

Note that in PowerShell wget is only an alias of Invoke-WebRequest, and -O is ambiguous there; use Invoke-WebRequest with -Uri and -OutFile instead.

Authenticate on the Windows machine with: gcloud auth application-default login. The account you log in with must be allowed to sign with the key (for example the roles/cloudkms.signerVerifier role on the key or key ring).

Steps to Configure Google Cloud HSM to Sign Windows Executable using JSign

To sign the executable with Google Cloud HSM, you should follow the steps below.

Step 1: Google Cloud KMS Configuration

First, open Cloud Shell and create a Cloud KMS key ring with the following command:

gcloud kms keyrings create "KEY_RING" --location "LOCATION"

Replace "KEY_RING" and "LOCATION" with your own key ring name and region.

Then create a hardware-protected (Cloud HSM) asymmetric signing key in that ring. The example uses the EC P-256 / SHA-256 algorithm; confirm with your CA that it accepts this algorithm for EV code signing before you choose it, because the key cannot be changed after the certificate is issued:

gcloud kms keys create "KEY_NAME" --keyring "KEY_RING" \
  --project "PROJECT_ID" --location "LOCATION" \
  --purpose "asymmetric-signing" --default-algorithm "ec-sign-p256-sha256" \
  --protection-level "hsm"

Step 2: HSM Attestation Download

The attestation is a statement signed by the HSM that the key was generated inside it and cannot be exported. The CA verifies the attestation and its certificate chain (back to the HSM manufacturer and Google) before issuing an EV Code Signing Certificate for the key.

To download the attestation, open the "Key Management" page in the Google Cloud console, choose the key ring that contains your key and then the key. Open the "More" menu of the key version, click "Verify attestation", and then click "Download attestation bundle". The zip file contains the attestation itself and the certificate chains needed to verify it; submit the bundle to the CA with your CSR.

Step 3: Code Signing Certificate Issuance

Now generate a certificate signing request (CSR) for the key stored in Cloud HSM. OpenSSL reaches the key through its PKCS #11 engine, which must point at the Cloud KMS PKCS #11 library (libkmsp11.so) and the KMS_PKCS11_CONFIG environment variable must name a configuration file listing your key ring; without that setup the engine cannot find the key and the command fails. Then run the following in Cloud Shell:

openssl req -new -subj '/CN=CERTIFICATE_NAME/' DIGEST_FLAG \
  -engine pkcs11 -keyform engine \
  -key pkcs11:id=KEY_ID > REQUEST_NAME.csr

Replace the placeholders as follows:

CERTIFICATE_NAME: the Common Name (CN) placed in the subject of the CSR, for example MyNewCertificate. This is not a file name.

DIGEST_FLAG: the hash algorithm used to sign the request: -sha256, -sha384 or -sha512 (a digest, not an encryption algorithm). It must match the key's algorithm, so an ec-sign-p256-sha256 key requires -sha256.

KEY_ID: the PKCS #11 object id of the asymmetric signing key as exposed by the Cloud KMS PKCS #11 library. Selecting the key by name with pkcs11:object=KEY_NAME, the form used in Step 4, is usually simpler.

REQUEST_NAME: the file name for the CSR.

Step 4: Self-Signed Certificate Creation (Optional, for Testing Only)

A self-signed certificate is not suitable for release builds: it does not chain to a root trusted by Windows, so signed software fails Authenticode trust checks and SmartScreen still warns users. It is useful only to test the Jsign and Cloud KMS setup before the CA-issued certificate arrives.

OpenSSL can create a self-signed certificate with the signing key hosted in Cloud KMS, using the same PKCS #11 setup as Step 3. Open Cloud Shell and run:

openssl req -new -x509 -days 3650 -subj '/CN=test/' -sha256 -engine pkcs11 \
  -keyform engine -key pkcs11:object=KEY_NAME > ca.cert

Because the output is redirected with ">", ca.cert is created before OpenSSL runs; if the command fails you are left with an empty file, so check OpenSSL's exit status and the file size before using it. For production signing, obtain a code signing certificate from a CA as described in Step 3.

Step 5: Executable File Signing

Once the CA (for example DigiCert) has verified your CSR and attestation and issued the EV Code Signing Certificate, you are ready to sign. Copy the issued certificate together with its intermediate chain, as a PEM file, to the Windows machine; Jsign reads it with --certfile, while the private key never leaves Cloud HSM. Then run:

java -jar PATH_TO_JSIGN.JAR --storetype GOOGLECLOUD \
  --storepass $(gcloud auth application-default print-access-token) \
  --keystore projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING \
  --alias KEY_NAME \
  --certfile PATH_TO_CA.CERT \
  PATH_TO_ARTIFACT_TO_SIGN

Replace PATH_TO_JSIGN.JAR with the path to jsign.jar, PATH_TO_CA.CERT with the certificate chain file, and PATH_TO_ARTIFACT_TO_SIGN with the executable. The --keystore value is the key ring resource name and --alias is the key name inside it; --storepass receives a short-lived OAuth access token from gcloud, so the command must be re-run after the token expires. The backslash line continuations shown are for bash; in PowerShell either put the command on one line or end each line with a backtick. Consider adding --tsaurl with your CA's timestamp server so the signature remains valid after the certificate expires.
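As an added example (not code from this article, from DigiCert, or from the Jsign project), the following bash script wraps the signing step in the checks a practitioner would want before handing a certificate to Jsign: that the certificate the CA returned really carries the public key of the Cloud HSM key version, that it has the Code Signing extended key usage, and that it has not expired. The function names, the key version number passed in, the file names and the use of DigiCert's public timestamp server are assumptions; the gcloud and Jsign flags are the ones those tools document.

```shell
#!/usr/bin/env bash
# Added example (not from the article): pre-flight checks before handing a
# certificate and a Cloud HSM key to Jsign, followed by the signing call.
# Requires openssl on PATH; sign_with_kms additionally needs java and gcloud.
# Assumed inputs: a PEM certificate chain file (the --certfile) and the PEM
# public key of the KMS key version, as returned by
# `gcloud kms keys versions get-public-key`.
set -euo pipefail

# SHA-256 over the DER SubjectPublicKeyInfo, so that PEM line wrapping or
# header differences cannot produce a false mismatch.
spki_fingerprint_of_pubkey() {
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

spki_fingerprint_of_cert() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 when the leaf certificate in $1 carries exactly the public key in $2.
# A mismatch means the certificate was issued for a different key (or the KMS
# key version was rotated), and Jsign would fail or produce an unverifiable
# signature.
cert_matches_kms_key() {
  [ "$(spki_fingerprint_of_cert "$1")" = "$(spki_fingerprint_of_pubkey "$2")" ]
}

# Authenticode requires the Code Signing extended key usage (1.3.6.1.5.5.7.3.3).
cert_has_codesigning_eku() {
  openssl x509 -in "$1" -noout -text | grep 'Code Signing' >/dev/null
}

# Returns 0 if the certificate has not expired (checkend 0 = "valid right now").
cert_is_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Download the public key of one key version from Cloud KMS (needs gcloud and
# permission to view the public key).
fetch_kms_pubkey() { # project location keyring key version outfile
  gcloud kms keys versions get-public-key "$5" --key "$4" --keyring "$3" \
    --location "$2" --project "$1" --output-file "$6"
}

# Run the checks, then sign with Jsign. The key version is pinned in the alias
# (Jsign accepts KEY_NAME/cryptoKeyVersions/N as the alias); the DigiCert TSA
# URL is an assumption chosen so the signature outlives the certificate.
sign_with_kms() { # jsign.jar project location keyring key version chain.pem artifact
  local jar=$1 project=$2 location=$3 keyring=$4 key=$5 version=$6 chain=$7 artifact=$8
  local pub
  pub=$(mktemp)
  fetch_kms_pubkey "$project" "$location" "$keyring" "$key" "$version" "$pub"
  cert_matches_kms_key "$chain" "$pub" \
    || { echo "refusing to sign: $chain was not issued for $key version $version" >&2; return 1; }
  cert_has_codesigning_eku "$chain" \
    || { echo "refusing to sign: $chain lacks the Code Signing EKU" >&2; return 1; }
  cert_is_valid_now "$chain" \
    || { echo "refusing to sign: $chain has expired" >&2; return 1; }
  rm -f "$pub"
  java -jar "$jar" --storetype GOOGLECLOUD \
    --storepass "$(gcloud auth application-default print-access-token)" \
    --keystore "projects/$project/locations/$location/keyRings/$keyring" \
    --alias "$key/cryptoKeyVersions/$version" \
    --certfile "$chain" \
    --tsaurl http://timestamp.digicert.com \
    "$artifact"
}

# Usage (runs only when executed with all eight arguments; sourcing the file
# just defines the functions):
# ./kms-sign.sh jsign.jar PROJECT_ID LOCATION KEY_RING KEY_NAME 1 full-chain.pem app.exe
if [ "$#" -eq 8 ]; then
  sign_with_kms "$@"
fi
```

The fingerprint comparison is done on the DER-encoded SubjectPublicKeyInfo rather than on the PEM text, so a certificate and a KMS public key that differ only in line wrapping still match, while a certificate issued for another key (or a rotated key version) is rejected before any signing call is made.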

Conclusion

The process uses Jsign to sign executables with a key held in Google Cloud HSM. You need a Google Cloud project with Cloud KMS, a Windows machine with Java and gcloud, and a code signing certificate. You first create an HSM-protected key, download its attestation, generate a CSR for it and obtain a certificate from the CA; you then use the CA-issued certificate with Jsign to sign your software, while the private key stays inside the HSM.

DigiCert's code signing certificates support Google Cloud HSM and Cloud Key Management Service. You can purchase a DigiCert EV Code Signing Certificate from us.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.