How to Keep Your Digital Signature Credentials Safe with YubiKey?
In our previous post, we explained what YubiKey is. How to use it for code signing?
Now let us discuss the importance of securely storing credentials and introduce the concept of using a dedicated removable device. We will specifically focus on the YubiKey from Yubico.
Secure your Code Signing Certificate with YubiKey
Code Signing Certificates ensure the software’s integrity and authenticity. Whereas YubiKey is a hardware-based authentication device for code signing certificate security.
Here are a few key points:
Point 1:
Storing credentials on disk, even on a removable USB flash drive that is only plugged in when signing binaries (executables), is considered a bad idea. This approach is vulnerable to security risks, as the credentials can be accessed or compromised if the device or disk is lost, stolen, or compromised.
Point 2:
Storing credentials in the Windows certificate store as an alternative is also not considered a robust security solution. The text implies that more than relying solely on the built-in security measures provided by Windows is required. Using a metaphor suggests it’s as effective as throwing a chair with Steve Ballmer (former CEO of Microsoft) sitting on it. In other words, it could be more secure.
Point 3:
Instead, the text suggests using a dedicated removable device explicitly designed to protect sensitive credentials. It introduces the concept of FIPS 201 Personal Identity Verification (PIV) devices, which comply with a U.S. government standard for secure credentials.
Point 4:
The YubiKey from Yubico is highlighted as an example of a convenient and relatively affordable PIV device. The author mentions that they will focus on explaining the usage of YubiKeys specifically, although the general process may also apply to other FIPS 201 PIV devices.
Now we know the importance of securely storing credentials and using dedicated PIV devices like the YubiKey as a secure solution for protecting sensitive information. It discourages relying solely on disk storage or the Windows certificate store for storing such credentials.
Storing your Code Signing Credential into a YubiKey
This section provides instructions on how to store your code signing credential into a YubiKey, a hardware security device.
Here’s a breakdown of the steps:
Step 1: Open PIV Manager (pivman.exe) is the software used to manage YubiKey’s Personal Identity Verification (PIV) functionality.
Step 2: Plug in your YubiKey. If it’s your first time using it, you’ll be asked to set a PIN (Personal Identification Number) for the device.
Step 3: On the PIN setup screen, keep the “Use PIN as key” option checked under “Management Key“. This option relates to how the PIN is used to authenticate and unlock the YubiKey.
Step 4: For code signing on Windows, you can overlook the recommendation for cross-platform compatibility regarding the PIN. Windows doesn’t have issues using a PIN that includes extended alphanumeric characters. The PIN is already short enough at eight characters.
Note: It’s important to note that the YubiKey, like a credit card, allows only three attempts to enter the correct PIN before locking itself—such a security measure to protect the data stored on the device. If the YubiKey gets locked, it can be reset, but the credentials stored on it will be lost.
Step 5: After setting the PIN, you should see a screen where you have to click the “Certificates” tab in the PIV Manager.
Step 6: Select the “Digital Signature” section in the Certificates screen. This is the type of certificate you’ll require for code signing.
Step 7: Click “Import from file” and select your .p12 code to sign the credential file. You will be prompted to enter a password for the private key within the .p12 file, not the PIN you set for the YubiKey.
Step 8: If the import process is successful, you will see a notice indicating so. At this point, you can unplug your YubiKey.
Step 9: Plug the YubiKey back in, and return to the “Digital Signature” certificate in the PIV Manager. You should now see details about the installed credential, indicating that it is ready to be used for code signing.
Following these steps should allow you to store your code signing credential on the YubiKey and use it for digital signing.
Cheap Code Signing Certificates
Prevent Code Tampering and Authenticate Code Integrity by Digitally Sign your Code with Trusted Code Signing Certificates.
Starting at Just $215.99/Year