How to Use Google Cloud KMS with Sectigo Code Signing Certificates?

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 5.00 out of 5)
Loading...
Google Cloud KMS Instruction Sectigo

Code signing is an essential method of ensuring software authenticity and trust. By using a secure Cloud HSM, such as Google Cloud KMS, the risk of private key exposure is non-existent.

This article will guide you in using Google Cloud Key Management Service (KMS) to issue and maintain a Sectigo Code Signing Certificate to achieve the best possible security posture throughout the software development lifecycle.

Why Use Google Cloud KMS with Sectigo?

When combining Google Cloud Key Management Service (KMS) with a Sectigo Code Signing Certificate, a scalable and highly secure solution is realized.

For secure organizations with DevOps teams, this is an excellent path to protecting private keys, automating signing solutions, and automating compliance with security constructs.

Discover below a more comprehensive outline of the benefits of using Google Cloud KMS with Sectigo:

FIPS 140-2 Level 3 Compliance

Google Cloud KMS with Cloud HSM achieves FIPS 140-2 Level 3 compliance as one of the most stringent standards for cryptographic protection. This certification guarantees that private keys are safe inside tamper-resistant hardware where they cannot be extracted.

Many regulated industries including finance, healthcare or governments will require this form of compliance.

Sectigo can provide this level of trust by issuing certificates for keys generated and stored inside FIPS compliant HSMs thereby ensuring your code signing process will have the utmost security and satisfy the requirements of auditors and regulations like HIPAA, SOC 2 and GDPR.

Private Key Never Leaves the HSM

One of the greatest benefits of using Google Cloud KMS with Sectigo is that your private key never leaves the secure environment of the HSM. The key is generated in the HSM and locked from export or access to any user or application.

All of the cryptographic uses of the keys including signing executables are performed within the HSM. 

Having this architecture eliminates some of the major attacks such as key theft from compromised machines or leaked .pfx files that are the norm when using traditional code signing solutions.

Sectigo improves on this security posture by only issuing certificates after validating that the private key is stored securely inside the HSM.

Centralized Key Management

Google Cloud KMS provides a single service for managing all of your cryptographic keys, including those for code signing. You can define IAM-based policies to limit access to keys, operations, and logging frequency on those operations.

With integrated audit logging you can trace every use of your code signing key, creating a high-quality chain of custody. Sectigo’s certificates work perfectly in this model, providing you with a fully traceable and managed solution for secure software publishing.

Scalable Signing for DevOps & CI/CD

Modern software development increasingly relies on automation, even in CI/CD pipelines. Automation is where Google Cloud KMS and Sectigo certificates can help by simplifying the signing process while keeping the keys secure.

Google Cloud KMS holds the private keys, and the keys can be accessed programmatically by trusted workloads to perform signing of files during build or deployment.

You can sign applications, drivers, and containers securely, all directly from GitHub Actions, Jenkins, GitLab CI, or other CI tools with an automated signing workflow—without many physical USB tokens or smartcards required.

Additionally, Sectigo supports the use of keys that reside in an HSM for key usage, which allows you to continue to scale code signing as part of your DevOps process.

Prerequisites

To use Google Cloud Key Management Service (KMS) securely with Sectigo Code Signing Certificates, there are certain prerequisites you need to ensure you have in place.

These prerequisites will ensure you meet Google’s technical requirements, and Sectigo’s validation and issuance requirements for an issuing secure code signing.

Below is a more expanded explanation for what you need to have before proceeding with getting started:

Google Cloud Platform (GCP) Account

You need to have an active Google Cloud Platform (GCP) account that has billing enabled. Many Google Cloud services including Cloud KMS and CloudHSM will not function unless they are used as a billing-enabled project.

If your project is not billing-enabled you will be unable to create the keys, generate the CSR, or do anything with the issued certificate.

In addition, your account may need administrative rights to manage the Identity and Access Management (IAM) policies, create keys, configure APIs as needed, etc.

Enabled APIs

In order to start using Google Cloud KMS and HSM you must first make sure that both Cloud Key Management Service(KMS) and Cloud HSM APIs are enabled in your GCP project.

These APIs must be enabled for provisioning and working with the cryptographic key materials associated with the APIs.

Again, you can enable the APIs, via the Google Cloud console, or using  gcloud command-line interface (CLI) via calls like  gcloud services enable cloudkms.googleapis.com.

Cloud HSM Setup

For organizations needing additional compliance controls, or for organizations needing higher security on keys, such as for Extended Validation (EV) code signing, using Cloud HSM is recommended over software-backed keys.

Cloud HSM will be built with FIPS 140-2 Level 3 validated security modules, and meet Sectigo’s code signing requirements for high assurance.

When you are setting up your CloudHSM you will need to choose a region that is supported  (e.g., us-central1, europe-west1) and configure HSM-backed key rings and keys in the way that Sectigo expects for secure key storage.

IAM Permissions

Proper IAM roles and permissions are necessary to effectively manage key creation, key access, and key usage.

At minimum your user or service account should be assigned roles/cloudkms.admin to create and manage KMS keys, and roles/iam.serviceAccountUser to allow the signing process to use keys by invoking them through the service accounts you created.

These permissions will allow you to interact and conduct business with Cloud KMS in the way you need to, having the utmost control over access to your resources.

Key Usage Policy in Cloud KMS

When you create your key in Google Cloud KMS, it is important that you select the correct usage policy and algorithm. 

Your key usage policy should be set to Asymmetric Sign with a compatible algorithm such as RSA_SIGN_PKCS1_3072_SHA256 or RSA_SIGN_PKCS1_4096_SHA256

These types of configurations will help ensure the key you are creating is able to sign binaries and software, which is required to create the Code Signing Certificates.

Step-by-Step Guide to Using Google Cloud KMS with Sectigo Code Signing Certificates

Step 1: Create Key Ring and RSA Key in Google Cloud KMS

1. Making a Key Ring

    Go to the Google KMS Console and create a new key ring.

    2. Create a New Key

      Make sure that you apply this guide using the exact same settings outlined within it:

      • Security Level: HSM
      • Key Type: Asymmetric signing
      • Algorithm: RSA 3072-bit, PKCS#1 v1.5 padding – SHA256 Digest

      3. Download Attestation Bundle

        After the key has been created and brought into being:

        • Press Actions > Validate Attestation
        • You are welcome to download the .zip file, as it will be required for the certificate enrollment process you are about to undertake.

        Step 2: Create a CSR using OpenSSL and Google KMS PKCS#11

        You will now generate the Certificate Signing Request (CSR) for your HSM-protected key.

        1. Start installing and configuring your Linux system to its maximum potential. Install needed packages:

        sudo apt-get update

sudo apt-get install libengine-pkcs11-openssl opensc

        2. Download Google PKCS#11 Library

        Download and unzip the Google PKCS#11 library: Google Cloud PKCS #11 Documentation

        No need to install—simply point to the .so file directly.

        3. Configure OpenSSL

        Set the environment variables as appropriate:

        export PKCS11_MODULE_PATH="/path/to/libkmsp11.so"

        To generate a YAML configuration file for your particular key and set, do the following:

        export KMS_PKCS11_CONFIG="/path/to/your_config.yaml"

        In order to specify the key_ring, location, and other interesting elements, Follow Google’s YAML config guide to define key_ring, location, etc.

        4. Setting Up Authentication Procedures

        Option 1: A Service Account

        Assign and construct:

        • Cloud KMS Admin
        • Cloud KMS Crypto Operator positions

        Then go ahead and download the JSON key file and make sure to specify:

        export GOOGLE_APPLICATION_CREDENTIALS="/path/to/keyfile.json"

        Option 2: The Workload Identity Federation

        Use this approach to achieve a more secure identity-based access, which will eliminate the use of service account keys in the process.

        5. Confirm the Link

        Run this particular command to check your access to the keys:

        pkcs11-tool --module /path/to/libkmsp11.so --list-objects

        6. Create the CSR

        Execute the following command to generate the CSR:

        openssl req -new -subj '/CN=Your Company Name, LLC/' \

 -sha256 -engine pkcs11 -keyform engine \

 -key pkcs11:object=your_key_name \

 > code_signing_request.csr

        Note: Insert  your_key_name with the name of your key (e.g., mycskey). You should not use the full resource path because of length restrictions.

        Step 3: Submit CSR and Attestation to Sectigo

        When enrolling:

        • Upload the code_signing_request.csr file
        • Upload the attestation ZIP file downloaded from Google KMS

        Step 4: Sign Your Code on Windows with SignTool

        Once you have the issued certificate, you can use it to sign your code.

        1. Install Required Tools

        • Google Cloud KMS CNG Provider (install using .msi)
        • Microsoft SignTool (available in Windows SDK)

        2. Authenticate to Google Cloud

        gcloud auth application-default login

        3. Run SignTool

        signtool sign /v /debug /fd sha256 /t http://timestamp.sectigo.com \

 /f path/to/mycertificate.crt \

 /csp "Google Cloud KMS Provider" \

 /kc projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/1 \

 path/to/yourapp.exe

        Replace PROJECT_ID, LOCATION, etc., with your actual key path.

        Conclusion

        Are you ready to elevate your code security? Certera makes it easy to integrate smoothly with Google Cloud KMS to prove your software is trustworthy, tamper-proof and conforms to modern security standards.

        Trusted Code Signing Certificates

        Obtain Code Signing Certificate and Add Digital Signature on a File, Script, or Software to Prevent Tampering!

        Starts at Just $215.99/Year