Sign applications quickly and securely in the cloud
23 Jun 2022 | Jindřich Zechmeister
The Secure Software Manager component is part of the DigiCert ONE platform, which is a complete and modern PKI management solution. It allows you to sign software using the cloud and connect auto-signing to your CI/CD and agile development. Finally, you can sign anywhere, anytime, automatically and without holding the certificate and private key itself.
Learn about the Secure Software Manager
Are you tired of signing with Code Signing certificates on a token? Of sharing it with the team and constantly entering the token password? Are you paranoid about the possible theft and misuse of your Code Signing certificate? Now you can forget about these worries because Secure Software Manager comes and solves these common problems.
Benefits of signing with the Secure Software Manager
The main advantage of signing with the Secure Software Manager is the location of the keys (private key and certificate) in the DigiCert cloud, so there can be no doubt about the keys’ security and the private key will never get out.
Another great advantage is the possibility to use the Code Signing EV certificate completely freely and without a token. The token prevents you from automating (a password must be entered each time you sign), and is impractical as it needs to be shared when signing in a team. Now you can have both a Code Signing EV certificate and a private key in the cloud, and you can also decide when the certificate can be used. There are also other security elements, such as user management or release planning.
The Secure Software Manager enables you to clearly manage keys and control the rights to them. You set up key and certificate profiles according to what key lengths and algorithms you want to use. You can also schedule a release and disable the use of specific keys after it is done, or set up an automatic key rotation for greater security.
How to sign using the cloud?
The Secure Software Manager uses so-called hash signing, the principle of which is to sign a file imprint (not the file itself) which does not require a certificate with a private key to be available. You can sign the same way as before and you won't even know the difference. However, the security of certificate retention will be significantly increased and the possibility of their misuse is reduced to a minimum. You can read more about the topic of hash signing, for example, in the document Hash Signing with DigiCert Secure Software Manager.
With this method of signing, neither the signed data nor the private key with the certificate travels over the Internet. Only the hash (imprint) of the signed file, which is signed by the private key stored in the Secure Software Manager, travels. The advantage of large files is that you don't have to upload them anywhere; the file can be many gigabytes, but it depends on how quickly the hash can be calculated (fimprint), which is usually done in seconds. After the calculation, signing will be equally fast for all files, because the hash (imprint) will always be the same length (if we use the same function).
The installed DigiCert libraries will create a new key storage provider (KSP - key storage provider) on your computer and mediate communication with the cloud using an API. For the user, everything is as simple as before, when the certificate was stored on the computer. DigiCert has libraries for all major systems so you don't have to worry. You can automate signing with extensive support for tools like Azure DevOps, Jenkins, ANT, Gradle, and Apache Maven.
On Windows, the libraries work with Authenticode and Windows Sign Tool, but also with Mage, Nuget, Clickonce, HLK or HCK tools. This makes it possible to sign not only applications, but also libraries, drivers and practically any type of file. The PKCS11 library is intended for Java, Android, Linux, Docker, OpenSSL platforms; understands Docker Notary tools and formats, APIKSigner for Android, OpenSSL, GPG, Debian, XML, JSign, osslsigncode and others.
About DigiCert ONE
DigiCert ONE is a platform for modern PKI management. It covers every aspect you might need - from your own CA in the cloud to signing files and applications. The platform was developed to be used in automation and integrated into CI/CD. You can find out how to integrate DC ONE into DevOps, for example, in this document. Throw away tokens with Code Signing EV certificates, the future is here!
DigiCert ONE contains the following components, the name of which says it all:
- DigiCert® Secure Software Manager
- DigiCert® IoT Device Manager
- DigiCert® Enterprise PKI Manager
- DigiCert® Document Signing Manager
- DigiCert CertCentral® TLS Manager
How to get Secure Software Manager and DigiCert ONE
You can get the license of the individual components and access to DigiCert ONE through us, DigiCert's platinum partner. Just contact us with a request on our contact email. We will then contact you immediately, discuss the method of use and create a non-binding price offer based on this.