Getting Started with Code Signing SafeNet Authentication Client
Code signing is the process of digitally signing executable Code with a certificate to prove the identity of the publisher and ensure that the Code has not been tampered with. SafeNet Authentication Client is a program used to generate and store digital certificates for securely signing codes.
SafeNet Authentication Client allows developers to implement a robust code signing process. It integrates with the Windows certificate store to allow easy access to certificates for code signing. The client also enables two-factor authentication for private key protection. This prevents unauthorized access to code signing certificates.
Also Read: What is Code Signing Time Stamping?
Why Code Signing is Important
Code signing provides several important security benefits:
- Proof of identity: Code signatures are issued by trusted Certificate Authorities who validate the publisher’s identity. This verifies to users that the Code is from a legitimate publisher.
- Tamper Protection: Any changes made to the signed Code will invalidate the signature. This allows users to detect if the Code has been altered or corrupted since Signing.
- Malware Prevention: Many systems are configured to block unsigned executables or warn users before running them. Code signing prevents malware from disguising itself as legitimate software.
- Accountability: If any issues arise, the Signed Code can be traced back to the publisher. This ensures the publisher can be held accountable for its Code.
Overview of SafeNet Authentication Client
SafeNet Authentication Client is a certificate management program that enables secure code signing by:
- Providing protected local storage of code-signing certificates
- Integrating with Windows certificate stores for easy access
- Facilitating two-factor authentication for private key security
- Automating repetitive code signing tasks
The client is designed for both enterprise and individual software developers. It simplifies the code signing process while ensuring protection against the compromise of code signing keys.
Key features of SafeNet Authentication Client include:
Secure USB Tokens: Certificates are stored on encrypted USB devices that require two-factor authentication to access keys. This prevents unauthorized Signing.
- Smart Card Support: Compatible with smart cards that provide tamper-resistant certificate storage.
- Biometric Authentication: Use fingerprint scanners or facial recognition for two-factor authentication.
- FIPS 140-2 Level 2/3: Meet stringent industry standards for cryptographic security.
- Auto Certificate Selection: Automatically select the correct certificate for code signing tasks.
- Seamless Integration: Integrates with Visual Studio, Windows Explorer, MSBuild, and other developer tools for streamlined Signing.
Installing SafeNet Authentication Client
SafeNet Authentication Client can be installed on Windows and Linux operating systems. The general installation steps are outlined below:
Windows Installation
- Download the SafeNet Authentication Client installer from the official website.
- Run the downloaded .exe installer and proceed through the installation wizard.
- At the prompt, choose a location for the SafeNet Client program directory. The default is C:\Program Files\Gemalto\SafeNet Authentication Client.
- Once installation is completed, the SafeNet Authentication Client will launch automatically. The system tray icon indicates it is running.
Linux Installation
- Download the SafeNet Client .rpm or .deb package for your Linux distribution from the customer support portal.
- Open a terminal window and navigate to the download folder.
- Run the appropriate install command:
- For RPM packages: sudo rpm -i safenet-authentication-client-xxx.rpm
- For DEB packages: sudo dpkg -i safenet-authentication-client-xxx.deb
- Follow the on-screen prompts to complete installation.
- The SafeNet Client GUI can then be launched by running /opt/safenet/authentication/Start.sh
Obtaining a Code Signing Certificate
To use SafeNet for code signing, you will need a valid code signing certificate from a trusted Certificate Authority. The main options are:
- Buy from a public CA like Comodo, DigiCert, GlobalSign, etc. This allows your Code to be trusted by default on most devices.
- If you want to create certificates exclusively for your organization, use an internal private CA. This requires configuring each device to trust your private CA first.
- Use a self-signed certificate for testing or very small-scale code signing. Self-signed certificates provide cryptographic validity but will generate warnings on user devices.
For broader compatibility, purchasing a certificate from a commercial public CA is recommended. The process typically involves:
- Generating a certificate signing request (CSR) on your local system. This can be done through SafeNet Client.
- Submitting the CSR to the CA and providing organization identity verification as needed.
- Waiting for the CA to validate, sign, and return the certificate. This can take 1-5 days.
- Download the issued certificate to your local system.
Once you have the signed certificate file (usually in .pem or .p12 format), you can import it into SafeNet Client for signing.
Importing Certificates to SafeNet Client
There are two methods to import a code signing certificate to the SafeNet Authentication Client:
Import into Local Token Storage
This securely stores the certificate in SafeNet’s encrypted local token. It is the recommended method as it enables the full security capabilities of SafeNet Client.
- Open the SafeNet Client application. Go to Tools > Options and ensure local token storage is enabled.
- If your secure USB token is not already connected, connect it. Certificates can only be imported when a token is associated.
- Go to Certificates > Import Certificate and browse to select your code signing certificate file.
- The certificate’s private key will be extracted and encrypted to store in the token. Provide any requested password or credential confirmation.
- Once completed, the certificate will appear in your certificates list under the Local Security Officer token.
Import into Windows Certificate Store
You can also import the certificate to the Windows system certificate store. This method provides less security but allows other applications to access the certificate.
- Open the Windows certificate manager (certmgr.msc)
- Go to the Trusted Root Certification Authorities > Certificates.
- Right-click on Certificates and select All Tasks > Import.
- Import your code signing certificate file. Windows will store the private key.
- The certificate will now appear in the certificates list.
SafeNet Client is integrated with the Windows certificate store, so any certificate imported this way will also be selectable from within the SafeNet application.
Configuring Certificate Auto-Selection
SafeNet Client can be configured to automatically select the correct certificate for code signing events based on different rules.
This prevents you from having to choose a certificate each time you manually sign the Code. To set up auto-selection:
- In SafeNet Client, go to Tools > Certificate Selection Configuration
- Click the Auto select certificate checkbox.
- Under Auto Select rules, click Add to create a new rule.
- Give the rule a name like “Sign Company Code.“
- Under Certificate Property, select Intended Purpose and set it to Code Signing.
- Click OK to create the rule. You can add multiple rules as needed.
- Order the rules with the up/down arrows to set the desired precedence.
- Check the Enabled box next to each rule you want to activate.
- Click OK to save the configuration.
Now, when you execute a code signing operation, SafeNet Client will automatically find a valid code signing certificate based on your rules.
This helps streamline the code signing process, so you don’t have to select a certificate each time manually.
Digitally Signing Code with SafeNet
Once your code signing certificate is installed in SafeNet Client, you can use it to sign Code digitCode. Here are the basic steps:
Sign Code using SafeNet Client
- Open SafeNet Authentication Client. Make sure your code signing certificate token is connected.
- Go to Tools > Sign File/Folder/Code.
- Browse and select the file or folder containing your executable Code to be signed.
- The certificate configured for code signing will be automatically selected based on your auto-selection rules.
- Click Sign. The Code will be signed using your certificate’s private key.
- The digital signature is embedded into the executable files. The Code is now fully signed.
Sign code through an IDE like Visual Studio
- From within Visual Studio, right-click on the project in Solution Explorer and choose Properties.
- Go to Signing and check the box to sign the ClickOnce manifests.
- Select your code signing certificate from the dropdown if prompted. SafeNet certificates will appear in the list.
- Build your code package as normal. The compiled executables will be digitally signed using the selected certificate.
- You can verify signatures by right-clicking the files, choosing Properties, and checking the Digital Signatures tab.
Be sure to backup your original unsigned code. Signing irrevocably modifies the executable, so you cannot “unsign” it after the fact.
Renewing a Code Signing Certificate
Code signing certificates have an expiration date set by the issuing CA, usually 1-3 years from issuance. As this date approaches, you will need to renew your certificate to maintain valid code signatures. The renewal process is similar to the initial application:
- Generate a new certificate signing request in SafeNet Client a few weeks before expiration.
- Submit the CSR to your CA to request renewal.
- The CA will have you verify your identity for security purposes.
- Once approved, the CA issues and sends you a renewed certificate file.
- Import this renewed certificate into SafeNet Client, overwriting the expiring certificate.
Be sure to check certificate expiration dates and plan renewal cycles accordingly to prevent any disruption to your code signing capabilities.
Final Thoughts
Code signing is essential to establishing trust in software. SafeNet Authentication Client provides a robust set of capabilities to enable enterprise-grade Code signing security.
With protected certificate storage, two-factor authentication, automated Signing, and tight access controls, SafeNet helps organizations sign codes with a high degree of integrity.
This tutorial covered the end-to-end process of using SafeNet for code signing, from installation and certificate acquisition to signing Code and renewing certificates.
Following the guidelines in this guide will help you implement a code-signing solution that provides security, efficiency, and flexibility for your organization’s needs.
Frequently Asked Questions
Does SafeNet Client work on macOS or Linux?
Yes, SafeNet Authentication Client is available for macOS, Windows, and Linux platforms. The core functionality is consistent across operating systems.
Can I sign the Code when offline or disconnected from the network?
Yes, SafeNet allows fully offline code signing using locally stored certificates in secure hardware tokens. This enhances security.
What types of Code can be signed with SafeNet Client?
SafeNet can sign any executable code, including EXEs, MSIs, device drivers, scripts, Java code, and .NET assemblies.
Can I back up or extract the private key from a SafeNet certificate?
No, private keys stored in SafeNet tokens cannot be extracted or backed up. This prevents unauthorized access and copying of signing keys.
Does SafeNet Client integrate with my existing enterprise PKI infrastructure?
Yes, SafeNet Client can interoperate with most X.509 PKI, LDAP, and Active Directory environments for enterprise-wide certificate management.
What happens if my code signing certificate expires before I can renew it?
Any code already signed will remain valid. But you will not be able to sign a new Code until you obtain and import a renewed code signing certificate.
- RSA 2048 bits or larger
- ECC P-256 or P-384
Larger key sizes provide greater security but take longer to generate and sign with.
Can I store Code signing certificates and keys for multiple applications in YubiHSM 2?
Yes, YubiHSM 2 can hold keys for signing numerous applications and packages. Be sure to use unique label names for each one.
Does YubiHSM 2 integrate with common code signing utilities like jarsigner and SignTool?
Yes, the YubiHSM Connector provides a PKCS#11 interface that is compatible with jarsigner and SignTool for signing operations using keys in YubiHSM 2.
Can I store code signing keys for multiple applications from different developers on one YubiHSM 2?
Yes, when properly partitioned, one YubiHSM 2 can hold keys for many different applications and development teams. To restrict cross-signing, assign each key to a different domain or credential group.
What happens if the code signing certificate expires? Do I need to re-sign all my Codes?
When the code signing certificate expires, you should generate a new certificate and sign future releases. However, the existing signed Code remains valid and verified using the original expired certificate-no need to re-sign released artifacts.
Is there a sample code available for integrating YubiHSM 2 with Java code signing workflows?
Yes, Yubico provides code examples on GitHub for integrating YubiHSM with common Java build tools like Maven and Gradle. These serve as a good starting point for your integrations.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
