Jump to content
A.M. Hoornweg

New security requirements for code signing, disruptive ?

Recommended Posts

10 hours ago, Angus Robertson said:

That concept I can live with for a local dongle, the major problem I have is with shipping physical dongles around the world each year to be updated. customs do not like USB keys.

I didn't have any issues with that last time.. but that was 3 yrs ago. I'm sure these dongles will be a nice little earner for thales and the CA's - the cost of certificates is already outrageous without the added expense of the dongle. CA's say the cost is for the time spent validating the applicants - my guess is much of that is automated - and they have minimum wage call centers doing the rest. License to print money. 

  • Like 1

Share this post

Link to post
19 hours ago, Uwe Raabe said:

As far as I understand, the dongle is for the system that does the signing, not the one checking the signed exe.


The problem I see is that this completely counterfeits the idea of virtualization when the dongle (or HSM) is hardware bound. I can move around my build server and agents, which are all realized as VM. If my build machine breaks, I can easily set up a new one and continue. In case of a dongle I may be able to move it too, as long as it did survive the fire, flood, earth  quake or bomb attack that destroyed the old machine. It creates a new hardware dependency and a single point of failure.

In the case of VMWare, the "hardware identity" of the machine is determined by some entries in the *.VMX file which can be manually edited as long as the VM is unencrypted. 
These entries are "uuid.bios" and "uuid.location".  The VM's MAC addresses are also derived from these ID's. 


It is vital to set uuid.action="keep" if you want to force VMWare to maintain the hardware identity of a VM if it is moved to a different host machine.

Share this post

Link to post
On 10/4/2022 at 11:23 PM, Vincent Parrett said:

Thanks. One thing to bear in mind with usb is that it is very sensitve to latency - so not sure how it would work in high latency connections. I have fiber at home and get 6ms pings to the data center where our servers live - which is fine. I suspect anything over 30ms might be a problem for some devices.  

nSoftware just announced PKI Proxy. I'm still using "old" file-based certificates but it looks like it could be a viable solution: https://www.nsoftware.com/pkiproxy/

Share this post

Link to post
Posted (edited)
10 hours ago, John R. said:

nSoftware just announced PKI Proxy

looks interesting - but for historical reasons I'll probably not use anything from them (currently working on replacing SBB). 

Edited by Vincent Parrett

Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now