Authenticode Code Signing



Since malicious code (viruses, ransomware, Trojans, etc.) is a serious threat to disrupt and financially harm organizations, it is imperative to authenticate code prior to use. Microsoft Authenticode reduces the level of risk and minimizes exposure to malicious code by defining a set of security zones, and associated rules, that determine code authentication and user notification within each zone. At the heart of authenticating code is the ability to determine if it originated from a trusted software publisher, or if it has been tampered with since it was published.

Microsoft Authenticode provides services that assist software publishers in establishing a trusted identity, and in digitally signing their code prior to publishing. The resulting digital signature allows recipients of the published software to both authenticate the author and ensure the code has not been tampered with.

To create a digital signature, the software publisher needs to acquire a code signing certificate. Depending on the application, the code signing certificate may be obtained from a commercial Certificate Authority (CA), certificate server such as Microsoft Certificate Server, or certificate appliance such as the BlackVault CA. To obtain a code signing certificate, the publisher must create a public / private cryptographic key pair. The public key is included in the signing certificate along with other identifying information.

The actual code signing process consists of creating a hash* of the executable software and encrypting this hash with the publisher’s private key (created above). It may also include a time stamp of when the code was signed. The encrypted hash, code signing certificate and executable are bundled together to become the signed code.

When the code is authenticated, the code signing certificate is verified, and the hash is decrypted using the publisher’s public key obtained from the certificate. A new hash is then computed across the executable and compared with the decrypted hash. If they match, the code is authenticated.


At the heart of this process is the private key created when the code signing certificate was generated. This private key must be kept secret by the publisher, because if compromised, it could be used to fraudulently sign malicious software which would appear as if it is from the trusted publisher. Best practices for protecting private keys ensure they can never be accessed in an unencrypted form and that operations performed with these keys do not expose the private key.

To meet these best practices, Microsoft Authenticode supports protecting keys within Hardware Security Modules (HSM). The BlackVault HSM provides physical and logical barriers to attack that do not exist with a software only security solution. It also provides multi-factor and Quorum authentication not found with USB and smart card tokens.

With the BlackVault HSM, key generation and digital signature operations are performed inside of the protected cryptographic boundary and private keys are never exposed. When private keys are backed up or transported outside of the BlackVault HSM, they are encrypted and the cryptographic material can be distributed across multiple smart cards for additional security. The BlackVault HSM is certified to FIPS Level 3, meaning environmental, electrical or physical tamper will result in deletion (zeroize) of the cryptographic keys. It’s long battery life also allows for transport and offline storage in a secure room or safe.

 NEW SMART CARD BV L angle with screen smCROPED

Engage BlackVault HSM

BlackVault is a compact cryptographic appliance with a unique color touch screen display, smart card reader, USB and Ethernet ports, and it supports all major cryptographic APIs. This includes Microsoft Cryptography API (CAPI) and Cryptography Next Generation (CNG) for seamless integration with Microsoft Authentication services. It also supports a wide variety of the latest cryptographic and hashing algorithms, including Suite B and elliptical curve cryptography.

In addition, the BlackVault HSM quorum feature prevents code signing and publication until the appropriate “sign-offs” occur. For example, if Product Management, Development, and QA are required to sign-off on a new release, each signatory would insert and authenticate their individual smart cards before the BlackVault allows the code signing operation. 

Using the BlackVault HSM with Microsoft Authenticode ensures:

  • Publishers’ private signing keys are secured with best practices FIPS Level 3 hardware security module technology;
  • Use of private keys for code signing is performed within a FIPS Level 3 silicon based cryptographic boundary;
  • The code release approval process is enforced by preventing code signing until an “M of N” quorum is present;
  • Keys can be securely backed up on a BlackVault HSM clone;
  • Simplified installation, configuration and operation with the BlackVault HSM’s touch screen color display;
  • HSM authentication is not exposed to compromise from intermediary software or devices with the BlackVault HSM’s single trust path authentication capability.

Engage logo 990000 rev 2.000
9565 Soquel Drive Dr,
Aptos, CA 95003
Telephone: +1-831-688-1021
Toll Free : +1-877-ENGAGE4
Designed, Fabricated, and Assembled
in America icon
Supported Worldwide