Code Signing

Unbound Key Control (UKC) gives you a single, centralized code signing solution that covers development teams across your entire global, hybrid cloud infrastructure.


Securing Your Code Shouldn’t Impede Your Innovation

The efficacy of code signing as an authentication mechanism for software depends on the integrity of code signing keys. Unfortunately, properly implementing code signing and adequately protecting the private keys and certificates is growing more and more challenging in today’s world of increased virtualization, scaling and distribution.

Hardware Security Modules (HSMs) Aren’t Compatible with the Digital Era

Using dedicated HW across multiple sites creates silos, making centralized management and policy enforcement difficult

The manual set-up, admin & maintenance of dedicated HW conflicts with the short delivery cycles and automation needs of DevSecOps

Granular user-based auditing isn’t readily available even though many code signing activities are user and file-specific

HSMs don’t support the ability to grant authentication to a specific user using a specific build application

The ability to control keys in the public cloud is very limited, and synching keys across different CSPs is near impossible

Protect Your Software with Software-Defined Code Signing

The Unbound Key Control (UKC) code signing solution delivers hardware-level security without the hardware, making it an excellent fit for organizations with hybrid cloud environments and/or disparate development sites. This platform-agnostic solution has fully abstracted the hardware and can be deployed as a single, centralized code signing solution to cover development teams in disparate locations using any mix of environments (public cloud, private cloud, on-premises). UKC is very easy to use and supports full automation of all operations, including maintenance, setup and administration, seamlessly integrating with DevSecOps processes to ensure secure and rapid application delivery.

UKC includes advanced context-based auditing tools that give you the full details of every code signing operation, every time a key is used. Logs include the type of operation; the date and time of the operation; the build server from which the request was made; and the user that authorized the code signing operation. Audit logs can be viewed from the UKC console or exported to a third-party tool such as a SIEM.

Providing an additional security layer that is highly effective and easy to use, UKC integrates with organizational directories such as Active Directory and also supports SAML-based user/application authentication.

Any Code, Anywhere

Cover distributed teams using any mix of cloud/hybrid environments for code signing on multiple platforms

DevSecOps Ready

Seamlessly integrates with your DevSecOps processes to ensure secure and rapid application delivery

Infinitely Scalable

Fits any deployment size and complexity including huge development teams distributed globally

Fully Automated

Supports full automation of all operations including maintenance, setup and administration

User-level Audit

Seamless AD/IDaaS integration for user-based authentication and auditing on your code signing keys

How Does it Work?

Unbound Key Control enables secure management of cryptographic keys on any standard platform, including physical/virtual machines and containers.

A typical code signing process starts by calculating the hash of the code using an algorithm such as SHA-1 or SHA-2. The build server then sends a certification request to Unbound, accompanied by the application name, the hash and the public key. Unbound signs the hash with the private key, using an MPC protocol to access both key shares. The signed hash is then returned to the build server.

1. Create a hash of the code using an algorithm such as SHA-1 or SHA-2.

2. Certificate Request (Application Name & Version, Hash, Public Key).

3. Unbound signs the hash with the private key.

4. Unbound returns the hash signed with the private key.
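
The four steps above, as an added Python sketch that is not Unbound's code: the page does not specify its MPC protocol, so an additive split of a textbook RSA exponent between two hypothetical nodes stands in for it, showing that a valid signature can be produced without either node using the whole key. The key, function names and request fields are assumptions; production signatures also apply PKCS#1 v1.5 or PSS padding, omitted here to keep the arithmetic visible.

```python
import hashlib
import secrets

# Constructed toy key from two Mersenne primes so the example runs offline.
# D is computed here only to create the shares for the demonstration.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)


def split_key(d: int, phi: int):
    """Additively split d into two shares with d1 + d2 = d (mod phi)."""
    d1 = secrets.randbelow(phi - 1) + 1
    return d1, (d - d1) % phi


def code_digest(code: bytes) -> int:
    """Step 1: hash the artifact. SHA-256 (SHA-2 family); SHA-1 has known collisions."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")


def partial_sign(digest: int, share: int) -> int:
    """Step 3, run by each share holder with its own share only."""
    return pow(digest, share, N)


def combine(s1: int, s2: int) -> int:
    """h^d1 * h^d2 = h^(d1+d2) = h^d (mod N): the full key is never assembled."""
    return (s1 * s2) % N


def verify(code: bytes, signature: int) -> bool:
    """Check with the public key (N, E) that the signature matches the code's hash."""
    return pow(signature, E, N) == code_digest(code)


def sign_build(app: str, code: bytes, shares) -> dict:
    """Steps 2-4: build the request, sign on two hypothetical nodes, return the result."""
    request = {"application": app, "hash": code_digest(code), "public_key": (N, E)}
    s1 = partial_sign(request["hash"], shares[0])  # node A holds share 0
    s2 = partial_sign(request["hash"], shares[1])  # node B holds share 1
    return {"application": app, "signature": combine(s1, s2)}


if __name__ == "__main__":
    artifact = b"constructed build artifact v1.0"  # constructed sample input
    response = sign_build("demo-app", artifact, split_key(D, PHI))
    print("signature valid:", verify(artifact, response["signature"]))
```
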

Unbound provides hybrid-cloud, multi-site support in a single system deployment, meeting the needs of organizations with large and/or disparate development teams across distributed environments.

A single Unbound Key Control cluster is used to manage all code signing certificates from one centralized system with a single pane of glass. All build servers and developer machines connect to the cluster to consume code signing services.
