Reputation: 2427
I'm trying to find some documentation about using Google's Cloud HSM to sign executables. I have found a quite comprehensive guide for AWS CloudHSM but AWS pricing (>$1,000/month) seems to be orders of magnitude more expensive for our use-case.
Can I apply the AWS guide (above) to Google's Cloud HSM infrastructure or are there any significant differences that I should be aware of?
Upvotes: 3
Views: 2906
Reputation: 1832
For signing Windows executables (Authenticode) you can use jsign, which supports Google Cloud HSM and works on Windows or Linux (as it is a pure Java tool).
Upvotes: 1
Reputation: 870
At my work we do this (and, for some technical reasons, we use all three cloud vendors' KMS offerings). We have a dedicated signing server that proxies the KMS systems and routes to the appropriate KMS (i.e., AWS, Google, or Azure) based on the key we are trying to use. We also have cryptographic service providers (e.g., KSP for Windows, JCE for Java, CTK for macOS, PKCS11/OpenSSL Engine for Linux, etc.) that send the hash to sign to the signing server which then offloads it to KMS. Bottom line, it all works with the same signing tools we normally use (e.g., signtool, jarsigner, codesign, etc.) and we're able to sign in sub-second time due to the client-side hashing. Another nice byproduct is that we're able to derive our permissions to keys from our Active Directory group memberships since that is all handled at the signing server proxy.
Upvotes: 0
Reputation: 11
Depending on your project and restrictions you may be able to use Java's org.bouncycastle for the code signing operations.
There is a very helpful pdf for bouncycastle: https://www.bouncycastle.org/fips-java/BCFipsIn100.pdf
Depending on how you are signing the executables, ContentSigner.java provides a private-key signing API:
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.util.function.Function;

import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;

public class ContentSignerFactory {
    /**
     * Builds a ContentSigner whose private-key operation is delegated to the
     * supplied callback (e.g. a call to Cloud HSM/KMS) instead of a local key.
     *
     * @param lambda    receives the buffered data to sign and returns the signature bytes
     * @param algorithm signature algorithm name, e.g. "SHA256withRSA"
     */
    public static ContentSigner getContentSigner(Function<ByteArrayOutputStream, byte[]> lambda, String algorithm) {
        return new ContentSigner() {
            // Buffers everything BouncyCastle writes, so the signature is created over exactly that data.
            private final ByteArrayOutputStream stream = new ByteArrayOutputStream();

            @Override
            public byte[] getSignature() {
                // Call the HSM here instead of using a local key; for CMS the stream
                // holds the DER-encoded signed attributes that must be signed.
                return lambda.apply(stream);
            }

            // BouncyCastle writes the content to be signed into this stream.
            @Override
            public OutputStream getOutputStream() {
                return stream;
            }

            @Override
            public AlgorithmIdentifier getAlgorithmIdentifier() {
                return new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
            }
        };
    }
}
Also, AWS HSM is $28,000 per year as they require clustered HSMs in order to allow a custom KMS store.
Upvotes: 0
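Added example, not taken from any of the answers above and not jsign's or BouncyCastle's code: a Go program, standard library only, that shows the architecture described in the signing-server answer (client-side hashing, digest-only offload to a key that stays remote) and the same delegate-the-private-key-operation idea as the ContentSigner callback. The names `signingService`, `remoteSigner`, `signArtifact` and `verifyArtifact` are hypothetical; the service holds a locally generated RSA key as a stand-in for a Cloud HSM/KMS key so that the example runs offline. The `remoteSigner` implements `crypto.Signer`, which is the role a KSP/JCE/PKCS#11 provider plays for signtool, jarsigner or codesign: the tool hashes locally and only the 32-byte digest leaves the build machine, and the service refuses anything that is not a SHA-256 digest.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// signingService stands in for the signing-server proxy plus the cloud KMS
// behind it. In production the private key never leaves Cloud HSM/KMS and this
// struct would hold an API client and a key resource name; here (assumption)
// it holds a locally generated RSA key so the example runs offline.
type signingService struct {
	key *rsa.PrivateKey
}

// newService generates the stand-in key (constructed for the example only).
func newService() (*signingService, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &signingService{key: key}, nil
}

// signDigest is the only operation the service exposes: it takes a SHA-256
// digest, never the artifact itself, and returns a PKCS#1 v1.5 signature.
// Rejecting anything that is not digest-sized stops callers from pushing
// raw data through the endpoint.
func (s *signingService) signDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("signing service: expected a SHA-256 digest")
	}
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest)
}

// remoteSigner implements crypto.Signer, the Go counterpart of a KSP/JCE/
// PKCS#11 provider: a library that accepts a crypto.Signer hashes locally
// and passes only the digest to Sign, so the private key stays remote.
type remoteSigner struct {
	pub crypto.PublicKey
	svc *signingService
}

func newRemoteSigner(svc *signingService) *remoteSigner {
	return &remoteSigner{pub: &svc.key.PublicKey, svc: svc}
}

func (r *remoteSigner) Public() crypto.PublicKey { return r.pub }

// Sign forwards the digest; the rand argument is unused because the
// signing service supplies its own randomness.
func (r *remoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts.HashFunc() != crypto.SHA256 {
		return nil, fmt.Errorf("remote signer: unsupported hash %v", opts.HashFunc())
	}
	return r.svc.signDigest(digest)
}

// signArtifact does the client-side hashing: the executable bytes stay on
// the build machine and only 32 bytes go to the signer.
func signArtifact(signer crypto.Signer, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// verifyArtifact is what a consumer does: re-hash and check against the
// public key, with no access to the signing service at all.
func verifyArtifact(pub crypto.PublicKey, artifact, sig []byte) bool {
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(artifact)
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	svc, err := newService()
	if err != nil {
		panic(err)
	}
	signer := newRemoteSigner(svc)
	// Constructed sample input standing in for an executable image.
	artifact := []byte("MZ... constructed stand-in for an executable image")
	sig, err := signArtifact(signer, artifact)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature bytes: %d, verifies: %t, tampered verifies: %t\n",
		len(sig), verifyArtifact(signer.Public(), artifact, sig),
		verifyArtifact(signer.Public(), append([]byte("x"), artifact...), sig))
}
```

The digest-length check in `signDigest` is the detail worth copying into a real proxy: an endpoint that signs arbitrary bytes turns into a signing oracle for anyone who can reach it, whereas one that accepts only digests can be logged, rate-limited and tied to the caller's group membership as the signing-server answer describes.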