#KEYMASTER: Keys to the Kingdom – How Code Signing Can Make—or Break—Your Security
2026-04-28
In today’s connected world, code signing is a cornerstone of device security—especially in systems relying on secure boot.
In this #KEYMASTER conversation, Sven Rajala and Jérôme Ducros, Solution Engineer at Keyfactor, explore how signing keys are protected, why they matter, and what it takes to scale signing securely across millions of devices.
Why Protecting Signing Keys Is Critical
At the heart of code signing lies the private signing key—a highly sensitive asset that represents the identity and authority of an organization.
A common misconception is that developers can safely store and use signing keys locally. In reality, this is a dangerous practice. If a private key is exposed, attackers can sign malicious code that devices will trust and execute without question.
Instead, modern best practice is to:
- Store private keys in Hardware Security Modules (HSMs)
- Ensure keys are never exposed in plaintext
- Only allow access through controlled backend signing systems
In this model, developers never interact directly with the key. They simply request a signature, and the system returns a cryptographic result—nothing more.
HSMs Are Not Enough: Governance Matters
While HSMs provide strong technical protection, they are only part of the solution. True security requires strict governance and access control.
Key principles include:
- Role-Based Access Control (RBAC): Define who can sign what (for example, test vs. production releases)
- Separation of Duties: No single individual should have full control
- Auditability: Every action must be logged and traceable
Without these controls, even the most secure hardware can be misused.
The Risk of Key Compromise
A compromised signing key is one of the worst-case scenarios in cybersecurity.
When attackers gain access to a private signing key:
- They can produce malicious firmware or software
- Devices will trust and execute it as legitimate
- Even secure boot mechanisms will work against you
Real-world incidents have shown that such breaches can allow attackers to distribute trusted malware at scale, severely damaging trust and security.
Challenges of Signing at Scale
As organizations grow, so does the complexity of code signing.
Signing firmware for thousands—or millions—of devices introduces both security and operational challenges:
1. Automation with Control
CI/CD pipelines must integrate signing securely:
- Signing should be automated—but never uncontrolled
- Systems must enforce policies at every step
2. Lifecycle Management
Devices often live for 10–20 years. During that time:
- Keys may need rotation
- Firmware requires updates and patches
- Systems must support revocation and expiration
3. Anti-Rollback Protection
Devices should prevent execution of outdated or vulnerable firmware versions, requiring coordination between:
- The signing platform
- The device itself
4. Reliability
If the signing platform goes down:
- Critical updates cannot be released
- Security patches may be delayed
- Customer trust can be impacted
Code Signing Across the Device Lifecycle
Code signing isn’t just a one-time step—it spans the entire lifecycle of a device.
At Manufacturing
Devices are provisioned with a root of trust:
- Public keys embedded into hardware (often in fuses)
- Used to verify the first stage of firmware
Because these keys cannot be changed later:
- Manufacturers often provision multiple keys upfront
- This enables future key rotation
During Operation
Over the device’s lifetime:
- Firmware updates must be signed and verified
- Security patches rely on trusted signing infrastructure
- Key management becomes an ongoing responsibility
Preparing for the Post-Quantum Future
With the rise of quantum computing, traditional cryptographic algorithms may eventually become vulnerable.
Jerome highlights a forward-looking strategy:
- Start embedding post-quantum cryptography (PQC) roots of trust today
- Use algorithms like ML-DSA alongside classical ones
- Even if unused initially, this prepares devices for future transitions
The key idea: design for the future at day one.
Key Takeaways
- Never store signing keys on developer machines—use HSM-backed systems.
- Private keys must always remain hidden; only signatures should be exposed.
- Security requires governance, not just hardware—RBAC, auditing, and separation of duties are essential.
- A compromised key undermines the entire trust chain, allowing malicious code to appear legitimate.
- Scaling code signing introduces operational complexity, including automation, lifecycle management, and reliability concerns.
- Plan for long device lifetimes by enabling key rotation and update mechanisms from the start.
- Embed multiple roots of trust at manufacturing to future-proof devices.
- Prepare for post-quantum cryptography now, even if adoption is gradual.
Learn more
Related resources
#KEYMASTER: Common Secure Boot and Code Signing Mistakes — And How to Avoid Them