Authentic Countersignature Made Easy

Authentic countersignature

besides DC would like to thank all of our sponsors and a special thank you to all of our speakers volunteers and organizers thank you very much welcome welcome here no rainy Sunday morning after was a night of well celebration or losses I guess depending on whether you're a Texas or a nationalist fan right so you know however that goes but thank you for coming here and I'm or Novotny I'm chief architect of DevOps and modern software insight or a large Microsoft partner and I am also a member of the dotnet Foundation board of directors a Regional Director and you know a bunch of other things there it means I work very closely with a lot of Microsoft people but I do not work for Microsoft however if you have feedback or questions or other suggestions I can certainly help make connections with the right people as I'm fairly well connected there best way to get a hold of me is usually on Twitter I am there probably non-stop when I'm not speaking so if you have questions or suggestions or anything else you know please follow me there and I will do my best to get back to you as soon as I can this morning we're going to take a look at code signing and what it is and why you might want to use it some of the common types of code signing there's more than one and how key vault might be able to help protect you and what in you know and secure your certificates and what that looks like as well as how to set up a code signing service and so your organization can do this in a secure and automated way so you don't have to revert to manual and probably unsecure things like certificates on developer machines short you know short take don't do it quick survey here how many folks here in the room are creating applications either let's just say for the public or your organization's create applications any developers here a few okay how about libraries or internal any internal up against the internal applications in aya Brea's windows-based libraries any or windows-based Start programs a few Linux other things Mac breasts okay so how many of you have seen this dialog ever oh come on I know more of you have seen this okay did it make you stop and think you're like what the heck am I about to do what would you expect your non-technical friends to do if they saw this would they know to click more info you know and then eventually get to another scary dialogue and press the button again probably not in this volatile landscape users need to know who they can trust and integrity helps prove that a package was not tampered with it doesn't prove trust because malware can and often is signed as well but it is the foundation for building reputation its reputation of the publishers and of the publishers of the software where there is an individual or an organization that can lead to trust you don't expect bad things to come from Adobe from Microsoft from Apple from Intuit or whomever all these folks that you other organizations that you trust in the real world you want to be able to use their software on your devices without you know risk or without fear that there might be bad things in there that you know they this one's probably okay because Adobe is probably has a secure process in place you know we hope so that they don't have malware getting into their programs it is the basis of things like smart screen which is a system-wide feature of Windows as of windows 8 that helps provide fun dialogues like the one we saw before which builds on that reputation and turns that into an actionable thing it also enables non-repudiation which is a legal concept that helps ensure that if you're consuming a package you can go to the publisher and say you know hey look you gave me this bad thing or this thing that came from you and the publisher says no that's not ours it didn't come from us you say well it's signed and you'd signed about you it did come from you and that can hold up in court and that can have implications for other things as well so there are a number of different aspects to it there's also some more practical reasons it can reduce those scary install prompts that we saw before so that you never see them again it makes it a better experience for your end-users many enterprise antivirus products will tend to flag unsigned files now we all know or hopefully we know in this room that again malware can be signed so that's not a indicator but it might be one of the many parts of the equation that the antivirus engines are looking at corporate requirements are often a big reason I know Microsoft among other organizations has strict requirements that any binary that they produce and ship must be signed it doesn't matter whether it's public whether it's beta whether it's whatever if it's leaving Microsoft it has to always be signed and that helps ensure that if anything is not signed they could more easily say that's not real that's not us because they have the processes in place that mandate this for everything it does also enable lockdown location configurations and can help prove that certain binaries came from you so if you have you know you're awesome media player and there's another awesome media player and you're saying well someone's trying to step on your name which one is really yours and you can prove this by the code so the code signing certificate that's on it and say look this one's ours this other ones of fraud and isn't really ours and you can start issuing takedown notices or have that stuff so it can help protect your IP for that new get which is a popular package manager in the.net ecosystem also has added signing to its repositories into its packages as well as machine level configuration that can help secure the supply chain of dependencies so we've probably heard of like the left pad style attacks where you know bad things get in there bad packages get inserted into the system with this with a properly locked down you get configuration both on the server and on the client you can make sure that only packages that are signed by trusted publishers are loaded and downloaded and used by the system so it's part of a it's a soul solution but it's part of a defense-in-depth strategy to help secure the supply chain of your packages and finally Swift on security said so so you know we all should listen to her when it comes to security stuff anyway because we know that she knows what she's talking about so there are many techniques for securing a system this talk isn't specifically about those there may be others at this conference and other security conferences that go into these topics in greater depth I will mention that SmartScreen is the predominant one that you'll encounter on Windows as a consumer and user of software it's the one that led to that dialogue it's also the one that will both you know give you the easy time and a hard time it enforces things like if it's a new certificate that it's never seen before you're gonna get that dialog even if it knows who you are it based as it on number of downloads the popularity of your package and whatnot there are ways that they have put in there to to get instant reputation so you never see that dialog and that involves extended validation code signing certificates which I'll come back to in a few minutes it also is a part in you know of foundation of restricted environment so device guard helps protect and only load signed modules by the hardware where Windows works with the you know security modules on the hardware to load only special binaries whereas app blocker is more of an OS level software check for those saying for signed binaries all different techniques for making sure only known code is run so that if malware is on your network it can't run and will be blocked by the machine from executing an example of this in use is privileged access to workstations which is one of the ways Microsoft protects its access to the azure of production environments and you can't just take your ordinary laptop plug it in to the network and RDP into or secure shell into an azure anything I mean that would be a bad thing and I think we can all agree on that they so they have a white paper that they published it says here how we've used all of these different lockdown configurations to secure the hardware to make it still usable from a from user perspective and all that and I encourage you to check out that link over the bitly link there and it's a big documentation that kind of discusses how they put all this together so I want to take a quick pause here to switch over to the demo machine to look at how automated code signing or how easy it can be and this is what we're gonna come back to in a minute so what I have here is a new get package that I'm going to submit using a you know server to the do the signing on Azure and it already came back and this is the kind of thing you can incorporate into your CI CD pipeline it doesn't matter whether it's a new get package or a DLL or vsi X or click once manifest on either common file types you might use it would be sent over to the server running and Azure where the certificate is stored in a hardware security module in the cloud and audited and logged and you know all that good stuff if I come back and open a new get package using a tool called NuGet package explorer which you know shameless plug is one of the applications I help maintain it's open source on github it will show you the package information or the signature information in the package and we can see that it was signed by a test certificate no folks i did not have a password or any credentials on my machine that would get you access to my production certificates you're not that lucky but you can show it shows you that it is also not trusted because it is a self-signed certificate and the tool will show you the information that as it's validating the package so that you can kind of see if it's either valid or not and what the chain of trust is you can also go deeper and say that this new get package which is a container it's basically a fancy zip file with other files in it has a sorry has a dll in here and if I examine the DLL it's also signed and you know because it is a DLL is signed with an authentic code signature whereas new get assigned by a new get signature different techniques same process but it shows me the information there as well and I can see that it was signed by digit by digit certs time stamping for a counter signature and it has the same certificate subject here and that Windows is telling me that hey this file is signed with an untrusted certificate which is completely true it's as a test certificate but that's just an illustration here of a way to see the details of the signatures along the way and we're going to take a look at how we can set this up for your own environment so you can make it you know hopefully fairly straightforward as least as straightforward as it can be when we're talking about this topic so code signing is a process it is not a specific technology there are many different kinds where attenti code is one of the oldest it is over 20 years old and it was initially created for at the time when someone thought it was a good idea where you might want to load random binaries off the internet and run them in your web browser as you hello exploits what I don't think anyone thought that was a good idea but nevertheless the signatures were there to try and show who these were so that the browsers could attempt to put some policy around that to say look I only want to give or allow Microsoft Ones or Adobe once you know the Adobe Flash controls all of the early ways of extending the browser initially came from things like ActiveX until we got better options the initial versions of authentico did not actually have support for time stamping so time stamping is a mechanism where an external party can say hey look this is the time right now and add a counter signature to your to your overall package so that you can know or consumer can know that what if the signature was done within the validity period of the original certificate that's an important thing and we'll come back to that in a bit as well but that was added eventually to future versions of authentic code if they are based on various cryptographic standards asn.1 which is a binary way of representing structured data as well as pkcs which is a effectively the like schema is to XML so if you think of asn.1 as XML and defining brackets and syntax and attributes and the like whereas PK for the various pkcs formats are like XS DS they're schemas they're hey this is this kind of message and there's a number of different kinds of those and they are based on public key crypto structure and rely on chains of trust and certificate authorities to verify the information about the issue or like who's asking for the certificate where is it going and the like the easiest way on Windows to see some of these certificates are to look at any like right click on a file and hit properties that signed and you can see this is an example of just Devon which is Visual Studio almost any any file Microsoft has will be signed however many third-party ones majority of third-party ones will be especially from large publishers if you click on here you'll see an example of a dual signed package or library where it's signed with both the sha-1 and a sha-256 hashing algorithm and that was as Microsoft was busy transitioning or people were busy transitioning using two stronger cryptography algorithms well older versions of Windows didn't support them nowadays it's not really common to see shot one sign things anymore because that is a weak algorithm but it the underlying mechanism does support adding multiple signatures Windows will use the strongest one if it's as long as it recognizes it so you don't have to worry about the older one in there you can dive in and see some of the details where we'll show you the signature information and the counter signature information and then you can go in further see the subject and the purpose of it and then finally get in and see some of the details now all of this is all encoded within the asn.1 message and you can certainly take some of that signature there are other tools that can take the signature data you can put it on online tools view the binary and get this in other ways but this is certainly an easy way to you know see this just on any computer there's no special tools required these are standard windows dialogues digital certificates are comprised of an x.509 certificate that's the part that contains the information on it the attributes of what it can be used for that you're the name of the certificate the issuer the any other attributes that you might want to store in it and a public Sr and a private key it is a common misconception that a certificate consists of a private key it does not typically that's what we'll call you know a key pair however you just did something to know it's not really relevant for most of the time because people think of hey I have a certificate do you have the public key or do you have the private key and you know you have it in these pfx files and the pfx files are just different kinds of messages different the pkcs number twelve that contain the combination of the x.509 public information would the private information if it can be exported that information that is given to you by that certificate is given to you by a certificate authority and that is signed by them so that's them vouching for you that's what creates the chain of trust if you use something like digit cert and say look I'm you know Jane Smith I want a certificate for my code you're gonna go to digit cert they're gonna ask for some proof some information they're gonna give you the certificate and it's going to be signed by them and that is going there in their certificate is trusted by Windows and Mac and Android by way of the various root programs corporations will also have public or sort of internal certificate authorities and that will be useful or domain environments where a corporation controls that so instead of relying on a public certificate an internal one can say hey look use ours button because if we have existing infrastructure that's pushing out the you know what's trusted by the Machine we can use it there's also self-signed certificates which are ones you can just basically create yourself which are really much only good for testing because they're not by definition trusted there's a number of different types of certificates out there some of the most common ones you'll see are server certificates and those are what you'll use when you authenticate or when you connect rather to any web server or almost any web server these days they used to come in a standard in an e v variety the e v variety had extra validation in there and that's what gave you the green bar in the browser until people started to realize that it's pretty much pointless because users had no idea what the difference was and what this green bar meant so evie certificates for web servers have basically been completely phased out none of the major browsers even show indicators anymore for them and this is generally automated by tools like let's encrypt these days and you can get them for free and not have to pay a lot of money for them code siding comes in a standard and an Eevee variety as well however in this context Eevee has significant meaning and difference because of the rules set by the sea-- a browser forum and the various operating system and vendors so folks like Microsoft and Adobe and Apple the people that have in the browser makers the people that have to say or stake in this ecosystem participate in this forum to dictate what are the rules the certificate authorities have to follow to issue the different kinds of certificates issued requirements are on storage and use of those certificates and whatnot so easy for code signing has some specific individuals cannot get them you have to be a legal organization or entity you know a non-profit can get one an LLC can get one or in Novotny cannot get one I do have an LLC and that has one so you have to play by the rules but that's just part of the extra text that they're doing as well as they for code signing in particular Evi certificates cannot be issued to anything other than a hardware device and it has to be FIPS 140-2 compliant so that it's tamper resistant and it cannot be stolen so there are significant differences whereas a standard code signing certificate can be issued just and be exported can be on a file can go between different machines the the eveyone's cannot there's other ones that for document signing and those are ones where adobe has more of an influence as you might imagine that the adobe reader and you know other folks like DocuSign play in this space and these are really my conforming to government regulations about identity and checks there so that signatures that are signed when you're signing a digital file with a contract or document with the document signing certificate they are ecig matures they can't hold up in court for you instead of using a pen and paper so there's other sets of requirements around that as well there's different algorithms that you might use for the cryptography whereas elliptic curve typically has shorter key lengths and RSA some of that gets definitely beyond what my area of expertise are but the window supports the majority of them for that and then there's this concept or there's this one of the attributes of the certificate is this extended key usage and that's the thing that tells you what kind of certificate it is and these are just another property on the certificate that says hey it's a code signing certificate it's a server certificate it's a you know client authentication certificate the process of creating a signature is generally fairly straightforward it's just a straight public key cryptography math where the hashing algorithm will take some data will generate a number for it or the hash value and it will be signed with the publishers private key the public you know that number that value and it will be then and embedded and packaged within the application file typically and that's how you have a signature like you know an executable file there's a special area of the executable file which is able to have this signature data embedded in it without affecting the execution or the integrity of the file there are other types of signatures that are side cards where it's just another file that goes and sits next to the DLL or the the tied to file format rather I tend to prefer the embedded ones just because they're easier to manage I don't have to want to have to manage hey I have this file and I have this other sidecar file and I have to keep them together or I'm going to not be able to verify it later but functionally equivalent otherwise to verify a signature it's basically doing the operation the same operation and in the other in verifying in Traverse so the client will do two things it will look at the hash algorithm that was specified by the signature and it will say hey look it was shot - let me go run the same set of calculations and we take the contents of that file get the hash of that to get the value and it will check that against the public key you know make sure it was make sure the signature was not tampered by using the public key from the certificate that was also embedded and if the values match the one that was stored in the file that was signed by the public but the private key it knows it has not been tampered with and it can go on if there's any discrepancies that their certificates not valid it will generate some kind of warning like we saw earlier where it said hey this thing was not trusted no if it had been tampered with it would have said something different it said it would have been tampered with yeah that was it does validations in all kinds of different areas to get a certificate it's a multi-step process as many things here are typically you'll have a user asking for a new certificate saying hey I want a new certificate and that will so I'm going to talk about the context of getting one from digit cert for a public one but it would be very similar if you're using an internal certificate authority where you might have a website to submit a request here but they're gonna use either a browser or a their HSM tool or as your key vault something wherever the key is going to go is going to generate what's called a certificate signing request and that is a special pkcs message that will be sent to the certificate authority for you know for signing to generate the public certificate out of it does not contain the private key that's one thing that you know is easy common misconception and say hey look am i giving the private key to the certificate authority and the answer is absolutely not the private key does not leave the device that it was the CSR was issued from which is also why later when you need to complete the request you need to complete it on the same device that you started it because only the private key is there until you export it if you're allowed to so you have the certificate signing request and you give that over to the CA and this might be a case where I say hey look I'm gonna create a you know give me a new certificate there might be money involved in the case of you know public CAS where they're gonna charge you money because it costs them human time to validate these things someone has to go look up those business records people often ask well why can't I have a let's encrypt of code-signing certs and the answer is because it's a lot easier to verify domains than human information and business information domains you can automate you can say look there's a responder on one side I can check it from the other side if they match I can automatically issue it the whole process can be automated in you know seconds in the case of code signing where human information needs to be verified it can be coming from anywhere there's government documents that are valid it could be business registrations with the BBB or with Duns information is often verified it can be business registration data in the state of incorporation so now you're talking about 50 states in this country plus the various territories and that's just this country you're showing them from another country and you can this quickly gets adds up so you need human elements to be able to go verify and know which database to check for the specific entity and that's why it costs money because it can't be fully automated and people need to be paid so they're going to do that and once they've verified the information that you've given them they're gonna issue a public certificate that is signed by them as we discussed earlier that's going to say hey I did assert have given you or a Novotny a certificate with your name on it because I checked this information and it is I found it to be true I'm gonna take that certificate back and then merge that into the device in this case I'm using key vault but wherever the certificate request was generated from and that will then give me that public private key pair that I can use for cryptographic operations in the future when they're merged together non Hardware bound certificates that is to say ones that don't have a Evy or export restriction on them can later be exported by the operating system to this p12 you know or pfx file they're both the same they're pkcs12 messages Mac tends to use them as p12 Windows tends to call them pfx and that's because pfx was there before the format was standardized and you know eventually became p12 but the the file extension stuck there the same thing you can rename them it doesn't matter so the process once you have a certificate the process of code signing historically has been in order to do it right kind of tedious I don't think anyone follows this approach as you can see this graphic is a little bit dated liberally borrowed it from some Microsoft documentation that itself was quite old you would have a segregation of responsibilities you would maintain the certificate on a smart card somewhere offline because you don't want to have it stolen and so you would typically take the output of a build give it maybe on a thumb drive to a administrator to a signing admin someone who has the rights to do this they would in scan this for any viruses and malware they would log the files and you know some database that says hey we're signing these files here the check sums here the hashes of the files were going to sign they would have to figure out how to use all the code signing tools and there's different tools for different file types and they would have to sign them all individually and then hand them back they would still ultimately need an outbound connection to a time stamping Authority in order to do the counter signatures correctly so you can't do this process entirely offline not really so that was slow in error-prone and not really amenable to doing in any kind of automated fashion conceptually the process of doing it automated is much more of a client-server operation where you have a client might be a thin client around arrest service is going to take a bunch of files say here and let the server figure it out and that takes the job of what the admins did offline and does it in a consistent and repeatable and scalable way online where it can run through antivirus it can log all the files all the inter activities can be logged to your seam tools so they if there's an incident after the fact it can be monitored all that stuff can happen in a way that you're guaranteed as well as all of the configuration of the various signing tools is handled by the service as well so that you don't have to figure out what do you need to do for what file type so there's different signing different file types have different signing tools in Windows authentically handled by something called sign tool and that handles most of the common ones that the operating system handles that's like X YZ dll's app X Files you know actually you can sign PowerShell scripts and many of the default ones and windows are so as a part of that is actually by default PowerShell cannot execute random scripts that you just write locally you actually have to set the execution policy to unsigned in order to enable that so if you want to keep them in the default policy to say look I'm an admin I don't want you writing default I don't want you being able to touch your PowerShell security settings you can sign your PowerShell scripts this way believe it or not you can actually sign JavaScript and vbscript stuff but I don't think anything in the world validates them anymore except for the Windows scripting host as a relic of bygone days but in those text formats the signature is stored as a comment in the end of the file so they're there and you can see them if you want oh sorry there's other file for other of the different other file types have different tools so visual studio and visual studio code extensions come in a file format called v6 it's a fancy zip file and they use a tool called you know v6 and tools so shocking really original name click once which is a common format for distributing applications within enterprise because it can auto-update uses something called mage NuGet uses the new get tool to do it signatures Java has its own tools for apk signer and jar signing Apple has its own code signing tool for signing the files for a gatekeeper as well as I think there's another own product builder for signing the package files as well so there's Apple has its own tools as well like they're all the same thing they're all calculating signatures in this way we talked about before but different file formats have all these different tools for handling it also out of the box none of them have direct support for extra keys that are stored externally though you know Windows doesn't know about so if you wanted to they all rely on CSP which is basically the equivalent of an operating system driver for a security certificate so you can have a hardware token with it and you plug it in and you install the software like I have something from Gemalto that has a certificate on it I plug it in I have software on there and the SafeNet authentication client will prompt me for a password and the it just doesn't work because that'll work for this but if I want to put it and say something like key vault where Windows doesn't know anything about the HSM in Azure it's not going to work for me so we need to take a different approach there's a number of challenges with code signing protecting the certificate or protecting the key rather a certificate doesn't matter the key it can be quite hard certificate compromises a real thing so in 2017 there was a research firm Venna fee that put together a study that found that certificates were selling on the dark web for over $1,200 which is significantly more than the cost of a firearm on the dark web and that's because it's much more valuable you know guns are easy certificates unfortunately but certificates are used by bad actors especially ones that are shredding on your good name and your reputation and they can once they've steal them they are often very difficult to detect that the compromises happen for some time afterwards so you know if they're a bad actor gets on your network they're gonna look for those pfx files if they can get a hold of them and start route forcing those passwords and they'll usually get them certificate use also needs to be audited as we talked about like if something does happen one of the key parts of incident response is being able to look and say okay well under what timeframe what was signed when you know under that situation if someone just steals a pfx file well you'll never figure that out if you have a service that's under your control at least you can look at the audit logs and see what happened and what at that period of time there had been a number of incidents so this is something that even big companies have trouble with so like ASIS earlier this year had malware in their software signed by a you know in their updater which was signed by mob their certificate Sony in 2014 had the the death Dover virus the desk over worm used the Sony certificate HP had malware in 2014 CCleaner in 2017 had malware injected into their system and Adobe in 2012 had stuff signed malicious stuff signed by their key so point here is that even large organizations can have trouble protecting the certificates here so something to consider because I suspect most of the organizations we work at are probably not as sophisticated as Adobe when it comes to those kind of practices maybe we wish we were but you know let's face it we don't always get that privilege there's also arcane commands for these tools so it's not as simple as just you know sign this thing each of the different commands has a whole lot of different options and most people don't know what they are and the defaults are also pretty bad because windows optimizes for compatibility over security and the default options for most of the commands were meant for Windows 2000 you know news break it's been about 20 years and you know the defaults may have changed but there are other parameters but you just need to know what they are there's also the issue of orchestrating multiple tool so if a v6 which is a fancy zip file contains a nougat which contains DLLs what do you do a visto has dll's you know the click once stuff has dll's in it you need to sign the DLLs first before you sign the manifest so you need to be able to sign the right things in the right order typically going inside out so there's an orchestration component to this which ties together all the different tools so I it gets tedious and it can be error-prone so stepping back to as your key vault just quick show of hands anyone here familiar with as your key vault a few no okay so as your key vault is microsoft's hosted HSM in the cloud it comes in two editions standard in a premium the premium one is backed by hardware you know I think they're using fails devices in there but you may never see them but they're there but they are FIPS 140-2 certified devices their certificates are all there for auditing and on the Microsoft security site they are protected by a JD from security standpoint so you can create Ackles to the various resources and it has its split into an admin plane into a data plane so admin operations can be segregated out a proper separation of responsibilities and it provides multiple layers of redundancy so if you were to do this yourself you might need to have multiple hardware devices each one of them might be five or six figures you know because they're expensive especially the network ready ones and if you want to be able to make sure that you have you know data recovery and uptime you can have multiple and azor handles this for you by having multiple hard pieces of hardware for you in data centers over 150 miles away because if in most shops if you can't get your build-out you're down so again this is a mission-critical kind of service which is another good reason why something like this makes can make sense it is based on breast api's there are libraries for net and any other lots of other languages for this and it can be a supports all the current Azure features like managed service identities to minimize the use of special credentials for your applications so you don't have to manage this stuff the azure portal which constantly is changing this screenshot I'm sure is already dated will list the various certificates you might have in it and if you can you can dive in and it will show you the various properties of these certificates like what are the valid dates the expiration dates the URLs and whatnot so several years ago I took over as maintainer of a set of packages for reactive extensions and we had a process we had to Remote Desktop into a VM and Azure to sign all these things and this was very tedious and error-prone and I said look there had to be a better way because I want to get releases out automatically and I don't want to have to have a human element to take dll's copy them into a VM sign them we after unpitying and everything else and then copying them out and then publishing them so I set about to create a signing service for the.net foundation and its member projects to use and some of the goals here were that it can securely do all the stuff we've been talking about during CI builds it needed to be multi certificate capable because we wanted each project to have different certificates so X unit has its own certificate and unit has its own all the different projects can get certificates from the foundation for free which are chained up through digit cert and it can handle you know all of the nested files all of the orchestration and it needed to be inexpensive to operate it's also fully open source and on github so you know if you want to deploy this within your own organization it's absolutely something you can do the security architecture was designed to be as you know is as good as we could do it based on well as your supports so it relies on two keys to the castle the admin the service itself cannot do any cryptographic operations without an active incoming connection because it relies on the OAuth 2 on behalf of flows to make sure that only access they can only do the cryptographic operations on behalf of the incoming kline connection it cannot do cryptographic operations on its own so even in the event of server compromise it doesn't necessarily do something for those calls that were happening at that point in time just any other random data would not be exposed so to minimize that stuff yeah so the service itself can create users and create the key vaults and create and manage the requests but it cannot do the important operations if you will we're running a little bit low on time so I just want to call out this was done with help from the community Kevin Jones it created an open version of a couple of tools for a sure sign tool and a open v6 sign tool to enable the you know authentic code and v6 integers took work with Azure key vault and I work to figure it out mage and new get and we're gonna support in jar sign coming soon it's really just open source we haven't had a lot of demand for it but it certainly if anyone wants to help we will be happy to take contributions a couple of just case studies I'm gonna kind of skip these slides because I want to kind of show you a quick demo here the executive director of the foundation yeah I mean it's been valuable to the projects as well as cake build they found it useful as well cake build is a build bootstrapper to help do things and build automation and they have an executable file so the dotnet Foundation provides code signing certificates that are using evie code signing certificates so that's something that they get for free as a huge value because they couldn't get that as an open source project on their own because they would not have a legal entity the foundation serves as a legal entity for them by way to get a certificate in order to set up the code signing service it does require global admin of an azure ad directory tied to the subscription it does not have to be your corporate directory because I understand that that is oftentimes quite difficult to get rightfully so but you can do this using a separate subscription and that's because it needs to store its configuration information and using extended you know some of the extension attributes with an azure ID to avoid the use of a database so there's all of the tools or on github there's to deploy this thing there isn't get there is both an installation guide as well as a user guide for how to set this stuff up and please reach out to me or filing the shoe on the github repository and you know trying to help you out I mean an open-source the documentation can always be better no question about that but you know try to get make it as easy as possible with utilities and scripts to for the tedious bits and then once you have something your sis which over this computer I know the github site has all this here and you know the installation and deployment information is linked off the readme if I come back and once you have the signed service running and it's gonna be can you log in again this is just the admin UI users would never see this they just would automate that with a rest call or a you know genetic or global tool which is cross-platform runs on Mac Rebennack Linux and Windows wouldn't save you the trouble and automate all the the authentication and the client bits for submit for submitting the binaries but you would come in here create a user basically a service account for the user and I can say you know b-side se b-sides DC sign I can type sign and B so I just and give it the timestamp URL up I can tell you and what this is going to do is it's going to create an azure ad user with the attributes that are going to be set up it's gonna create a key vault for the to tote that attach to that user account and that's because of key vault security model which is only doing ackles per vault not per resource in the vault that's not in itself as much of a trouble because you paper certificate not per resource so it doesn't really matter whether you have one key vault or 100 key vaults you're paying for the number of certificates there's no charge for a particular key vault in this case the usage is fairly inexpensive and a premium HSM back key vault it's a dollar per certificate per month and some like a few cents per ten thousand operations for this use case the key vault cost next nothing to use again compared to the cost using an HSM yourself and the economics of the cloud very much work in your favor it'll give you the information you need to give input you know to the users and the configuration this passwords not going to get you very far because it's not gonna I'm going to delete this account shortly and it's not going to do much anyway but it will give you this information you give it to them and store it in a secret variable in your build system once you have the key vault there you can use this to generate that certificate request this is where you'd come in and say new certificate the name itself doesn't matter eveyone or whatever cert one and it will let you view the certificate request and this is the information that you would provide to the certificate authority in the form that they say hey we're a Stu CSR in and when you have the certificate you would browse for the sir file that they give you and it will upload that in mirja and it'll become available for use the final thing you would do is opt to just configure the cert and that's where you it'll show you the available certificates in case you have more than one in that key vault which is the one associated to that user so the point here is that all the information all the configuration is done on the server the client doesn't have to do any of this you can have any if you have different departments different organizations they can have their own service accounts it's all configured and you manage it here if there's ever an issue you can just unconfigured you know you uncheck the box were configured and it will block that signing service operation until you re enable it in case of an incident you need to quickly you know block them for a time being without potentially like changing the password if you don't need to maybe just need to investigate or see what's up so with that I believe we are at time thank you for coming and I'll be I'll stick around for a little bit I think there's a half hour break and you know that's certainly happy to help out if you need to get this or want this to get this configured for your organization so thank you very much [Applause] sure yes sorry I didn't have time for questions I'm happy to answer questions now that I know we're good so executable files and PE files is a type of PE files portable executable the PE file format has an area within it which can contain a certificate so there's data segments there's executable segments there's other things so part of the hashing algorithm I mean it's not just taking you know it's not just doing a dumb binary you know read the whole buffer in and calculate a hash there is a defined structure to it and that's what the authentic code and each file type has its own mechanism of doing that so it reads the data segment it reads the text segment it reads the executable reads all of the relevant parts of the file to generate this signature which then get tucked in to another part of the file that it's not checked it's also an area where yeah so when does certificate we'll read that from the from that area correct it's also an interesting area ever wonder how you know you when you download Chrome or you download some of those programs that you say it magically already has some of your account information in it because there are some tricks in there that they can piggyback some data so I didn't really get a chance to cover this but Sigma certificates and Sigma actors that signatures themself can have signed attributes and unsigned attributes signed attributes are the stuff that I'm gonna just tuck in the signature here's the stuff you know I can it's arbitrary it's whatever I want to put in the suit in the signature I can do that and then I sign it and then that goes you know that since signature goes around that right so if I modify any of the signed attributes the signature is no longer valid I can also put unsigned attributes which are not checked and I can modify those after the signature is done because they are not trusted there they can still go in the same area of the file but if you look at some of those things like either Backblaze or google has done this a number of others you can tuck magic links or other random data in there in the unsigned attributes in the cert in that signature so that when you launch that program the program will read its own signature to pull out that information and magically get started so it's kind of a neat nasty other oh is trick that you can kind of piggyback some information in there I don't recall the name of it I I'm sure it's online somewhere I'm sorry so so I guess is the question it's like I if the web sites providing me the the SHA of the file and you know what's the easier for the user or let me so you so you absolutely can do that I will say this there I'll say the thing that's the less effort is if I don't have to do anything and that's what Windows will do for you so yes what you can absolutely download a file run the hashing tool calculate this stuff out but I guarantee and my mother won't do that right so like we in this room might know how to do that and you know please do but if you can have something that's running in the background and it's always on it basically never gets turned or cannot be turned off that's the kind of thing that smart screen is so smart screen is doing that behind the scenes it gets that's what's known as the mark of the web so Windows whenever you download a file off the Internet whether it's Chrome Firefox brave internet explorer edge whatever will say hey there's a an alternate data stream that is that contains the mark of the web and that's where if you've ever seen that files is unblocked or blog right there's a checkbox in there for the ones that came from the web the loader will do an extra check to say ah is this signed or not and if it is signed great do I trust it what's the reputation of that certificate and if it's a non Eevee cert that and if it's a brand-new cert you're gonna get that dialog anyway because it's gonna say I don't know you from a hole in the wall these could be malware is it good is it bad I don't know I don't you have has no reputation of developed yet over time number downloads popularities executions Microsoft will not say because they don't want anyone gaming the system it will become trusted in that dialog will go away until you have to you know get a new certain two or three years Eevee certs contain instant reputation for smart screen so that's where Microsoft has said well based on the issuance requirements a can only be two organizations and it has to be on HSM or if it's you know device we trust it more it's less likely to be stolen so you will not see that dialogue unless things go south does that make sense so it's it's really I think the benefit is that it's always happening in the background it's not I don't have to take a proactive you know an action to check this thing