Adobe just published an article "Inappropriate Use of Adobe Code Signing Certificate" describing the inappropriate use of their code signature private key.
Adobe uses a Hardware Security Module (HSM) to store the private key. The signature requests are sent by build servers and signed by the HSM.
Unfortunately one build server has been compromised and malicious software has been signed.
LessonsMaybe the lesson is that automatic code signing, without human verification, is an error. Of course the human verification shall be smart enough to avoid repetitive and boring tasks.
In general smart card doing cryptographic signature with a legal value (eID or citizen cards) are configured so that the user PIN has to be entered before each signature. And the use of a pinpad reader is a big security improvement. So even if the user computer is compromised the attacker cannot sign many documents without the user noticing something wrong.
- only one signed document may be enough for the attacker
- noticing something is wrong requests some user intelligence
ConclusionThe best security architects can do is:
- provide systems simple to understand
- provide some kind of detection of strange events
- provide a way to easily revoke a compromised key