DigiCert 建议开发人员在实施代码签名过程和保护与签名证书关联的私钥时采取防范措施。
维护对代码签名密钥的访问控制和帐户控制并限制其分配。这将有助于对密钥使用执行严格的帐户控制。
为私钥选择强密码。我们要求在传输私钥时使用随机生成的至少十六 (16) 个字符,其中包含大小写字母、数字和符号。避免使用字典中的词、用户名缩写、常见字符序列(例如,"123456")、专有名词、地理位置、常见缩略词、俚语、家庭成员姓名、生日等。
使用 FIPS 140-2 2 级认证密码设备安全地存储私钥。禁止使用这些密码设备导出私钥。其中大多数设备包括多因素身份认证。
Microsoft 建议使用单独的测试签名证书签署预发行代码。测试签名证书应该仅在测试环境中受信任。测试签名证书可以是自签名证书或来自内部测试 CA。
有关更多信息,Microsoft 提供了关于代码签名的最佳实践文档。
DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.
©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.