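DigiCert recommends that developers take precautions when implementing code signing procedures and when protecting the private keys associated with their signing certificates.
Maintain control of the accounts that hold code signing keys, and limit how they are assigned. This helps enforce strict accountability for key use.
Choose a strong password for the private key. We require at least sixteen (16) randomly generated characters, including uppercase letters, lowercase letters, numbers and symbols, to transport private keys. Dictionary words, derivatives of the user ID, common character sequences (for example "123456"), proper names, geographic locations, common abbreviations, slang, family names, birthdays and the like must not be used.
Store private keys securely on cryptographic devices certified to FIPS 140-2 Level 2. These devices do not allow the private key to be exported. Most of them have multi-factor authentication.
Microsoft recommends signing pre-release code with a separate Test signing certificate. Test signing certificates should be trusted only in test environments. A Test signing certificate can be a self-signed certificate or one issued by an internal test CA.
For more information, Microsoft provides a best-practices document on code signing.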
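An added example (not DigiCert's or Microsoft's code): one way to generate a private-key transport password from the operating system's CSPRNG and check it against the password rule above. The symbol set used for generation and the short list of common sequences are assumptions; the dictionary-word, proper-name and birthday rules need a word list and are not checked here.

```python
import secrets
import string

MIN_LENGTH = 16  # minimum length stated on the page
SYMBOLS = "!#$%&()*+,-.:;<=>?@[]^_{}~"  # assumed set; adjust to what your tooling accepts
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
# Constructed sample of common sequences; a real check would use a larger list.
COMMON_SEQUENCES = ("123456", "abcdef", "qwerty", "password")
CLASS_CHECKS = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: c in string.punctuation,
}


def policy_violations(password, user_id=""):
    """Return the reasons a password fails the policy (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 16 characters")
    for name, check in CLASS_CHECKS.items():
        if not any(check(c) for c in password):
            problems.append(f"no {name} character")
    lowered = password.lower()
    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            problems.append(f"contains common sequence {seq!r}")
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    return problems


def generate_password(length=20, user_id=""):
    """Draw characters with secrets.choice and resample until the policy is met."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least 16")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate, user_id):
            return candidate


if __name__ == "__main__":
    print(generate_password())
    # Constructed weak input: too short for the 16-character rule.
    print(policy_violations("Summer2020!", user_id="jdoe"))
```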
©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.