# Indicators for cryptographic signing
<a name="indicators-for-cryptographic-signing"></a>

Authenticate and verify software component origins and integrity, ensuring a secure software supply chain.

**Topics**
+ [[DL.CS.1] Implement automated digital attestation signing](dl.cs.1-implement-automated-digital-attestation-signing.md)
+ [[DL.CS.2] Sign code artifacts after each build](dl.cs.2-sign-code-artifacts-after-each-build.md)
+ [[DL.CS.3] Enforce verification before using signed artifacts](dl.cs.3-enforce-verification-before-using-signed-artifacts.md)
+ [[DL.CS.4] Enhance traceability using commit signing](dl.cs.4-enhance-traceability-using-commit-signing.md)

# [DL.CS.1] Implement automated digital attestation signing
<a name="dl.cs.1-implement-automated-digital-attestation-signing"></a>

 **Category:** RECOMMENDED 

 Digital attestations serve as verifiable evidence that software components were built, tested, and conform to organizational standards within a controlled environment. Signatures associated with each attestation can be verified to ensure that the component has not been tampered with and originated from a trusted source. Generating attestations throughout the development lifecycle provides a method of ensuring software quality, origin, and authenticity. 

 Embed automated tools into the deployment pipeline to produce digital attestations. Create an attestation for each action you want to create proof for, such as a test being run, software being packaged, or even manual approval acceptance steps. Sign these attestations using symmetric or asymmetric keys. Follow metadata frameworks such as [in-toto](https://in-toto.io/) for best practices for formatting attestations to include metadata about the software, the build environment, and the authoring party. Store attestations either with build artifacts in a repository or within governance tools for deeper analysis. 

**Related information:**
+  [Software attestations](https://slsa.dev/attestation-model) 

# [DL.CS.2] Sign code artifacts after each build
<a name="dl.cs.2-sign-code-artifacts-after-each-build"></a>

 **Category:** RECOMMENDED 

 Code signing is the process of attaching a digital signature to build artifacts like binaries, containers, and other forms of packaged code to enable verifying its integrity and authenticity. Signing code artifacts minimizes risk of using or distributing tampered or counterfeit software. 

 Cryptographically sign code artifacts during the build process. Ideally this occurs after testing and before publishing to production. Follow [best practices for timestamping](https://www.digicert.com/blog/best-practices-timestamping) while signing. Timestamping provides a verified date and time of the signing, serving as evidence that the code artifact existed and met the signature criteria while the certificate was still valid. To safeguard operations, ensure that the validity of the signed code artifact is recognized even after the signing certificate itself has expired. 

 Store signatures in a location accessible to users and systems that need to verify signed code artifacts. When using [Open Containers Initiative (OCI)](https://opencontainers.org/) compliant artifact registries, it is encouraged to store digital signatures alongside the build artifacts being signed. This enables a consolidated retrieval process and allows verification systems to easily locate and validate signatures. Just as with artifacts, signatures can accumulate over time. Implement a lifecycle policy that archives or deletes older signatures that are no longer needed to help manage storage costs. 

 After a signature has been stored, it should be immutable so that the signature cannot be tampered with or replaced. Use fine-grained access controls to ensure that only authorized entities can push or modify artifacts and their corresponding signatures. Regularly back up your digital signatures. Having a backup ensures you can still verify the integrity and authenticity of your artifacts in the event of storage failures. All access and operations on stored signatures should be logged to support forensic analysis and to adhere to compliance requirements. 

 Implement cryptographic signing of artifacts during the build process. Ideally this occurs after testing and before publishing to production. This helps ensure the integrity of the artifacts and confirms their authenticity. We recommend using a managed service like [AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html) to reduce the complexity that comes with managing public key infrastructure. Refer to [AWS Signer workflows](https://docs.aws.amazon.com/signer/latest/developerguide/workflows.html) for guidance that fits your use case. 

 For more control over the signing process or for complex use cases, you can create and manage your own code signing platform using Public Key Infrastructure (PKI). While this approach offers precise control, it requires consistent upkeep and adherence to best practices. [AWS Private Certificate Authority](https://aws.amazon.com/private-ca/) is a managed private CA service that helps you manage the lifecycle of your private certificates easily, without the investment and ongoing maintenance costs of operating your own private CA. 

**Related information:**
+  [AWS Well-Architected Sustainability Pillar: SUS05-BP03 Use managed services](https://docs.aws.amazon.com/wellarchitected/latest/sustainability-pillar/sus_sus_hardware_a4.html) 
+  [Using AWS Signer workflows](https://docs.aws.amazon.com/signer/latest/developerguide/workflows.html) 
+  [Configuring code signing for AWS SAM applications - AWS Serverless Application Model](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/authoring-codesigning.html) 
+  [Security Considerations for Code Signing](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01262018.pdf) 
+  [Code signing using AWS Certificate Manager Private CA and AWS Key Management Service asymmetric keys](https://aws.amazon.com/blogs/security/code-signing-aws-certificate-manager-private-ca-aws-key-management-service-asymmetric-keys/) 

# [DL.CS.3] Enforce verification before using signed artifacts
<a name="dl.cs.3-enforce-verification-before-using-signed-artifacts"></a>

 **Category:** RECOMMENDED 

 Before using code artifacts, the cryptographic signature should be inspected and validated. This verification step enforces trust and security within the development lifecycle, ensuring that software remains unchanged before it is used or deployed. 

 Strictly enforce verification of cryptographic signatures each time a code artifact is used or deployed. Use a managed signing service like [AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html) or the public key from your organization's trusted Certificate Authority (CA) for signature verification. Automate the verification process where possible, as manual checks can be error-prone and may not be strictly enforced. Some examples of this are integrating signature verification into the deployment pipeline, enforcing verification at the registry level as artifacts are distributed, or using the Kubernetes admission controller to verify each container image as they are pulled. 

**Related information:**
+  [Security Considerations for Code Signing](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01262018.pdf) 
+  [Configuring code signing for AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html) 
+  [Kyverno extension service for Notation and the AWS signer](https://github.com/nirmata/kyverno-notation-aws) 
+  [Announcing Container Image Signing with AWS Signer and Amazon EKS](https://aws.amazon.com/blogs/containers/announcing-container-image-signing-with-aws-signer-and-amazon-eks/) 

# [DL.CS.4] Enhance traceability using commit signing
<a name="dl.cs.4-enhance-traceability-using-commit-signing"></a>

 **Category:** OPTIONAL 

 Commit signing involves attaching a digital signature to code commits, certifying the integrity of changes and the identity of the committer. While not universally adopted by all organizations, commit signing enhances trust and traceability as developers make code changes, making it easier to track the origin of changes and ensure their authenticity. 

 Have developers sign their code changes when submitting to version control using personal private keys from tools like [GPG](https://gnupg.org/). Developers should be encouraged to sign both commits and tags with their private keys. This can be particularly valuable for open-source projects or where code originates from diverse sources.  

 For this approach to be effective in practice, developers require an understanding of certificates and using them for signing. Developers must ensure that their private keys remain confidential, taking measures to store them securely and avoid potential exposure. They also should be trained to recognize signs of key compromise, such as unexpected commits. When compromise is detected, the associated key should be revoked immediately to mitigate potential risks. 

**Related information:**
+  [Signing Commits](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work#_signing_commits) 
+  [The GNU Privacy Guard](https://gnupg.org/)