HSM (Hardware Security Module) codesigning is a method of digitally signing software using cryptographic keys that are stored inside a dedicated hardware device. Unlike software-based signing, where private keys were stored directly on the ISL Conference Proxy server, an HSM keeps the private key inside a tamper-resistant hardware device, so it can never be extracted or compromised. When a user downloads an application from ISL Conference Proxy, the server sends the hash of the file to the HSM via https://updates.islonline.com, which signs it using the private key stored inside and returns the signature, which is then attached to the downloaded application.
HSM codesigning was introduced in ISL Conference Proxy as a response to shifting industry standards. Software-based codesigning is being phased out, and many certificate authorities no longer offer standard code signing certificates. HSM-based codesigning is now the required standard by certificate authorities and platform vendors such as Microsoft and Apple, ensuring that private keys are stored and used only inside a dedicated hardware device at all times.
How HSM codesigning works
When a user downloads an ISL application from ISL Conference Proxy, the following process takes place:
1) Download - The user initiates the download of an ISL application from ISL Conference Proxy.
2) Hashing - ISL Conference Proxy generates a hash of the application file. A hash is a unique string of characters that represents the contents of the file.
3) Signing Request - ISL Conference Proxy sends the hash to the Cloud HSM via https://updates.islonline.com.
4) Signing - The HSM signs the hash using the private key stored inside the hardware device and returns the signature to ISL Conference Proxy.
5) Attaching the Signature - ISL Conference Proxy attaches the signature to the application file, which is then delivered to the user.
6) Verification - When the user runs the downloaded application on their Windows machine, Windows generates a new hash of the downloaded file. It then uses the public key from the certificate attached to the file to decrypt the signed hash and compares the two. If the hashes match, it confirms that the file has not been modified since it was signed. Windows also checks the timestamp of the signature to confirm that the file was signed while the certificate was still valid.
7) Installation/Execution - If all checks pass, Windows allows the application to run. If the signature is missing or any of the checks fail, Windows will display a warning to the user.
Note: The above is an example of how the verification is done on a Windows machine. The same procedure is done on other operating systems as well.
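The hash-then-sign flow from steps 2 to 6, as an added Python sketch that is not ISL Online's code: only the 32-byte digest reaches the key holder, and verification recovers the signed hash with the public key and compares it with a fresh hash of the file. The DemoHsm class, the function names and the demo RSA key (built from two publicly known primes) are assumptions for illustration; real Authenticode signatures also carry the certificate chain and the timestamp, which are not modelled here.

```python
import hashlib

# DEMO-ONLY RSA key built from two publicly known Mersenne primes so the
# example runs with the standard library alone. Never use it for real signing.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537            # public key, as carried in the certificate
K = (N.bit_length() + 7) // 8    # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(digest: bytes) -> bytes:
    """Pad a SHA-256 digest to modulus length (EMSA-PKCS1-v1_5)."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


class DemoHsm:
    """Hypothetical stand-in for the HSM: the private exponent stays inside."""

    def __init__(self) -> None:
        self._d = pow(E, -1, (_P - 1) * (_Q - 1))

    def sign_digest(self, digest: bytes) -> bytes:
        if len(digest) != hashlib.sha256().digest_size:
            raise ValueError("expected a 32-byte SHA-256 digest")
        m = int.from_bytes(encode_digest(digest), "big")
        return pow(m, self._d, N).to_bytes(K, "big")


def sign_file(data: bytes, hsm: DemoHsm) -> bytes:
    """Steps 2-4: hash locally, send only the digest, get the signature back."""
    return hsm.sign_digest(hashlib.sha256(data).digest())


def verify_file(data: bytes, signature: bytes) -> bool:
    """Step 6: recover the signed hash with the public key and compare."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return recovered == encode_digest(hashlib.sha256(data).digest())


if __name__ == "__main__":
    app = b"MZ constructed sample installer bytes"   # constructed input
    sig = sign_file(app, DemoHsm())
    print(verify_file(app, sig), verify_file(app + b"\x00", sig))
```

Because the key holder sees only a digest, it cannot inspect what it is signing; which files get hashed and submitted is decided entirely by the requesting server.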
Air-gapped ISL Conference Proxy installation
Since ISL Conference Proxy communicates with the Cloud HSM via https://updates.islonline.com to sign downloaded applications, this process will not work in air-gapped environments where internet access is restricted.
In such cases, the following workarounds are available:
- Allow access to https://updates.islonline.com
- Use an HTTP proxy that has access to https://updates.islonline.com
- Use a custom codesign method
Allow access to https://updates.islonline.com
If your environment allows it, this is the simplest and recommended solution, as it requires no additional configuration on the ISL Conference Proxy server.
Allow access to https://updates.islonline.com via TCP port 443 in the firewall settings, which allows ISL Conference Proxy to communicate with the Cloud HSM and sign downloaded applications as normal.
Using an HTTP proxy
If ISL Conference Proxy does not have direct internet access but has access to another machine that does, an HTTP proxy can be configured to allow ISL Conference Proxy to reach https://updates.islonline.com through it.
This can be configured in ISL Conference Proxy:
- Open localhost:7615/conf
- Navigate to “Configuration” → “Security”
- Find the setting “HTTP proxy for web client”
- Enter your HTTP proxy information (IP address or DNS name)
- Click “Save”
Note: If the proxy server allows it, it can be configured to only allow traffic to https://updates.islonline.com, which limits the exposure of the ISL Conference Proxy server to the internet and strengthens overall security.
Using a custom codesign method
ISL Conference Proxy supports the use of a custom code signing certificate and an external private key for codesigning, which can be located on a cloud HSM, a local HSM module, or a USB token. This allows codesigning to be done without the need for internet access, making it a suitable solution for air-gapped environments.
If your certificate authority still offers standard software-based Authenticode certificates, these can also be used. Note, however, that this is a legacy approach and may not be supported by all certificate authorities.
For more information, see our Using a Custom Code Signing Certificate guide.