What SolarWinds taught us about the importance of a secure code signing system

Last year’s SolarWinds attack was caused by intruders who managed to inject Sunspot malware into the software supply chain. The hackers exploited a breach in the SolarWinds code signing system, which allowed them to fraudulently distribute malicious code as legitimate updates to installations across the world. While this attack taught the industry many lessons, one of the most important takeaways is to properly sign code that will be distributed and executed. 

Attacks like that of SolarWinds have even prompted the White House to issue a recent executive order requiring organizations working with the government to secure their supply chain and ensure code signing and other elements are properly secured as part of a zero-trust architecture and multi-factor authentication requirements.

Code signing is commonly used to protect all types of software modules and executables. Software drivers, applications, installation files, scripts, and firmware modules in vehicles or industrial systems can all be signed with PKI (Public Key Infrastructure)-based keys and certificates, providing a mechanism to trust that the code provided is legitimate. Code signing has been used for decades, but the need for secure code signing solutions has increased in the recent past, as demonstrated in the aftermath of the SolarWinds attack.

Ensuring Secure Code Signing

Protecting the signing keys and certificates are crucial in any code signing software system, and (HSMs) hardware security modules offer a secure way to generate, store and protect cryptographic keypairs and X.509 certificates on secure, purpose-built hardware. For organizations with increasingly high demands on IT security or those in regulated industries or high-risk environments, FIPS 140-2 certified HSMs are recommended or even mandatory for such deployments. 

Yubico offers the YubiHSM 2 and the YubiHSM 2 FIPS for protecting keys and certificates for signing code. For organizations that need to meet the FIPS 140-2 requirements, they have the option of a FIPS 140-2, Level 3 validated HSM if they are in regulated industries or high-risk environments, to ensure the highest levels of data protection. 

There are different cryptographic APIs for signing different types of code: The Microsoft Cryptographic API Next Generation (CNG) is designed for signing Windows executables, while the Java Cryptographic Architecture (JCA) can be used for signing Java code and JAR-files. 

The YubiHSM2 and YubiHSM 2 FIPS can both be used with both APIs for signing code. On Microsoft Windows, the YubiHSM 2 KSP extends the Microsoft CNG architecture, which allows for the Microsoft SignTool to sign Windows executables with keys and X.509 certificates that are stored in the YubiHSM 2.

As regards to the Java Cryptography Architecture (JCA), the YubiHSM 2 PKCS#11 module can be loaded by the native Oracle SunPKCS11 provider. We have recently published a reference implementation package on GitHub YubicoLabs with scripts and deployment instructions for certificate enrollment to the YubiHSM 2. Once the X.509 certificate is enrolled to the YubiHSM 2, it can be used with the Java tool Jarsigner or third-party applications for Java code signing.

SolarWinds also taught us that the source code repository must be safely managed to ensure that only proper code modules are signed. This puts additional requirements on signing the source code in a secure environment, preferably where the HSM with the code signing certificate is located.

There can also be industry specific demands on the code signing process, in particular for segments that are specifically exposed to SolarWinds type supply chain attacks. For instance, in the transportation sector there are cases where customized code modules are deployed in vehicles that travel across the world. Security is essential when deploying code in vehicles, so the code modules, in many cases, are signed to guarantee the integrity and authenticity. This means that the HSMs with the signing certificates often have to be distributed to remote locations, requiring building a PKI based chain to ensure the validity of the data from origin to where the code is ultimately deployed to, and providing a signature and verification for each step of the way in the supply chain.

Yubico recommends protecting code signing keys and certificates on an HSM, to protect Java and Windows solutions from a SolarWinds type of supply chain attacks. The YubiHSM 2 and YubiHSM 2 FIPS, which come in a portable nano form factor and offer a cost-effective price/performance ratio, are well-suited for such  deployments. This makes them well suited for cost-efficient, distributed and secure code signing.

For common usage of the YubiHSM 2 and the YubiHSM 2 FIPS, please visit the Yubico developer web site.

Talk to our teamTalk to our team

Share this article:


  • CEO Corner: Entering the second half of 2025 with momentumAs we continue to move further into the second half of 2025, I want to share a look back at our journey so far this year and as well as lay out Yubico’s strategic path ahead.  Resurgence in order growth and key segment wins While net sales declined for Q2, the end of the quarter […]Read moreCEOCEO CornerEarningsMattias Danielsson
  • Survey says: Your dog’s name isn’t a passwordWe all know we should be protecting our digital lives, but what are Americans actually doing? Yubico recently commissioned a survey, conducted by Talker Research, which asked 5,000 Americans in 10 major metro cities across the U.S. about their online security habits. Here’s a closer look at what they found (hint: they’re not as secure as they […]Read moreCompany Newssurvey
  • Passkeys are winning, but security leaders must raise the barPasswords are on their way out. In their place is a new form of login called passkeys that promises stronger security and less frustration. All passkeys offer the rare combination of improved usability and stronger security, especially when compared to passwords alone. But unless we act now, millions could be left more vulnerable than ever. […]Read moreDevice-bound passkeysHardware passkeypasskeyssynced passkeys
  • Your top YubiKey questions, answeredOver the 10+ years I’ve been at Yubico, I’ve had the pleasure of meeting customers, partners and many others talking about digital security. While every conversation is different, I am often asked many of the same questions about YubiKeys. One thing remains consistent: many people know they need better security, but they’re not sure what […]Read moreFAQYubiKey