One of the ZoTrus five principles is "Zero trust application software without a trusted identity, but only trusting application software with trusted digital signature and timestamp." This principle is an effective way to protect computer system security. Windows has zero trust for software without digital signatures, because without a digital signature the true identity of the software developer cannot be proven and it is impossible to guarantee that the software is not malicious. Of course, even a digital signature does not guarantee that the software is free of malicious code, so Windows still performs further checks. Windows provides the SmartScreen reputation accumulation mechanism to allow each software developer with a digital signature to build reputation. To gain trusted reputation immediately, the software developer needs to use an EV code signing certificate to digitally sign the code; the signed software then immediately gains reputation and can be installed smoothly.
This mechanism, which constantly verifies the software developer's identity, is a zero trust security mechanism. It effectively protects the security of the Windows operating system and, of course, of various China-developed operating systems. This signature verification mechanism is also very suitable for all OTA (Over-The-Air) software updates. Only upgrade packages that are downloaded through HTTPS encrypted channels and carry trusted digital signatures are trusted, which effectively ensures the security of software upgrades on device systems. Furthermore, to prove the trustworthiness of the code signing time, a timestamp signature must also be added during code signing. This represents zero trust in the software code's generation and release times. Only by adding a timestamp signature, and verifying that timestamp signature every time the software code is run, can it be guaranteed that the code signature still proves its trusted identity even after the code signing certificate expires.
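The timestamp behaviour described above can be checked on a Windows host. The following PowerShell is an added example, not code from ZoTrus or Microsoft; the function name `Get-SignatureTimestampReport` and the default scan path are assumptions chosen for illustration. It uses the built-in `Get-AuthenticodeSignature` cmdlet to flag signed files that carry no timestamp and files whose signature still verifies only because of one.

```powershell
# Added example: report Authenticode signature and timestamp state per file.
# Get-SignatureTimestampReport is a hypothetical helper name, not a built-in cmdlet.
function Get-SignatureTimestampReport {
    param(
        [string]$Path   = "$env:SystemRoot\System32",  # assumed default scan root
        [string]$Filter = '*.exe'
    )

    $now = Get-Date
    Get-ChildItem -Path $Path -Filter $Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate
            $tsa    = $sig.TimeStamperCertificate

            # Classify the file by what the signature and timestamp can prove.
            $finding = if ($sig.Status -eq 'NotSigned') {
                'Unsigned: no developer identity to verify'
            } elseif ($sig.Status -ne 'Valid') {
                "Rejected: $($sig.Status)"
            } elseif (-not $tsa) {
                'Valid, no timestamp: depends on the signer certificate staying in date'
            } elseif ($signer.NotAfter -lt $now) {
                'Valid only because of the timestamp: signer certificate has expired'
            } else {
                'Valid and timestamped'
            }

            [pscustomobject]@{
                File          = $_.Name
                Status        = $sig.Status
                SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
                Timestamped   = [bool]$tsa
                Finding       = $finding
            }
        }
}

# Show the files that deserve attention first.
Get-SignatureTimestampReport |
    Where-Object { $_.Finding -ne 'Valid and timestamped' } |
    Sort-Object Finding |
    Format-Table -AutoSize
```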
Implementing digital signatures for software code requires a code signing certificate. To protect the private key of this certificate, starting June 1, 2023, all types of code signing certificates must keep the private key in a USB Key or HSM (Hardware Security Module) that meets FIPS 140-2 Level 2 or Common Criteria EAL 4+. Code signing certificates with software-stored keys are no longer supported. After completing user identity validation, the CA generates the private key and imports the certificate into a compliant USB Key, then delivers the USB Key hardware to the user from the US or Europe. This process typically takes 10-15 days, which is the first hurdle users encounter: waiting! And it's not just waiting; there are also shipping costs as high as $50!
The second challenge is the ever-shortening validity period of code signing certificates. Currently, the validity period is 3 years, but on March 1, 2026, it will be shortened to one year and 3 months (15 months). This means that from March 2026 onwards, users can only purchase one-year certificates, and they will have to pay to have the USB Key shipped from the United States every year. They will also have to wait every year to receive the hardware UKey certificate before they can sign code. What if there are bugs in the software and an update is urgently needed? This is the second hurdle that users encounter: not only do they have to wait, but they must wait every year!
This trend of continuously shortening the validity period of code signing certificates can also be seen in SSL certificates: their validity period will be shortened to 47 days on March 15, 2029. It is foreseeable that the validity period of code signing certificates will also continue to shorten and will not remain at one year. This is because the traditional cryptographic algorithms RSA/ECC/SM2 cannot resist quantum computing attacks, which would make the code signing mechanism that guarantees the trusted identity of software code no longer effective. The current solution is to continuously shorten the certificate validity period to shorten the attack window, while actively promoting the implementation of digital signatures using post-quantum cryptographic algorithms.
ZoTrus Technology is also a user of code signing certificates because ZT Browser releases versions regularly, requiring a large amount of code to be digitally signed. Therefore, ZoTrus deeply understands the pain points software developers face regarding code signing. Application security is one of ZoTrus Technology's five planned zero trust + cryptographic technology solutions. After completing the most important website security solution, ZoTrus Technology invested its R&D resources to perfectly solve the two challenges faced by code signing.
Many computer hardware products manufactured in China require Microsoft logo certification, also known as the Partner Center for Windows Hardware. This program designates six Certificate Authorities (CAs) to issue EV code signing certificates to users. Four of these CAs are in the United States, and two are in Europe. This is why users in China need to wait for USB Key certificates to be shipped from the US or Europe. To solve the first challenge of waiting, there are two solutions: provide users with code signing cloud services, or have the CAs agree to use China-made USB Keys and ship them to users from China. ZoTrus Technology's solution addresses these two challenges, rather than simply acting as a reseller of code signing certificates from CAs.
Currently, some CAs offer cloud code signing services, allowing users to sign software code immediately after finishing the identity validation and certificate issuance, without waiting for a USB Key to be shipped from overseas. However, these cloud code signing services have the following three problems:
The ZoTrus code signing cloud service completely solves these problems, and its main features include:
ZoTrus code signing cloud service not only solves the problem of users having to wait for UKeys to be shipped from overseas, but also addresses the issue of ever-decreasing code signing certificate validity periods. Regardless of how many days the validity period is shortened in the future, users only need to focus on the cloud signing service's validity period. Within the purchased service period, users don't need to worry about the certificate's expiration; ZoTrus cloud signing service system will automatically update the certificate on schedule, ensuring that users have a certificate available for signing within the service's validity period. This perfectly solves two challenges in code signing applications.
ZoTrus Code Signing Cloud Service follows the Cloud Signing API standards released by the Cloud Signature Consortium. This not only strongly ensures the quality of the cloud signing service but, more importantly, provides users who have development capabilities with an API based on international standards, making it convenient for them to integrate automated code signing into their code automation management systems.
For users who still prefer to use USB Key certificates for local signing, ZoTrus Technology offers a better solution than its competitors. Users don't need to wait for USB Key certificates to be shipped from overseas; they can receive the USB Key certificates directly from Shenzhen via SF Express, with delivery as fast as the same day, within 24 hours.
ZoTrus Technology, in collaboration with CAs and China USB Key manufacturers, rigorously tests USB Keys to ensure they meet the relevant international standards. This allows code signing certificates to use China-made UKeys directly, and these UKeys remain usable. When a code signing certificate expires, there's no need to ship a new UKey; the same UKey can be used to renew the certificate. Other CAs require a new UKey to be shipped from overseas for each renewal, which adds cost for the user and prevents immediate renewal. With ZoTrus Technology's solution, a renewed certificate is usable immediately, without waiting for a UKey to arrive.
Code signing is the most powerful technical means to ensure the trustworthiness of software identity and the security of operating systems. However, China-made operating systems have not yet implemented a unified, standard, multi-level code signing verification mechanism like that of Windows, nor have they issued a unified code signing standard. ZoTrus Technology plans to refer to the code signing mechanism of Microsoft Windows and the code signing practices of China operating systems to provide users with a dual-algorithm code signing service, ensuring that every signature is a dual-algorithm dual signature with a dual-algorithm dual timestamp signature. In this way, Windows can verify RSA/ECC algorithm digital signatures and timestamps, while China operating systems can verify SM2 algorithm digital signatures and timestamps.
In order to address the security threats posed by quantum computing to digital signatures using traditional cryptographic algorithms, ZoTrus Technology is also tracking international standards and plans to provide users with a hybrid signature scheme that combines traditional cryptographic algorithms (RSA/ECC/SM2) and post-quantum cryptographic algorithms (ML-DSA) as soon as possible. This will enable systems that do not support the PQC algorithm to verify digital signatures using traditional cryptographic algorithms, while systems that support the PQC algorithm will verify PQC signatures, thus effectively ensuring the continued security and effectiveness of software code in the quantum era.
The code signing value-added services mentioned above will be completely free, continuously ensuring the security of users' software code. Welcome to choose our unique application security solution.