In light of potential vulnerabilities that can be foreseen with regard to the unsecured storage of code-signing private keys, Thawte highly advocates to all code-signing customers to adhere to stringent private key management in order to protect your business and reduce the risk or stolen, misplaced or compromised code-signing private keys.
The following are the code-signing best practice solutions which Thawte strongly recommends to our customers for secure code-signing private key protection:
If neither of the above two mentioned options are feasible, the alternative method is to choose another type of hardware storage token with a unit design form factor of SD Card or USB token (not necessarily certified as conformant with FIPS 140 Level 2 or Common Criteria EAL 4+). In the case of this solution you should ensure to keep the token physically separate from the device that hosts the code signing function until a signing session is begun.
At no stage should you leave code-signing private keys unsecured in a web browser or share code-signing private-keys with a third party (known or unknown) as to do so will dramatically increase the risk of bad actors having the capability to compromise your code-signing service and thus enhances the likelihood of the distribution of malware signed by your organization.