How do companies store private keys offline but still sign code with them?

Question

I've heard that companies store their private keys offline "in a safe that will never be opened" and stuff like that (the context for this is a console developer like Microsoft keeping the Xbox private keys offline in a safe).

How would they still sign code with their private keys if they're fully locked away? Does someone go and physically get the keys to sign the code? Is this a figure of speech that I don't understand?

Answer 1

By having a chain of trust:

• The master key itself is kept in a safe, airgapped from the evil Internet.
• Once in a blue moon, that key is taken out of the safe and used to sign an intermediate key.
• That intermediate key is what is used to sign code on a day-to-day basis.

Validation of the code on an end user's device is then a matter of asking "has this code been correctly signed with a key which itself was signed by the master key?" The advantage of all this is that if an intermediate key is compromised, it can easily be revoked and a new one generated without needing to change the end user devices - all they care about is the root of trust, the master key.

(Small disclaimer: I don't actually know how big software houses do this, but this is how the SSL CAs work, and they're effectively solving the same problem).

Answer 2

The "safe that will never be opened" is probably a figure of speech.

On the other hand, such private keys are of very great (economic) value to a company like Microsoft, so they will be protected very carefully. I can fully imagine that those keys are really stored in a safe that is only accessible to less than a handful of people who are trusted enough to sign the released code.