
Code Signing

docs/documentation/platform/pki/code-signing/overview.mdx


Code Signing is where teams digitally sign software (JARs, container images, Windows installers, Android APKs, Linux packages, scripts). Within Code Signing, you can:

  • Sign artifacts through any tool that supports PKCS#11, or directly via the Sign API
  • Require approvals before signatures are produced, with per-approval limits on count and time
  • Manage who can sign with per-Signer roles for users, machine identities, and groups
  • Track every signing operation in a full audit trail

Each Signer represents a single signing identity, like mobile-app-prod, firmware-release, or ci-staging-builds. Product Admins create Signers, attach a code-signing certificate, and assign team members. Teams then operate independently within their assigned Signers.

What's in a Signer?

<CardGroup cols={2}> <Card title="Certificate" icon="certificate"> The X.509 code-signing certificate the Signer uses, backed by an internal or external CA. </Card> <Card title="Members" icon="users"> Team members with Administrator, Operator, or Auditor roles on this Signer. </Card> <Card title="Approval policy" icon="check-double"> Optional review workflow before signatures are produced. </Card> <Card title="Activity" icon="clock-rotate-left"> Audit trail of every successful, failed, and denied signing operation. </Card> </CardGroup>

How a signing operation flows

```mermaid
sequenceDiagram
    participant Tool as Signing tool (jarsigner / cosign / ...)
    participant PKCS as PKCS#11 Module
    participant Infisical as Infisical
    participant CA as Certificate Authority

    Note over Infisical,CA: Once, when the Signer is created
    Infisical->>CA: Request code-signing cert
    CA-->>Infisical: Certificate

    Note over Tool,Infisical: Per signing operation
    Tool->>PKCS: Sign artifact
    PKCS->>Infisical: POST /signers/{id}/sign
    Infisical->>Infisical: Check access
    Infisical->>Infisical: Sign
    Infisical-->>PKCS: Signature
    PKCS-->>Tool: Signature attached to artifact
```

  1. A Product Admin creates a Signer and picks the CA that issues its certificate.
  2. The Admin adds members (users, machine identities, or groups) and picks a role for each.
  3. Optionally, the Admin attaches an approval policy so signing requires sign-off.
  4. Operators sign through the PKCS#11 module or the Sign API. Infisical produces the signature and records an audit entry on the Signer.

Signer roles

Members are assigned to Signers with one of three roles:

| Role | Capabilities |
| --- | --- |
| Administrator | Full control: edit settings, manage members, edit the approval policy, pre-approve signing, sign, export the certificate. |
| Operator | Sign artifacts and submit signing requests. Cannot change settings or members. |
| Auditor | Read-only: view members, activity, and the audit log. Cannot sign. |
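The access check in the flow above and the role table are easiest to reason about as a small model: who may sign, how a pre-approval's count and time limits are consumed, and why every denial still lands in the audit trail. The following is an added example written for this page, not Infisical's own code or API: the `Signer`, `Approval` and `ROLE_CAPABILITIES` names, the member identities, and the HMAC-over-SHA-256 stand-in for the real certificate-backed signature are all constructed for illustration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Capabilities per Signer role, as listed in the roles table above.
# (Hypothetical capability names; the real product's internal names are not on this page.)
ROLE_CAPABILITIES = {
    "Administrator": {"view", "sign", "pre_approve", "manage_members",
                      "edit_policy", "export_certificate"},
    "Operator": {"view", "sign"},
    "Auditor": {"view"},
}


@dataclass
class Approval:
    """A pre-approval carrying the per-approval limits on count and time."""
    remaining: int        # signatures this approval still covers
    expires_at: float     # unix timestamp after which it no longer applies


@dataclass
class Signer:
    """Model of one signing identity (e.g. mobile-app-prod) with members and audit trail."""
    name: str
    signing_key: bytes                      # stand-in for the certificate's private key
    members: dict = field(default_factory=dict)    # identity -> role name
    require_approval: bool = False
    enabled: bool = True
    approvals: dict = field(default_factory=dict)  # identity -> Approval
    audit: list = field(default_factory=list)      # one entry per success or denial

    def _record(self, identity, outcome, detail):
        self.audit.append({"signer": self.name, "identity": identity,
                           "outcome": outcome, "detail": detail})

    def can(self, identity, capability):
        role = self.members.get(identity)
        return role is not None and capability in ROLE_CAPABILITIES[role]

    def remove_member(self, admin, identity):
        if not self.can(admin, "manage_members"):
            raise PermissionError(f"{admin} may not manage members of {self.name}")
        self.members.pop(identity, None)
        self.approvals.pop(identity, None)   # revocation takes effect immediately

    def pre_approve(self, admin, identity, count, ttl_seconds, now=None):
        if not self.can(admin, "pre_approve"):
            raise PermissionError(f"{admin} may not pre-approve on {self.name}")
        now = time.time() if now is None else now
        self.approvals[identity] = Approval(count, now + ttl_seconds)

    def sign(self, identity, artifact, now=None):
        """Return a hex signature, or None (with an audit entry) when the request is denied."""
        now = time.time() if now is None else now
        if not self.enabled:
            self._record(identity, "denied", "signer disabled")
            return None
        if not self.can(identity, "sign"):
            self._record(identity, "denied", "no sign right")
            return None
        if self.require_approval:
            ap = self.approvals.get(identity)
            if ap is None or ap.remaining <= 0 or now > ap.expires_at:
                self._record(identity, "denied", "no valid approval")
                return None
            ap.remaining -= 1            # consume one signature from the approval
        digest = hashlib.sha256(artifact).digest()
        # HMAC over the digest stands in for the real certificate-backed signature.
        signature = hmac.new(self.signing_key, digest, hashlib.sha256).hexdigest()
        self._record(identity, "success", digest.hex())
        return signature


def run_demo():
    """Walk the flow with constructed members; returns the audit outcomes in order."""
    s = Signer("mobile-app-prod", b"constructed-demo-key",
               members={"alice": "Administrator", "ci-bot": "Operator", "bob": "Auditor"},
               require_approval=True)
    t0 = 1_700_000_000.0
    s.sign("bob", b"app.apk", now=t0)                       # denied: Auditor cannot sign
    s.sign("ci-bot", b"app.apk", now=t0)                    # denied: no approval yet
    s.pre_approve("alice", "ci-bot", count=2, ttl_seconds=600, now=t0)
    s.sign("ci-bot", b"app.apk", now=t0 + 60)               # success (1 of 2)
    s.sign("ci-bot", b"app-v2.apk", now=t0 + 120)           # success (2 of 2)
    s.sign("ci-bot", b"app-v3.apk", now=t0 + 180)           # denied: count exhausted
    s.pre_approve("alice", "ci-bot", count=5, ttl_seconds=600, now=t0)
    s.sign("ci-bot", b"app.apk", now=t0 + 601)              # denied: approval expired
    s.remove_member("alice", "ci-bot")
    s.sign("ci-bot", b"app.apk", now=t0 + 602)              # denied: member removed
    return [e["outcome"] for e in s.audit]


if __name__ == "__main__":
    print(run_demo())
```

Two points the model makes visible: a denial is recorded before any key material is touched, so the Activity view sees attempts as well as signatures, and removing a member also drops any outstanding approval, which is what "takes effect immediately" in the FAQ has to mean in practice.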

FAQ

<AccordionGroup> <Accordion title="How is this different from handing out a .pfx or .p12 file?"> When you distribute a key file, anyone with a copy can sign anything for the lifetime of the certificate, and you can't take that copy back. With a Signer, you can disable signing, revoke active access, or remove a member at any time, and that change takes effect immediately. </Accordion> <Accordion title="Do I have to require approval for every signature?"> No. A Signer can have no approval policy, in which case any member with sign rights can sign immediately and you still get a full audit trail. Approvals are optional and most useful for production releases or compliance-sensitive workloads. </Accordion> </AccordionGroup>

What's next?

<CardGroup cols={2}> <Card title="Create a Signer" icon="pen-nib" href="/documentation/platform/pki/code-signing/signers#create-a-signer"> The 4-step wizard. </Card> <Card title="Add an approval policy" icon="check-double" href="/documentation/platform/pki/code-signing/approvals#configure-the-approval-policy"> Require sign-off and cap per-approval limits. </Card> <Card title="Install the PKCS#11 module" icon="plug" href="/documentation/platform/pki/code-signing/pkcs11-module#installation"> Hook up your signing tools. </Card> <Card title="Sign your first JAR" icon="java" href="/documentation/platform/pki/guides/code-signing/jarsigner"> End-to-end walkthrough. </Card> </CardGroup>