Code Signing

docs/documentation/platform/pki/code-signing/overview.mdx

Code Signing is where teams digitally sign software artifacts (JARs, container images, Windows installers, Android APKs, Linux packages, scripts) without handing out the signing key: Infisical produces each signature centrally and records who requested it. Within Code Signing, you can:

  • Sign artifacts through any tool that supports PKCS#11, through Windows signtool via the Windows KSP, or directly via the Sign API
  • Require approvals before signatures are produced, with per-approval caps on the number of signatures and the time window they cover
  • Manage who can sign with per-Signer roles for users, machine identities, and groups
  • Track every signing operation in a full audit trail

Each Signer represents a single signing identity, like mobile-app-prod, firmware-release, or ci-staging-builds. Product Admins create Signers, attach a code-signing certificate, and assign team members. Teams then operate independently within their assigned Signers.

What's in a Signer?

<CardGroup cols={2}> <Card title="Certificate" icon="certificate"> The X.509 code-signing certificate the Signer uses, backed by an internal or external CA. </Card> <Card title="Members" icon="users"> Team members with Administrator, Operator, or Auditor roles on this Signer. </Card> <Card title="Approval policy" icon="check-double"> Optional review workflow before signatures are produced. </Card> <Card title="Activity" icon="clock-rotate-left"> Audit trail of every successful, failed, and denied signing operation. </Card> </CardGroup>

How a signing operation flows

```mermaid
sequenceDiagram
    participant Tool as Signing tool (jarsigner / cosign / ...)
    participant PKCS as PKCS#11 Module
    participant Infisical as Infisical
    participant CA as Certificate Authority

    Note over Infisical,CA: Once, when the Signer is created
    Infisical->>CA: Request code-signing cert
    CA-->>Infisical: Certificate

    Note over Tool,Infisical: Per signing operation
    Tool->>PKCS: Sign artifact
    PKCS->>Infisical: POST /signers/{id}/sign
    Infisical->>Infisical: Check access
    Infisical->>Infisical: Sign
    Infisical-->>PKCS: Signature
    PKCS-->>Tool: Signature attached to artifact
```

  1. A Product Admin creates a Signer and picks the CA that issues its certificate.
  2. The Admin adds members (users, machine identities, or groups) and picks a role for each.
  3. Optionally, the Admin attaches an approval policy so signing requires sign-off.
  4. Operators sign through the PKCS#11 module, the Windows KSP (signtool), or the Sign API. Infisical checks the caller's access, produces the signature, and records an audit entry on the Signer.

Signer roles

Members are assigned to Signers with one of three roles:

| Role | Capabilities |
| --- | --- |
| Administrator | Full control: edit settings, manage members, edit the approval policy, pre-approve signing, sign, export the certificate. |
| Operator | Sign artifacts and submit signing requests. Cannot change settings or members. |
| Auditor | Read-only: view members, activity, and the audit log. Cannot sign. |
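
To make the signing flow and the role table concrete, here is a small model of a Signer in Go. It is an added illustration, not Infisical's code and not its Sign API: the function names, the denial messages, the self-signed P-256 certificate standing in for the CA-issued one, and the sample artifact are all assumptions for the example, and the approval policy is not modelled. What it does show is the property the rest of this page relies on: the private key never leaves the Signer, the tool sends only a digest and gets back a signature, an Auditor's request is denied, a removed member is denied on the very next request, and every attempt lands in the audit trail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Role on a Signer. Only Operators and Administrators may sign.
type Role string
const Auditor, Operator, Administrator Role = "Auditor", "Operator", "Administrator"

// AuditEntry records one signing attempt, signed or denied.
type AuditEntry struct{ Member, Outcome, Digest string }

// Signer models one signing identity; the private key is held only here.
type Signer struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	members map[string]Role
	Audit   []AuditEntry
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewSigner stands in for the CA step with a self-signed P-256 code-signing cert (model assumption).
func NewSigner(name string) *Signer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Signer{Cert: cert, key: key, members: map[string]Role{}}
}

func (s *Signer) AddMember(id string, r Role) { s.members[id] = r }
func (s *Signer) RemoveMember(id string)      { delete(s.members, id) }
// Sign is the service side: check access, sign the caller's digest, audit either way.
func (s *Signer) Sign(member string, digest []byte) ([]byte, error) {
	entry := AuditEntry{Member: member, Digest: fmt.Sprintf("%x", digest)}
	if role, ok := s.members[member]; !ok {
		entry.Outcome = "denied: not a member"
	} else if role == Auditor {
		entry.Outcome = "denied: " + string(role) + " cannot sign"
	}
	if entry.Outcome != "" {
		s.Audit = append(s.Audit, entry)
		return nil, fmt.Errorf("%s: %s", member, entry.Outcome)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest)
	if err != nil {
		return nil, err
	}
	entry.Outcome = "signed"
	s.Audit = append(s.Audit, entry)
	return sig, nil
}

// Digest is the tool side: hash the artifact locally and send only the hash.
func Digest(artifact []byte) []byte {
	h := sha256.Sum256(artifact)
	return h[:]
}

// Verify is what a consumer of the artifact does with the Signer's certificate.
func Verify(cert *x509.Certificate, artifact, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, Digest(artifact), sig)
}

func main() {
	s := NewSigner("mobile-app-prod")
	s.AddMember("ci-release-bot", Operator)
	artifact := []byte("constructed stand-in for an APK") // constructed sample input
	sig, err := s.Sign("ci-release-bot", Digest(artifact))
	fmt.Println("signed:", err == nil, "verifies:", Verify(s.Cert, artifact, sig))
	s.RemoveMember("ci-release-bot") // revocation applies to the very next request
	_, err = s.Sign("ci-release-bot", Digest(artifact))
	fmt.Println("after removal:", err)
}
```

Run it with `go run`: the first request signs and verifies against the Signer's certificate, the request after `RemoveMember` is denied, and both appear in `Audit`. Verifiers need only the certificate, which is the contrast with a distributed .pfx drawn in the FAQ below.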

FAQ

<AccordionGroup> <Accordion title="How is this different from handing out a .pfx or .p12 file?"> When you distribute a key file, anyone with a copy can sign anything for the lifetime of the certificate, and you can't take that copy back. With a Signer, you can disable signing, revoke active access, or remove a member at any time, and that change takes effect immediately. </Accordion> <Accordion title="Do I have to require approval for every signature?"> No. A Signer can have no approval policy, in which case any member with sign rights can sign immediately and you still get a full audit trail. Approvals are optional and most useful for production releases or compliance-sensitive workloads. </Accordion> </AccordionGroup>

What's next?

<CardGroup cols={2}> <Card title="Create a Signer" icon="pen-nib" href="/documentation/platform/pki/code-signing/signers#create-a-signer"> The 4-step wizard. </Card> <Card title="Add an approval policy" icon="check-double" href="/documentation/platform/pki/code-signing/approvals#configure-the-approval-policy"> Require sign-off and cap per-approval limits. </Card> <Card title="Install the PKCS#11 module" icon="plug" href="/documentation/platform/pki/code-signing/pkcs11-module#installation"> Hook up your signing tools. </Card> <Card title="Sign your first JAR" icon="java" href="/documentation/platform/pki/guides/code-signing/jarsigner"> End-to-end walkthrough. </Card> </CardGroup>