Back to Infisical

Signers

docs/documentation/platform/pki/code-signing/signers.mdx

0.161.1213.3 KB
Original Source

A Signer is a single signing identity inside Code Signing. It bundles three things:

  • A code-signing certificate issued by a Certificate Authority
  • A list of members who are allowed to use it
  • An optional approval policy that decides whether signing needs sign-off

You'll typically have one Signer per real-world signing concern, such as mobile-app-prod, firmware-release, or ci-staging-builds.

What's in a Signer?

<CardGroup cols={2}> <Card title="Certificate" icon="certificate"> The X.509 code-signing certificate the Signer uses, backed by an internal or external CA. </Card> <Card title="Members" icon="users"> Users, machine identities, and groups. Each member has an Administrator, Operator, or Auditor role on this Signer. </Card> <Card title="Approval policy" icon="check-double"> Optional. Decides whether signing needs approval, who approves, and how each approval is bounded. See [Approvals](/documentation/platform/pki/code-signing/approvals). </Card> <Card title="Activity" icon="clock-rotate-left"> Audit trail of every successful, failed, and denied signing operation. </Card> </CardGroup>

Signer roles

RoleCapabilities
AdministratorEdit settings, manage members, edit the approval policy, pre-approve signing for others, sign, and export the certificate.
OperatorSign artifacts and submit signing requests. Export the certificate. Cannot manage members or the policy.
AuditorView members, activity, and the audit log. Export the certificate. Cannot sign or change anything.
<Info> The user who creates a Signer becomes its Administrator automatically. </Info>

Create a Signer

In Certificate Manager → Code Signing → Signers, click Create Signer. The wizard walks you through five steps in order: Basics, Certificate, Signing Key, Members, and Approval Policy.

<Steps> <Step title="Basics"> Pick a name for the Signer and (optionally) describe what it's for.
| Field | Description |
|-------|-------------|
| **Signer name** | A short, slug-friendly identifier (lowercase, dashes). Example: `mobile-app-prod`. The PKCS#11 module shows this as the **token label**. |
| **Description** | Optional. What this Signer is for, in plain English. Example: *iOS and Android production bundles*. |

Click **Next** to move on to the certificate.
</Step> <Step title="Certificate"> Choose which Certificate Authority issues the Signer's certificate and the identity on it.
| Field | Description |
|-------|-------------|
| **Certificate Authority** | The CA that issues the certificate. Internal CAs issue immediately. External CAs (AWS Private CA, Azure AD CS, DigiCert) issue asynchronously and the Signer enters **Pending** until the cert lands. |
| **Common Name** | The legal name shown on the certificate, for example `Acme Mobile, Inc.`. You can change it later; doing so reissues the certificate. |
| **Validity (days)** | How long each issued certificate is valid for. Default 365. |
| **Renew before (days)** | Optional, 1 to 30. Auto-renew this many days before expiry. Must be less than Validity. Leave empty to disable auto-renewal. |

<Note>
  Some CAs add extra fields on this step. Check your CA's documentation for any CA-specific options.
</Note>

Click **Next** to choose the signing key.
</Step> <Step title="Signing Key"> Decide where the signing key lives and which algorithm to use.
| Field | Description |
|-------|-------------|
| **Key source** | Where the signing key is generated. **Infisical** (default) lets Infisical generate and manage the key for you. **HSM** generates the key inside your own HSM through an [HSM Connector](/documentation/platform/pki/settings/hsm-connectors). Some CAs require an HSM-backed key and lock this to **HSM** (DigiCert code signing is one of them). |
| **HSM Connector** | The HSM Connector Infisical uses to reach your HSM. Set the Connector up first under **Certificate Manager > Settings > HSM Connectors**. Shown only when **Key source = HSM**. See [HSM Connectors](/documentation/platform/pki/settings/hsm-connectors). |
| **Key algorithm** | The signing key algorithm: `RSA-2048`, `RSA-3072`, `RSA-4096`, `ECDSA P-256`, `ECDSA P-384`, or `ECDSA P-521`. When **Key source = HSM** the choice is restricted to `RSA-2048`, `RSA-4096`, `ECDSA P-256`, or `ECDSA P-384`. |

Click **Next** to add members.
</Step> <Step title="Members"> Add the people and machine identities who will work with this Signer:
- **User**
- **Machine Identity**: a non-human caller (CI runner, build job, deploy script). Operator is the typical role.
- **Group**: a directory group. Everyone in the group inherits the role on this Signer.

The user who creates the Signer is added as Administrator automatically and cannot be removed at creation time. You can manage members later from the Signer's **Members** tab.

Click **Next** to set up the approval policy.
</Step> <Step title="Approval policy"> Decide whether this Signer needs approval before signing.
- **No approval required**: leave the policy empty. Members with sign rights can sign immediately. Recommended for dev and internal Signers.
- **Add approval steps**: require one or more sign-offs. See [Approvals → Configure the approval policy](/documentation/platform/pki/code-signing/approvals#configure-the-approval-policy) for the step editor and per-approval limits.

Press **Create Signer** to finish. Infisical issues the certificate (synchronously for internal CAs, asynchronously for external CAs) and the Signer appears in the list with a status badge.
</Step> </Steps>

HSM-backed Signers

When you pick Key source = HSM on the Signing Key step, pick the HSM Connector Infisical should use. The Key algorithm choices narrow to the HSM-supported subset. The private key never leaves the HSM and every sign operation routes through the linked Connector. Infisical only holds the public key and the issued certificate.

You can later switch an existing Signer between Infisical and HSM by reissuing the certificate with a different key source. Hit the reissue endpoint with a certificate.keySource body, plus hsmConnectorId when switching to HSM. The signer keeps its name, members, policy, and CA. Only the underlying key and the cert wrapping it change.

See HSM Connectors for the setup.

Signer statuses

StatusMeaning
PendingThe Signer is created but the certificate has not been issued yet. Most common with external CAs that take time to respond. The PKCS#11 module sees this slot but signing is rejected until the certificate lands.
ActiveCertificate issued and bound. Signing works, subject to the approval policy.
FailedIssuance failed. Hover the badge to see the reason. Use Retry issuance from the Options menu, or Edit a Signer to change the CA, Common Name, or Validity and try again.
DisabledManually disabled. Signing is blocked. Re-enable from the Options menu.
ExpiredThe certificate's notAfter has passed and no auto-renewal was configured (or the renewal failed). Reissue with a new validity period.

Edit a Signer

Open the Signer and choose Options → Edit settings. The edit sheet walks you through three steps: Basics, Certificate, and Signing Key. Changing the CA, identity, validity, or key triggers a fresh issuance, and the signer switches to the newly issued certificate.

<Steps> <Step title="Basics"> Update the Signer's identifying information. These never reissue the certificate.
- **Signer name**: rename freely. The PKCS#11 token label updates on the next refresh.
- **Description**: edit at will.

Click **Next** to edit the certificate.
</Step> <Step title="Certificate"> Change which CA issues the certificate and its identity.
- **Certificate Authority**: swap to another CA. Saving with a different CA reissues the certificate immediately from the new CA.
- **Reuse an existing order**: offered by some CAs (DigiCert code signing). Point the Signer at an existing order to reuse that order slot instead of placing a new one. Common Name and Validity are inherited from the order.
- **Common Name** and **Validity (days)**: edit them to change the identity on the certificate. Saving reissues the certificate with the new values, and the signer switches to the new certificate.
- **Renew before (days)**: edit any time, 1 to 30, must be less than Validity.

Click **Next** to edit the signing key.
</Step> <Step title="Signing Key"> Change where the key lives or which algorithm it uses. Both reissue the certificate with a new key.
- **Key source**: switch between Infisical and HSM. Switching to HSM requires picking an HSM Connector and a supported algorithm. CAs that require an HSM-backed key (such as DigiCert code signing) lock this to **HSM**.
- **HSM Connector**: shown when Key source is HSM.
- **Key algorithm**: pick a different algorithm. Changing it generates a new key and reissues the certificate.

<Note>
  Renewals always issue a new certificate from the same CA with a fresh key pair. Old artifacts remain valid under the old certificate. New sign operations use the new one.
</Note>

Press **Save** to apply the changes.
</Step> </Steps>

Signing with a Signer

To sign with a Signer, pick the integration that matches your tooling:

  • PKCS#11 module for cross-platform tools (jarsigner, cosign, osslsigncode, apksigner, openssl, gpg, and more).
  • Windows KSP for native signtool Authenticode signing on Windows.
  • Sign API to sign directly over HTTP.

FAQ

<AccordionGroup> <Accordion title="Can I reuse one certificate across multiple Signers?"> No. Every Signer has its own certificate. If you want different teams or different approval workflows against the same CA, create one Signer per team or workflow. Each gets its own certificate from that CA. </Accordion> <Accordion title="What's the difference between Disable and Delete?"> **Disable** is reversible. The Signer, its members, its policy, its history, and the certificate are all preserved, and sign calls just get rejected. Re-enable to resume.
**Delete** is permanent. The Signer and everything attached to it (members, policy, access records, audit log) is removed. The certificate object remains in the inventory unless you delete that separately.
</Accordion> <Accordion title="Why is my new Signer stuck in Pending?"> External CAs (AWS Private CA, Azure AD CS, DigiCert) issue asynchronously. Infisical polls the CA in the background and flips the Signer to **Active** once the certificate is delivered. AWS and Azure usually take seconds. DigiCert takes minutes to hours for an already-validated organization, and up to 3 business days the first time an organization is used for code signing while DigiCert validates it. If it stays Pending well beyond those windows, hover the badge. The failure reason appears there once the polling job gives up. </Accordion> <Accordion title="What happens to signed artifacts when I delete a Signer?"> Artifacts already signed remain valid as long as the certificate they were signed with is still valid and the verifier trusts the issuing CA's chain. Deleting the Signer in Infisical only removes Infisical's ability to sign new artifacts with that certificate. It does not invalidate past signatures. </Accordion> <Accordion title="Can I migrate an existing Signer between Infisical and an HSM?"> Yes. From the Signer detail page, open **Edit Signer > Signing Key** and change **Key source**. When switching to HSM, pick an HSM Connector and a supported algorithm (RSA-2048, RSA-4096, ECDSA P-256, or ECDSA P-384). Saving reissues the certificate with the new key. The signer keeps its name, members, approval policy, and CA. Only the key and the cert wrapping it change.
The same operation is available via the [reissue endpoint](/api-reference/endpoints/code-signing/signers/reissue) by passing `certificate.keySource` and (when switching to HSM) `hsmConnectorId`.

The previous certificate stays in the inventory. Delete or retire the old certificate before you try to delete the HSM Connector it referenced.
</Accordion> </AccordionGroup>

What's next?

<CardGroup cols={2}> <Card title="Approvals" icon="check-double" href="/documentation/platform/pki/code-signing/approvals"> Add approval steps and per-approval limits to a Signer. </Card> <Card title="HSM Connectors" icon="shield-halved" href="/documentation/platform/pki/settings/hsm-connectors"> Route the Signer's key operations to your own HSM. </Card> <Card title="PKCS#11 Module" icon="plug" href="/documentation/platform/pki/code-signing/pkcs11-module"> Use jarsigner, cosign, osslsigncode, and friends with this Signer. </Card> <Card title="Windows KSP" icon="windows" href="/documentation/platform/pki/code-signing/windows-ksp"> Sign with native `signtool` on Windows. </Card> </CardGroup>