CodeSign Protect architecture
The CodeSign Protect solution consists of the following components:
- Trust Protection Platform server with CodeSign Protect enabled. Throughout this article, this is referred to as the CodeSign Protect server.
- Venafi Code Signing Clients, installed on the Windows, Linux, or macOS workstations from which code will be signed
- Optionally, a Hardware Security Module (HSM) connected to the CodeSign Protect server to generate and store private code signing keys
All code signing private keys are stored in either the CodeSign Protect Secret Store or in an attached HSM.
Venafi Code Signing Clients
The Venafi Code Signing Clients link code signing workstations to the CodeSign Protect server, which stores and manages use of private code signing keys. The Venafi Code Signing Clients communicate with the CodeSign Protect server over a TLS-encrypted REST API. Venafi CodeSign Protect currently supports RSA, Elliptic Curve, and experimental post-quantum code signing keys. The following Code Signing Connectors are available:
- Windows: CSP/KSP, PKCS#11, and GPG clients
- Linux: PKCS#11 and GPG clients
- macOS: PKCS#11, Keychain Access, and GPG clients
During Code Signing Client configuration, you will provide the address of the CodeSign Protect server you want to connect to and whether you want an access grant for the current user, local machine, or both. These options are described in the next section.
For more information on installing the Code Signing Clients, see Install CodeSign Protect Clients on signing workstations. For more information about using the clients, see the sections for PKCS#11, CSP, GPG, and Keychain Access.
Trust Protection Platform server
The CodeSign Protect server is the central orchestrator of the CodeSign Protect solution, and its job is to protect and govern the use of private code signing keys. All the keys are stored in either the CodeSign Protect Secret Store or on an HSM. The CodeSign Protect server performs the following functions:
- Authenticates users
- Issues certificate signing requests for approved code signing projects
- Stores code signing certificates
- Stores and protects private code signing keys
- Receives code signing requests
- Enforces permitted uses of private code signing keys
- Manages code signing request flows
- Returns signed hash to the requesting workstation
IMPORTANT The role of Venafi CodeSign Protect is to protect private code signing keys and to govern the use of those keys. Venafi CodeSign Protect itself does not sign code.
To facilitate authentication and virtual HSM functions, CodeSign Protect uses these two endpoints:
Hardware Security Module (HSM)
As an optional feature, CodeSign Protect can sign code with keys that are generated on, and reside on, a Hardware Security Module (HSM). When the private key is on the HSM, only a reference to that key is stored in the CodeSign Protect Secret Store. When a request is made to sign a hash with that key, CodeSign Protect forwards the request to the HSM. The signing occurs on the HSM, which returns the signed hash to the CodeSign Protect server. In turn, the CodeSign Protect server returns the signed hash to the requesting Code Signing Client (for example, the CSP).
Using an HSM for code signing requires a supported HSM and activation of Venafi Advanced Key Protect, which is a separately licensed component.
For more information about HSM integration with Trust Protection Platform, see Managing system encryption keys.
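The request flow described in the server and HSM sections above, as an added Go example that is not Venafi's code: the workstation hashes the artifact, only the digest (with the requesting user and key name) crosses the REST API, and the server checks the key's permitted users and returns nothing but the signed hash. The policy model, the key name "release-key", the users and the artifact bytes are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyEntry models one Secret Store record: the key (a software key here; an HSM-backed
// handle implementing crypto.Signer fits the same slot) and its permitted users.
type KeyEntry struct {
	Signer    crypto.Signer
	Permitted map[string]bool
}

type Server struct{ Keys map[string]KeyEntry } // stands in for the CodeSign Protect server

// HashArtifact runs on the workstation; only its result crosses the REST API.
func HashArtifact(artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return d[:]
}

// Sign receives user, key name and digest (never the artifact or the key), enforces the
// key's permitted users, then signs the digest. A missing key has a nil map, so it is denied.
func (s *Server) Sign(user, keyName string, digest []byte) ([]byte, error) {
	e := s.Keys[keyName]
	if !e.Permitted[user] {
		return nil, fmt.Errorf("user %q may not use key %q", user, keyName)
	}
	return e.Signer.Sign(rand.Reader, digest, crypto.SHA256)
}

// Verify is what a consumer of the signed artifact does with the certificate's public key.
func Verify(pub crypto.PublicKey, artifact, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(ecPub, HashArtifact(artifact), sig)
}

// NewDemoServer holds one constructed P-256 key that only user "alice" may use.
func NewDemoServer() (*Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{Keys: map[string]KeyEntry{"release-key": {Signer: priv, Permitted: map[string]bool{"alice": true}}}}, nil
}
```

A real deployment replaces the in-memory map with the Secret Store or HSM and the user string with the authenticated identity from the access grant; the shape of what crosses the wire is the point.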