Understanding Code Sign Manager - Self-Hosted

One of the primary challenges in code signing is protecting and monitoring the use of private code signing keys. A software publisher’s reputation and business depend on its customers’ ability to trust that the code it is distributing is authentic and safe to use. If the publisher’s private code signing keys are compromised, it opens the door for third parties to sign software as if it is from the software publisher itself.

In such a scenario, the software publisher must have the certificate revoked. While this will help correct the issue of unauthorized software being passed off as authentic, it also invalidates the digital signature of all authorized software that the publisher signed with that certificate.

A compromised code signing key exposes a software publisher to business disruptions and a damaged reputation in the marketplace.

The purpose of Code Sign Manager - Self-Hosted is to protect private code signing keys and govern the use of the keys it protects. Code Sign Manager - Self-Hosted mitigates the risk of unauthorized use of private code signing keys. Using the Code Sign Manager - Self-Hosted solution, you can do the following:

• Protect code signing keys, either in the Trust Protection Foundation Secret Store or on an HSM
• Restrict the use of keys only for specific purposes
• Allow keys to be used only by specific users
• Allow keys to be used only from specific IP addresses.
• Provide approval flows around the use of keys
• Audit the use of keys over time

This section introduces the concepts and provides an overview of how the Code Sign Manager - Self-Hosted solution works.