Approving or rejecting use of code signing keys

Flows can be configured to require approval before using code signing keys. When approval is required in a Flow, the approver receives a notification email. Normally, a key use approval request is sent after a key user attempts to sign with the key, which allows the approver to view the specifics of the signing request and decide whether to approve it.

In certain circumstances, however, it may be useful to pre-approve the use of a signing key. When pre-approval is granted, the normal approval steps defined in the Flow are bypassed.

NOTE  For information on creating Flows and the different types of approvals, see Create Flows.

Approving a single key use request

The key use approver defined in the Project should follow these steps to manage a signing request that requires approval.

Step 1: Open the key use request

  1. Sign in to CodeSign Protect at https://[tpp-server]/codesign-protect.

  2. Click Approvals, and then select Pending Approvals from the Approvals page drop-down. A list of pending key use approvals opens.

  3. For the request you want to approve, click on the date and time in the Requested On column. This opens the signing request details.

Step 2: Review the signing request

The details of the signing request are shown in the Signing Request modal. Review the details of the request to determine whether to approve or reject.

To learn more about the request identifier and the request identification fields, see Learn more about how request identification works.

Step 3: Approve or reject the signing request

To approve the request

In the Key Usage section, there are a number of different approval options:

  • Unlimited Use. Allows unlimited use of the key.

    If you select this option, you are required to set an Expire after date and time for this unlimited use approval.

    NOTE  If you don't see the Unlimited Use option, it's because your Code Signing Administrator has disabled it. See Default Flows tab for more information.

  • Limited Use. Allows the Key Use Approver to select a specific number of signings this user is allowed for this key. When the number is met, a new approval must be requested and approved.

    Optionally, you can set a date and time when this approval should expire using the Expire after option. Once that date and time is met, a new signing request must be issued and a new approval given.

Once you've set the approval parameters, click Approve. The Key User will be notified of the approval, at which point the approval request needs to be run again.

To reject the request

To reject the signing request, add your justification in the Comment field, and then click Reject. The comment will be logged and also sent to the Key User.

Bulk approving multiple key use requests

While it is recommended to manage each approval request individually, Key Use Approvers do have the option to approve or reject requests in bulk.

  1. Sign in to CodeSign Protect at https://[tpp-server]/codesign-protect.

  2. Click Approvals, and then select Pending Approvals from the Approvals page drop-down. A list of pending key use approvals opens.

  3. For the requests you want to approve or reject, click the checkbox next to each request.

  4. Click either Approve or Reject in the top button bar.

    To approve the request

    In the Key Usage section, there are a number of different approval options:

    • Unlimited Use. Allows unlimited use of the key.

      If you select this option, you are required to set an Expire after date and time for this unlimited use approval.

      NOTE  If you don't see the Unlimited Use option, it's because your Code Signing Administrator has disabled it. See Default Flows tab for more information.

    • Limited Use. Allows the Key Use Approver to select a specific number of signings this user is allowed for this key. When the number is met, a new approval must be requested and approved.

      Optionally, you can set a date and time when this approval should expire using the Expire after option. Once that date and time is met, a new signing request must be issued and a new approval given.

    Once you've set the approval parameters, click Approve. The Key User will be notified of the approval, at which point the approval request needs to be run again.

    To reject the request

    To reject the signing request, add your justification in the Comment field, and then click Reject. The comment will be logged and also sent to the Key User.

Pre-Approving key use

For Environments that use a Flow that includes both a Pre-Approval action and one or more Approval actions, Key Use Approvers can pre-approve key use either by calling the AddPreApproval API or by using Aperture.

IMPORTANT  Once a pre-approval is granted, it cannot be edited or canceled. It closes either when it's used or its date expires.

To use the AddPreApproval API, see POST Codesign/AddPreApproval.

To use the web interface, follow these steps:

  1. Sign in to the CodeSign Protect web interface at https://[tpp-server]/codesign-protect.

    NOTE  Only the Key Use Approver role can pre-approve key use.

  2. Click Projects, and then select the Project that contains the Environment you want to add a pre-approval for.

  3. Click the Environments tab.

  4. For the Environment you want to pre-approve, click the Row Actions button, then click Pre-Approval Key Usage.

  5. Complete the Pre-Approval Key Usage modal according to the following guidelines:

    • In the Key User field, enter one or more key users for whom this pre-approval will be valid. Only those who have the Key User role on the Project itself are eligible.

    • In the Validity section, select whether this pre-approval is just for a single key use, or whether it's for unlimited key use.

    • (Optional) In the Not Valid Before field, select a date and time when this pre-approval should begin.

    • In the Valid Until field, select a date and time when this pre-approval should expire.

    • Enter a Justification for this pre-approval action.
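
Because a granted pre-approval cannot be edited or canceled, the values are worth checking before they are submitted. The following Python is an added example, not CodeSign Protect code and not the AddPreApproval request schema: the field names mirror the modal's fields but are hypothetical, and the roster and policy limits (7 days for single use, 24 hours for unlimited use, a 20-character justification) are assumed local policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
# Local review policy (assumed values, not product defaults).
MAX_WINDOW_SINGLE = timedelta(days=7)
MAX_WINDOW_UNLIMITED = timedelta(hours=24)
MIN_JUSTIFICATION_CHARS = 20

@dataclass
class PreApproval:
    """Mirrors the modal's fields; names are hypothetical, not API parameters."""
    key_users: List[str]
    unlimited: bool                      # Validity: False = single key use
    valid_until: datetime
    justification: str
    not_valid_before: Optional[datetime] = None

def review(req: PreApproval, project_key_users: set, now: datetime) -> List[str]:
    """Return findings to resolve before submitting; an empty list means OK."""
    findings = []
    start = req.not_valid_before or now   # no start given: valid from now
    if not req.key_users:
        findings.append("no key user named")
    for user in req.key_users:
        if user not in project_key_users:  # must hold Key User on the Project
            findings.append(f"{user}: not a Key User on the Project")
    if req.valid_until <= now:
        findings.append("Valid Until is already in the past")
    elif req.valid_until <= start:
        findings.append("Valid Until is not after Not Valid Before")
    else:
        # Unlimited key use gets the tighter window, since it cannot be revoked.
        limit = MAX_WINDOW_UNLIMITED if req.unlimited else MAX_WINDOW_SINGLE
        if req.valid_until - start > limit:
            findings.append(f"validity window exceeds {limit}")
    if len(req.justification.strip()) < MIN_JUSTIFICATION_CHARS:
        findings.append("justification too short to audit later")
    return findings

# Constructed sample data (not taken from any real Project).
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
ROSTER = {"alice", "bob"}
RISKY = PreApproval(["alice", "carol"], True, NOW + timedelta(days=30), "release")
SCOPED = PreApproval(["bob"], False, NOW + timedelta(hours=10),
                     "Signing the 4.2.1 hotfix installer during change window",
                     not_valid_before=NOW + timedelta(hours=8))

if __name__ == "__main__":
    for name, req in (("RISKY", RISKY), ("SCOPED", SCOPED)):
        print(name, review(req, ROSTER, NOW) or "ok")
```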