Configure Code Signing Flows

The purpose of Code Signing Flows is to allow Code Signing Administrators to require approvals, checks, and actions before a key can be used to sign. You can open the Code Signing Flows interface by opening the Customer Flows node, and then clicking Add new Code Signing Flow in the Actions Panel.

The Actions Panel shows the actions that you can add to the flow.

  • The Insert Approval section includes the options to insert several types of approvals:

    • Standard approvals allow you to select either the Project Owner or the Project Key Use Approvers as approvers. These roles are set in the Code Signing Project configurations. See Add a Standard Approval step.

    • Fixed approvals are similar to Standard approvals, except that a named approver or group is identified rather than relying on the roles from the Code Signing Project. See Add a Fixed Approval Step.

    • Administrator approvals allow you to require approval from Code Signing Administrators and/or Master Admins. See Add an Administrator Approval step.

    When a Key User signs with a key that has a Code Signing Flow that requires approvals, an approval request will be sent to the approvers. Once the approvals are given, the Key User can then re-perform the signing.

  • The Insert Check section includes the option to add certain pre-signing checks that must be satisfied prior to the signing being performed.

    • Pre-Approval provides Code Signing Administrators the ability to approve the use of a code signing key prior to a code signing event. See Add a Pre-Approval check.

    • Pre-Qualified Signatures allows you to upload hashes to CodeSign Protect. For Environments that use this Flow, the hash of the code being signed must match a hash that has been uploaded to CodeSign Protect. See Add a Pre-Qualified Signature check.

  • The Insert Action section allows you to create custom log events to be associated with this Flow.

Code Signing Flows can be configured with any number and any mix actions. The pre-approval action can also be configured to disable any subsequent approval actions in the Flow, dependent upon successful pre-approval.

Set up Code Signing Flows

BEST PRACTICE  When an approval ticket is created, the Approvers are written to the ticket, and those Approvers are the only ones who can approve it.

Assigning groups as Approvers (rather than individuals) provides flexibility with who can approve the ticket. Group membership can be changed anytime. So if the Approvers are part of a group, and the group is assigned as the Approver, you then have the ability to manage the effective Approver list independent of the ticket itself.

In general, the more you can do with group assignments, the better.

  1. In Venafi Configuration Console, expand the Code Signing node.

  2. In the Custom Views node, click Add new Code Signing Flow in the Actions Panel.

  3. Give the new Flow a name, and then click Create. The name will be used as both the Flow name and as the name of the first step in the Flow. The new Flow is added to the Custom Flows node and the Code Signing Flow configuration screen opens.

    1. In the Flow Summary Panel, click the step that you want to precede your approval step. For example, if you want to add a step after the "Approval 1" step, then click Approval 1.
    2. In the Actions Panel, click Standard. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
    3. (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.

    4. From the Attribute drop-down, do one of the following:

      • Select either Key Use Approver or Owner, depending on which role you want to assign this approval step to.
      • Type in the Attribute value manually.

    5. Select the Required number of Approvers that must approve in order for this approval step to be complete.

      EXAMPLE  If you selected three approvers, or if you selected a group that has three members, and you want any two of those three to have to approve this request, then select 2.

    6. If you want to check to see if there is a policy setting for the Attribute value when this step is executed, check Use policy when reading attributes. If the Attribute value is set on the policy, it will use what is set on the policy rather than what is set on the object.
    7. Click OK.
    1. In the Flow Summary Panel, click the step that you want to precede your approval step. For example, if you want to add a step after the "Approval 1" step, then click Approval 1.
    2. In the Actions Panel, click Fixed. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
    3. (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.
    4. Click the Approvers drop-down, and then search for the individuals or groups that you want to add as approvers. Use the arrow button to move the approvers from the Results box to the Selected box. Click Close. The approvers are added to the Approvers field.

    5. Select the Required number of Approvers that must approve in order for this approval step to be complete.

      EXAMPLE  If you selected three approvers, or if you selected a group that has three members, and you want any two of those three to have to approve this request, then select 2.

    6. Click OK.
    1. In the Flow Summary Panel, click the step that you want to precede your approval step. For example, if you want to add a step after the "Approval 1" step, then click Approval 1.
    2. In the Actions Panel, click Administrator. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
    3. (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.
    4. From the Who Approves drop-down, select which types of administrators can approve.

    5. Select the Required number of Approvers that must approve in order for this approval step to be complete.

      EXAMPLE  If you selected three approvers, or if you selected a group that has three members, and you want any two of those three to have to approve this request, then select 2.

    6. Click OK.

    1. In the Flow Summary Panel, click the step that should precede the Pre-Approval action.
    2. In the Actions Panel, click Add Pre-Approval action. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
    3. (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.
    4. If you want to the flow to disable any subsequent approval actions in this flow, click either Skip all approval stages, or select specific stages from the Skipped Stages drop-down and add them.
    5. Click OK.

    To apply the pre-approval, either call the AddPreApproval API or use the web user interface.

    1. In the Flow Summary Panel, click the step that should precede the Pre-Qualified Signature check.
    2. In the Actions Panel, click Pre-Qualified Signature. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
    3. (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.

    To apply pre-qualified signatures, see POST Flow/Actions/CodeSign/PreQualify/Create.

Edit an approval step

Click the step you want to edit, and from the Actions Panel, click Properties.

Delete an approval step

Click any step after the first step, and from the Actions Panel, click Delete.

Delete an entire Flow

  1. Unassign the Flow from any Environment Templates that use the Flow. Flows that are in use cannot be deleted. See Edit existing Environment Templates.
  2. In the Flow Summary Panel, click the first step. In the Actions Panel, click Delete.