Setting up GPG clients
Using Code Sign Manager - Self-Hosted, GPG keys can be stored and protected in the Trust Protection Foundation secret store or on a connected HSM. Code Sign Manager - Self-Hosted presents those keys to code signing workstations as if they were on an HSM or Smart Card connected to the code signing workstation itself. Code Sign Manager - Self-Hosted accomplishes this by implementing the GnuPG SCDaemon protocol to emulate a Smart Card.
Any individual code signing workstation can have many GPG keys synced to it. All of the synced keys are available for GPG operations, and Code Sign Manager - Self-Hosted seamlessly switches between them based on the key used in the operation. If new keys are made available to the user in Code Sign Manager - Self-Hosted, they can be synced to the workstation. If keys are deleted or expired, they can no longer be used for GPG operations.
The private GPG keys themselves never leave the Trust Protection Foundation. When keys are synced to a code signing workstation, Code Sign Manager - Self-Hosted exports the public key with its signature and inserts it into the GPG keychain, together with a stub for the private key that identifies which emulated Smart Card to use for private-key operations.
The GPG architecture requires three separate keys: a signing key, an encryption key, and an authentication key. A Code Sign Manager - Self-Hosted GPG environment provides all three, and they are all fully functional.
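As an added example (not part of this documentation), the following POSIX shell check lets a Key User confirm that every secret key on the workstation is a card-backed stub and that no private key material is stored locally. It parses the machine-readable listing produced by `gpg --list-secret-keys --with-colons --with-secret`; the key IDs and card serial number in the sample are constructed, and the function names are this example's own.

```shell
# Added example; not code from Code Sign Manager - Self-Hosted.
# In sec/ssb records of `gpg --with-colons` output, field 15 holds the serial
# number of the token (real or emulated smart card) that holds the private key,
# '#' when only a stub is present, or '+' (with --with-secret) when the private
# key material is stored locally on this workstation.
classify_keys() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" || $1 == "ssb" {
            kid = $5; tok = $15
            if (tok == "#")      kind = "stub-no-card"
            else if (tok == "+") kind = "LOCAL-PRIVATE-KEY"
            else if (tok != "")  kind = "card:" tok
            else                 kind = "unknown"
            printf "%s %s %s\n", $1, kid, kind
        }'
}

# Returns 0 when no secret key record shows locally stored private key
# material, 1 otherwise.
no_local_private_keys() {
    ! classify_keys "$1" | grep -q 'LOCAL-PRIVATE-KEY'
}

# Constructed sample listing (key IDs, dates and serial number are made up):
# a signing key with encryption and authentication subkeys on one emulated
# card, then a key with local secret material and a stub with no card.
SAMPLE='sec:u:3072:1:0123456789ABCDEF:1700000000:::u:::scESC:::D2760001240100000000000000010000::23::0:
ssb:u:3072:1:FEDCBA9876543210:1700000000::::::e:::D2760001240100000000000000010000::23:
ssb:u:3072:1:1122334455667788:1700000000::::::a:::D2760001240100000000000000010000::23:
sec:u:3072:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:::+::23::0:
sec:u:3072:1:BBBBBBBBBBBBBBBB:1700000000:::u:::scESC:::#::23::0:'

# Against a live workstation, replace "$SAMPLE" with:
#   "$(gpg --list-secret-keys --with-colons --with-secret)"
classify_keys "$SAMPLE"
if no_local_private_keys "$SAMPLE"; then
    echo "OK: all secret keys are card-backed or stubs"
else
    echo "WARNING: locally stored private key material found"
fi
```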
Steps to set up GPG
- A Code Signing Administrator sets up a GPG Environment Template. See Create Environment Templates.
- A Project Owner creates a Project with a GPG Environment or adds a GPG Environment to an existing Project. See Creating Code Sign Manager - Self-Hosted Projects.
- The Code Sign Manager - Self-Hosted client is installed on the code signing workstation. This installation can be done by the Key User or by an IT administrator. See Install Code Sign Clients on signing workstations.
- The Key User syncs available GPG keys to the code signing workstation and can use the keys to sign. See Configuring GPG clients with single key Environments.
NOTE This documentation gives instructions on how to configure GPG to use keys protected by Trust Protection Foundation. Familiarity with GPG concepts and commands is expected. For more information about GPG itself, see gnupg.org.