Setting up GPG clients

Using CodeSign Protect, GPG keys can be stored and protected in the Trust Protection Platform secret store or on a connected HSM. CodeSign Protect presents those keys to code signing workstations as if they were on an HSM or Smart Card connected to the code signing workstation itself. CodeSign Protect accomplishes this by implementing the GnuPG SCDaemon protocol to emulate a Smart Card.

Any individual code signing workstation can have many GPG keys synced to it. All of the synced keys are available for GPG operations, and CodeSign Protect seamlessly switches between them based on the key used in the operation. If new keys are made available to the user in CodeSign Protect, they can be synced to the workstation. If keys are deleted or expired, they can no longer be used for GPG operations.

The private GPG keys themselves never leave the Trust Protection Platform. When keys are synced to a code signing workstation, CodeSign Protect exports the public key, with its signature, into the GPG keychain, along with a stub for the private key that identifies which emulated Smart Card to use whenever the private key is needed.

The GPG architecture requires three separate keys: a signing key, an encryption key, and an authentication key. A CodeSign Protect GPG environment provides all three, and they are all fully functional.
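As an added illustration of the stub-based layout described above (example code written for this page, not part of CodeSign Protect or GnuPG): the script parses the machine-readable output of `gpg --list-secret-keys --with-colons` and reports whether every secret key on a workstation is a card-backed stub rather than locally stored key material, and whether the signing, encryption and authentication capabilities are all present. The sample output is constructed; the token serial number and key IDs are placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample of `gpg --list-secret-keys --with-colons` output (two keys).
# In sec/ssb records, field 15 (index 14) is the token serial number: a serial
# means the private key is on a (possibly emulated) smart card, "#" means a stub
# with no card behind it, and an empty field means the secret material is local.
SAMPLE = """\
sec:u:4096:1:0123456789ABCDEF:1700000000::::::scESC:::D2760001240102000006000000010000:
uid:u::::1700000000::HASH::Release Engineering <release@example.com>:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::e:::D2760001240102000006000000010000:
ssb:u:4096:1:1122334455667788:1700000000::::::a:::D2760001240102000006000000010000:
sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000::::::scESC::::
uid:u::::1700000000::HASH::Local Test Key <test@example.com>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e:::#:
"""


@dataclass
class KeyReport:
    keyid: str
    uid: str = ""
    caps: set = field(default_factory=set)             # own capabilities of sec/ssb
    local_secret: list = field(default_factory=list)   # key IDs stored on disk
    dangling_stub: list = field(default_factory=list)  # stubs with no card ("#")

    @property
    def card_backed(self) -> bool:
        return not self.local_secret and not self.dangling_stub

    @property
    def complete(self) -> bool:
        # The three-key layout described above: signing, encryption, authentication.
        return self.caps >= {"s", "e", "a"}


def parse_secret_keys(colons_output: str) -> list:
    """Group sec/ssb/uid records of --with-colons output per primary key."""
    reports, current = [], None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            current = KeyReport(keyid=f[4])
            reports.append(current)
        if current is None:
            continue
        if f[0] == "uid" and not current.uid:
            current.uid = f[9]
        elif f[0] in ("sec", "ssb"):
            token = f[14] if len(f) > 14 else ""
            current.caps.update(c for c in f[11] if c in "sea")
            if token == "#":
                current.dangling_stub.append(f[4])
            elif token in ("", "+"):
                current.local_secret.append(f[4])
    return reports


def workstation_ok(colons_output: str) -> bool:
    """True only if every secret key is card-backed and exposes s, e and a."""
    return all(r.card_backed and r.complete for r in parse_secret_keys(colons_output))
```

On a real workstation, feed the script the output of `gpg --list-secret-keys --with-colons` instead of SAMPLE; any key reported under local_secret contradicts the design above and deserves investigation.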

Steps to set up GPG

  1. A Code Signing Administrator sets up a GPG Environment Template. See Create Environment Templates.
  2. A Project Owner creates a Project with a GPG Environment or adds a GPG Environment to an existing Project. See Creating CodeSign Protect Projects.
  3. The CodeSign Protect client is installed on the code signing workstation. This installation can be done by the Key User or by an IT administrator. See Install CodeSign Protect Clients on signing workstations.
  4. The Key User syncs available GPG keys to the code signing workstation and can use the keys to sign. See Configuring GPG clients with single key Environments.

NOTE  This documentation gives instructions on how to configure GPG to use keys protected by Trust Protection Platform. Familiarity with GPG concepts and commands is expected. For more information about GPG itself, see gnupg.org.