SignPath aims to turn code signing into a controlled and repeatable process that aligns the needs of both development teams and InfoSec people.
While practices, tools and services for code signing usually focus on certificate management, there are also important process requirements. There are many recommendations, but they are hard and expensive to implement. SignPath addresses code signing from a process perspective. Our topmost priority is to make it easy to set up a code signing process that just works for development teams and is secure and auditable at the same time.
There is often a conflict of interests: development teams need to be responsive and productive and want InfoSec to get out of the way. On the other hand, InfoSec is responsible for minimizing the considerable risk associated with code signing and therefore needs to get control over the process.
| Developer priorities | InfoSec priorities |
|---|---|
SignPath provides a simple model that meets the requirements of both parties. It’s easy to set up and does not interfere with development processes, while at the same time providing full control for the InfoSec team.
Setting up SignPath
| Step | Role | Description |
|---|---|---|
| Create an organization | InfoSec | Register for a free trial (paid subscriptions coming soon) |
| Create or import certificates | InfoSec | You will need at least two certificates (for test- and release-signing), but may choose to get different certificates for each product, customer, etc. |
| Create projects | Development | Identify projects that need to be signed, restrict their content and define which elements need signing. |
| Create signing policies | InfoSec | For each project |
| Integrate into CI builds | Development | Use our PowerShell module or call our API for automatically submitting signing requests to SignPath. See Build system integration |
See Key concepts for details about projects and signing policies.
Note that currently, all setup steps have to be performed using the Administrator role. This role might be assigned to InfoSec staff only, or shared with dedicated people from the development teams. If you aim for the highest security, we recommend giving this role only to InfoSec people and having them work directly with the development teams.
There are two ways for submitting signing requests:
- Use the Web application to submit artifacts for signing
  - Go to the application dashboard
  - Select a project and signing policy
  - Upload a file
- Use the PowerShell module or call our API
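The CI integration from the setup table and the PowerShell submission path above, as an added example that is not SignPath's own code: the script submits a build artifact to a release-signing policy and then checks that the returned file really carries a valid signature from the expected release certificate before a publish step may use it. The cmdlet name `Submit-SigningRequest`, its parameters and the `SIGNPATH_API_TOKEN` variable are assumptions (the page names the module but no cmdlets); `Get-AuthenticodeSignature` is the built-in Windows PowerShell cmdlet.

```powershell
# Added example (not SignPath's own code): submit an artifact for release signing
# from a CI job, then verify the result before publishing.
# Assumed: the SignPath PowerShell module exposes Submit-SigningRequest with the
# parameters used below; the page itself names the module but no cmdlets.
param(
    [Parameter(Mandatory)] [string] $OrganizationId,
    [Parameter(Mandatory)] [string] $ProjectSlug,
    [Parameter(Mandatory)] [string] $SigningPolicySlug,   # the release-signing policy
    [Parameter(Mandatory)] [string] $InputArtifactPath,
    [Parameter(Mandatory)] [string] $OutputArtifactPath,
    # SHA-1 thumbprint of the release certificate InfoSec created or imported in SignPath.
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

# The API token is a secret: read it from the CI secret store, never from source.
$apiToken = $env:SIGNPATH_API_TOKEN
if ([string]::IsNullOrWhiteSpace($apiToken)) { throw 'SIGNPATH_API_TOKEN is not set' }

Import-Module SignPath

# Submit and block until the request completes (or an approver rejects it).
Submit-SigningRequest `
    -ApiToken $apiToken `
    -OrganizationId $OrganizationId `
    -ProjectSlug $ProjectSlug `
    -SigningPolicySlug $SigningPolicySlug `
    -InputArtifactPath $InputArtifactPath `
    -OutputArtifactPath $OutputArtifactPath `
    -WaitForCompletion

# Do not trust the round trip blindly: the file must carry a valid signature from
# the intended release certificate, so a test-signed or unsigned artifact can
# never be picked up by the publish step.
$sig = Get-AuthenticodeSignature -FilePath $OutputArtifactPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
$actual = $sig.SignerCertificate.Thumbprint
if ($actual -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "Artifact was signed with unexpected certificate $actual"
}
Write-Host "Release-signed artifact verified: $OutputArtifactPath"
```

Run the script as the last step of the build job, after tests pass and before any publish or upload step, so that only an artifact signed by the expected release certificate can leave the pipeline.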
In any case, you will receive e-mail notifications for your request and be able to monitor them in the Web application.
For signing policies that require approval, each approver will receive an e-mail notification whenever an approval is requested. They can also review signing requests waiting for their approval in the Web application.
Administrators will be notified about important events. They can also use the Web application to see a full activity audit for each entity, including users, certificates, projects and policies, and signing requests.