Architecture Overview
The QCecuring Code Signing Platform is a modern, scalable system designed for enterprise environments. It combines digest-based signing, asynchronous processing, multi-HSM support, and strong policy enforcement to deliver secure code signing without exposing private keys or requiring full file uploads.
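The digest-based flow described above, as an added Go example that is not QCecuring's code or API: the client hashes the artifact locally, only the 32-byte digest reaches the signer, and a verifier later checks the signature against the full file. The `Signer` type, the function names, the ECDSA P-256 key and the length-only policy check are assumptions for illustration; an in-memory key stands in for the HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signer stands in for the worker + HSM side: it holds the private key and
// only ever receives a digest. Hypothetical type, not the platform's API.
type Signer struct{ key *ecdsa.PrivateKey }

func NewSigner() (*Signer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Signer{key: k}, err
}

// SignDigest applies a minimal policy (SHA-256 length) before signing.
func (s *Signer) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("policy: digest must be 32 bytes (SHA-256)")
	}
	return ecdsa.SignASN1(rand.Reader, s.key, digest)
}

// ClientSign hashes the artifact locally; only the digest reaches the signer.
func ClientSign(s *Signer, artifact []byte) ([]byte, error) {
	d := sha256.Sum256(artifact)
	return s.SignDigest(d[:])
}

// Verify recomputes the digest from the full artifact and checks the signature.
func Verify(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	s, _ := NewSigner()
	artifact := []byte("constructed sample artifact") // constructed input
	sig, _ := ClientSign(s, artifact)
	fmt.Println("valid:", Verify(&s.key.PublicKey, artifact, sig))
	fmt.Println("tampered:", Verify(&s.key.PublicKey, []byte("tampered artifact"), sig))
	_, err := s.SignDigest(artifact) // full file instead of a digest is refused
	fmt.Println("policy:", err)
}
```

Because the signer sees only a hash and cannot inspect what it is signing, the authorization decision has to rest on who is asking and which key they may use, which is where the policy and audit-log components carry the weight.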
High-Level Architecture
```mermaid
graph TD
    A["Client<br>(Jarsigner, Signtool, CI/CD)"] -->|HTTPS / mTLS| B["REST API Layer<br>(Spring Boot)"]
    B -->|Enqueue Job| C["Job Queue<br>(RabbitMQ)"]
    C -->|Process| D[Worker Service]
    D -->|Sign Digest| E["HSM Abstraction Layer<br>(PKCS#11, AWS KMS, Azure Key Vault, GCP KMS)"]
    B -->|Store / Retrieve| F["MongoDB<br>(Keys, Certificates, Policies, Audit Logs)"]
    D -->|Store Logs / Status| F
    E -->|"Timestamp (optional)"| G["External TSA<br>(RFC 3161)"]
```