Security Architecture

Security Model

The Code Signing platform enforces a layered security model based on:

Key trust boundaries include:

A compromise in one boundary does not imply compromise of signing keys.

This page summarizes pragmatic security controls and operational practices to protect code signing processes, keys, and artifacts.

Least privilege — grant only the minimal access required for human and machine identities.
Separation of duties — administrative privileges are not signing privileges; use approval/quorum workflows for production signings.
Key custody — keep private keys inside HSMs or managed KMS; avoid exporting private key material.
Immutable auditing — every signing action must be logged and tamper-evident.
Secure supply chain — ensure reproducible builds, SBOMs, and signed provenance attestation.

Keep signing keys inside FIPS‑validated HSMs (or managed KMS with equivalent guarantees).
Generate keys inside the HSM when possible; restrict key usage to signing only and set object attributes accordingly.
Use PKCS#11 / vendor APIs and enforce access controls (PINs, roles, ACLs).
Plan and test key rotation and vendor-supported backup/recovery procedures.

Use short-lived credentials for CI/CD (OIDC preferred) and rotate credentials frequently.
Use Role-Based Access Control (RBAC) and group-based approver lists for quorum signing flows.
Require multi-factor authentication for admin actions and protect approval UIs behind SSO.

Place HSMs on management-only networks with strict firewall rules.
Use mTLS for service-to-service communication and for agent proxies.
Protect public ingress with WAF rules and DDoS mitigation where public endpoints exist.

Prefer digest-based signing (sign artifact digest) to avoid signing unverified build outputs.
Use reproducible builds when possible. Record and sign build provenance (commit, builder, environment).
Use ephemeral ephemeral build runners or short-lived agents; do not store secrets in images or long-lived runners.
Gate production signing behind approvals and automated policy checks (artifact provenance, SBOM, vulnerability thresholds).

Emit structured, immutable audit logs: who requested signing, which key was used, policy applied, timestamp token included.
Export logs to a central SIEM and set alerts on unusual signing activity, HSM failures, or queue spikes.
Define an incident playbook for key compromise, including suspension of key usage, incident notification, and re-issuance.

Keep platform components up to date; subscribe to vendor security advisories.
Enforce secure TLS configurations (modern cipher suites, HTTP Strict Transport Security).
Limit runtimes to least-privilege users, disable interactive access on production worker nodes.
Regularly scan images/containers for vulnerabilities and enforce runtime policies.