Skip to content
QCecuring

Agents

Agents

Section titled “Agents”

The Agents section provides centralized visibility and control over all distributed signing agents connected to the platform.

Agents Inventory

Overview

Section titled “Overview”

Agents are lightweight components installed on developer machines or build servers that:

  • Perform local signing operations
  • Communicate securely with the platform via mTLS
  • Enforce centralized policy controls
  • Maintain real-time heartbeat connectivity

Agents enable secure distributed signing without exposing private keys.

Agent Inventory

Section titled “Agent Inventory”

Each agent entry displays:

  • Agent ID – Unique identifier
  • Hostname – Machine where agent is installed
  • Mode – Attended / Unattended
  • Status – Active or Offline
  • Trust State – Pending / Trusted
  • Last Seen – Most recent heartbeat timestamp
  • Capabilities – Supported tools (e.g., Jarsigner, Signtool)
  • Actions – Manage agent configuration

Agent Modes

Section titled “Agent Modes”

Attended

Section titled “Attended”
  • Runs interactively
  • Suitable for developer workstations
  • Requires user context

Unattended

Section titled “Unattended”
  • Runs as a background service
  • Designed for CI/CD pipelines
  • Fully automated signing

Trust Model

Section titled “Trust Model”

Pending

Section titled “Pending”

Agent registered but not yet trusted.

Trusted

Section titled “Trusted”

Agent approved for signing operations.

Trust state ensures only verified endpoints can perform signing.

Heartbeat Monitoring

Section titled “Heartbeat Monitoring”

Agents periodically send heartbeat signals to the platform:

  • Confirms connectivity
  • Reports health status
  • Updates capability metadata
  • Detects offline systems

If no heartbeat is received within threshold, the agent is marked offline.

Secure Signing Flow

Section titled “Secure Signing Flow”
  1. File digest (SHA-256) computed locally
  2. Digest sent to platform
  3. Platform evaluates policies
  4. HSM signs digest
  5. Signature returned to agent
  6. Agent applies signature locally

Files never leave the local environment.

Agent Registration

Section titled “Agent Registration”

To register a new agent:

  1. Install agent package
  2. Configure platform URL and certificates
  3. Establish mTLS connection
  4. Agent registers automatically
  5. Administrator reviews trust state

Governance & Security

Section titled “Governance & Security”

Agents provide:

  • Distributed signing scalability
  • Centralized policy enforcement
  • mTLS-secured communication
  • Zero file transmission architecture
  • Full audit traceability