
Code-signing Quickstart

This quickstart helps you:

  • Deploy a minimal Code Signing setup
  • Perform a successful signing operation
  • Verify the generated signature

This guide is intended for:

  • DevOps engineers
  • Platform engineers
  • Security teams evaluating the system

⚠️ This quickstart uses a non-production setup.
For enterprise deployments, follow the On-Prem or HSM-backed installation guides.


Before you begin, make sure you have:

  • Linux system (local VM or server)
  • Java 17 or later
  • Docker installed (for quick evaluation)
  • A sample artifact to sign (JAR, EXE, or binary)

Signing flow:

Artifact → Signing Request → Code Signing API → Signing Engine → Key Store → Signed Artifact → Verification

Step 1: Start the Code Signing Service

Start the signing service using Docker:

```bash
docker run -d \
  --name qcecuring-code-signing \
  -p 8080:8080 \
  qcecuring/code-signing:latest
```

Two things to keep in mind even for an evaluation: `-p 8080:8080` publishes the API on every interface of the host, so on a shared machine use `-p 127.0.0.1:8080:8080` to keep it loopback-only; and `latest` is a moving tag, so pin a specific version or image digest if the evaluation needs to be reproducible.
Verify the service is running:

```bash
curl http://localhost:8080/health
```

Expected response:

```json
{ "status": "UP" }
```

The container can take a few seconds to start. If the request fails or the status is not `UP`, wait and retry before continuing.

Step 2: Configure a Signing Key (Evaluation Only)

Create a temporary signing key using the software keystore:

```bash
qcs-cli key create \
  --name demo-signing-key \
  --type software
```

⚠️ Software keys are not recommended for production use: the private key material lives in the service's software keystore rather than in an HSM. For production, follow the HSM-backed installation guide.

Step 3: Sign an Artifact

Sign a sample artifact:

```bash
qcs-cli sign \
  --key demo-signing-key \
  --input app.jar \
  --output app-signed.jar
```

What happens internally:

  • Request validation
  • Policy enforcement
  • Signing inside the protected boundary: the caller submits the artifact and receives a signature; the private key stays inside the boundary
  • Audit log generation

Step 4: Verify the Signature

Verify the signed artifact:

```bash
qcs-cli verify \
  --input app-signed.jar
```

Expected output:

```text
Signature valid
Certificate chain trusted
```

Both lines matter. "Signature valid" only shows that the artifact is unchanged since it was signed; "Certificate chain trusted" is what ties that signature to a signer you trust. Treat the absence of either line as a failed verification.

Step 5: Review Audit Logs

View recent signing activity:

```bash
qcs-cli audit list --limit 5
```

This confirms:

  • Who initiated the signing
  • Which key was used
  • When the operation occurred

Check that the sign operation from Step 3 appears with the expected principal and key before treating the evaluation as complete.
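The five steps above as one scripted run, added here as an example; it is not part of the product's documentation or tooling. It assumes the qcs-cli subcommands and flags exactly as shown in this quickstart, that Docker, curl and the JDK 17 `jar`/`jarsigner` tools are on PATH, and that the service emits a standard JAR signature so that `jarsigner` can check the output independently of the vendor's own verifier. The environment variables QCS_IMAGE, QCS_PORT, QCS_KEY and QCS_RUN are this script's own. It goes slightly beyond the text: it polls the health endpoint rather than assuming the container is ready, binds the service to loopback, and adds the independent verification step.

```shell
#!/bin/sh
# Added end-to-end evaluation script; not part of the product documentation.
# Assumptions: the qcs-cli subcommands and flags are exactly those shown in the
# quickstart, Docker and curl are on PATH, and the JDK 17 `jar`/`jarsigner`
# tools are available (prerequisite: Java 17 or later).
set -eu

IMAGE="${QCS_IMAGE:-qcecuring/code-signing:latest}"   # pin a digest for reproducible runs
PORT="${QCS_PORT:-8080}"
KEY_NAME="${QCS_KEY:-demo-signing-key}"
CONTAINER="qcecuring-code-signing"

# Return 0 only when a /health body reports status "UP". Any other body,
# including the empty string curl yields on a refused connection, returns 1.
health_is_up() {
  printf '%s' "$1" | tr -d ' \n\t\r' | grep -q '"status":"UP"'
}

# Poll /health once per second instead of assuming the container is ready
# the moment `docker run -d` returns.
wait_for_service() {
  tries="${1:-30}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    body="$(curl -fsS "http://127.0.0.1:${PORT}/health" 2>/dev/null || true)"
    if health_is_up "$body"; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  echo "service did not report UP within ${tries}s" >&2
  return 1
}

# Build a small sample JAR (constructed test input) when no artifact is supplied.
make_sample_jar() {
  out="$1"
  tmp="$(mktemp -d)"
  echo "hello" > "$tmp/hello.txt"
  jar --create --file "$out" -C "$tmp" hello.txt
  rm -rf "$tmp"
}

run_quickstart() {
  input="${1:-app.jar}"
  output="${2:-app-signed.jar}"

  # Step 1: start the service, published on loopback only.
  docker rm -f "$CONTAINER" >/dev/null 2>&1 || true
  docker run -d --name "$CONTAINER" -p "127.0.0.1:${PORT}:8080" "$IMAGE" >/dev/null
  wait_for_service 30

  [ -f "$input" ] || make_sample_jar "$input"

  # Steps 2-4: evaluation key, sign, verify (flags as documented in the quickstart).
  qcs-cli key create --name "$KEY_NAME" --type software
  qcs-cli sign --key "$KEY_NAME" --input "$input" --output "$output"
  qcs-cli verify --input "$output"

  # Independent check with a tool the signing vendor does not control. This
  # assumes the service emits a standard JAR signature; jarsigner verifies the
  # signature over the JAR entries and prints the signer certificate chain.
  jarsigner -verify -certs "$output"

  # Step 5: confirm the operation shows up in the audit trail.
  qcs-cli audit list --limit 5
}

# Set QCS_RUN=1 to execute the whole flow; otherwise the file only defines
# functions so they can be sourced or tested separately.
if [ "${QCS_RUN:-0}" = "1" ]; then
  run_quickstart "$@"
fi
```

Run it as `QCS_RUN=1 sh quickstart.sh app.jar app-signed.jar`. The `jarsigner` line is the one worth keeping in any real evaluation: a vendor's verifier agreeing with its own signer tells you little, while an independent parser accepting the same artifact does.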