
Core concepts

Code Sign Manager - SaaS uses several key concepts that work together to provide a secure, scalable code signing workflow. Understanding these concepts will help you navigate the product and complete the tasks in later sections.

Project

A Project is a logical container that groups signing keys and controls who is allowed to use them. Projects help you organize signing activities by application, team, environment, or business unit. Each Signing Key belongs to exactly one Project.

Signing Key

A Signing Key is a configuration object that defines the properties, lifecycle, and usage of a signing key pair stored in an HSM. The Signing Key specifies parameters such as algorithm, key size, and validity period, and it can optionally request a code signing certificate from a selected certificate authority.

When a Signing Key is created, Code Sign Manager - SaaS generates the actual cryptographic key pair inside the HSM. The private key never leaves the HSM and is never exposed to users or signing machines.

Authorized Signer

An Authorized Signer is an identity, either a human user or a service account, that is allowed to use a Signing Key for signing. A signer can access only the keys assigned to them through the Project. Users authenticate with an API key. Service accounts authenticate using a private key generated on the signing machine.

Code Sign Client

The Code Sign Client is a lightweight tool installed on the signing machine. It retrieves signing key references from Code Sign Manager - SaaS and makes them available for integration with signing applications on the signing machine. The client ensures that private keys remain in the HSM while still enabling fast, reliable signing.

Signing machine

A signing machine is any workstation or CI system that runs the Code Sign Client and performs signing operations. Signing machines never store private keys; they only hold authentication material such as an API key (for users) or an authentication key pair (for service accounts).

Teams

Teams allow administrators to group users and service accounts under a shared ownership and permission model. When a service account belongs to a Team, the Team controls who can view, manage, or rotate its credentials.

Service accounts

Service accounts are non-interactive identities used by automated systems such as build servers or CI pipelines. They authenticate using a key pair generated on the signing machine and can be assigned as Authorized Signers on a Project to enable automated signing workflows.

Certificate authorities

Code Sign Manager - SaaS supports both the Certificate Manager - SaaS built-in certificate authority and trusted public CAs. When a Signing Key is created, Code Sign Manager - SaaS issues a code signing certificate from the selected CA to pair with the key.

Next steps

Now that you understand the core building blocks of Code Sign Manager - SaaS, continue with the Solution overview to see how these components work together in the signing workflow.

If you already know how Code Sign Manager - SaaS operates and want to choose a signing model, see Understanding signing workflows.