Managing Signing Key access
Maintaining proper access to Signing Keys is essential for controlling how code signing is performed in your environment. Access is managed entirely at the Project level. Any user, team, or service account assigned as an Authorized Signer on a Project automatically inherits permission to use all Signing Keys associated with that project.
View Authorized Signers on a Project
- Sign in to Certificate Manager - SaaS.
- Click Configurations > Code Sign Projects.
- Select the Project you want to view.
- Open the Signing Key Properties tab.
The Authorized signers field lists all users, teams, and service accounts that can use the project’s Signing Keys.
Distinguishing between users, teams, and service accounts
When you click inside the Authorized signers field, the drop-down list shows icons identifying the Authorized Signer type:
| Icon | Type |
|---|---|
| | Individual user |
| | Team |
| | Service account |
| | Ineligible user |
Update Authorized Signers on a Project
You can update access in one of two ways:
Option 1: Add or remove a user, team, or service account directly
This is the most common workflow.
- To add a signer: Click inside the Authorized signers field and select a user, team, or service account.
- To remove a signer: Click the X on the pill representing that identity.
Option 2: Manage access through team membership
This applies when a team or a service account’s owning team is assigned as a signer.
Assigning a Team to a Project gives all members of that Team the ability to use the Signing Keys.
This means:
- If a user has signing access because they belong to a Team, removing them from the Project does not remove their access. You must remove them from the Team instead.
- Likewise, to add a new user who should inherit access from a Team, add them to the Team, not the Project.
- These rules also apply when a service account is assigned: its owning Team determines which human users can manage or rotate its credentials.
Note
Team membership can be managed directly in Certificate Manager - SaaS, or it may be controlled automatically through SSO group claims.
If SSO is enabled, your identity provider determines who belongs to each Team, which in turn controls signing permissions.
Summary: When to update the Project vs. the Team
Use this quick guide to determine where to make changes:
| Scenario | Update the Project? | Update the Team? |
|---|---|---|
| Add/remove an individual user as a signer | Yes | No |
| Add/remove a service account as a signer | Yes | No |
| Add/remove a Team as a signer | Yes | No |
| User inherits access through a Team | No | Yes |
| User inherits access through a Team assigned to a service account | No | Yes |
| Access based on SSO group membership | No | Yes (managed by IdP) |
To learn how to create or manage Teams, see Managing Teams.
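For an access review, the inheritance rules from Option 2 and the summary table can be modeled offline. The following is an added example, not code from Certificate Manager - SaaS: it uses no product API, and the data layout, user names, team names, and function names are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data for illustration; not exported from Certificate Manager - SaaS.
TEAMS = {"release-eng": {"alice", "bob"}, "build-infra": {"carol"}}
SERVICE_ACCOUNT_OWNER = {"ci-signer": "build-infra"}  # service account -> owning Team
PROJECT_SIGNERS = [  # entries in the Project's Authorized signers field
    ("user", "alice"),
    ("team", "release-eng"),
    ("service_account", "ci-signer"),
]


def access_paths(signers, teams, sa_owner):
    """Map each human user to [(how they reach the Signing Keys, where to change it)]."""
    paths = defaultdict(list)
    for kind, name in signers:
        if kind == "user":
            paths[name].append(("direct Authorized Signer", "Project"))
        elif kind == "team":
            for member in sorted(teams.get(name, ())):
                paths[member].append((f"member of Team {name}", "Team"))
        elif kind == "service_account":
            owner = sa_owner.get(name)
            # Owning Team members manage or rotate the service account's credentials.
            for member in sorted(teams.get(owner, ())):
                paths[member].append(
                    (f"manages credentials of {name} via Team {owner}", "Team"))
        else:
            raise ValueError(f"unknown signer type: {kind}")
    return dict(paths)


def residual_paths(user, signers, teams, sa_owner):
    """Paths still open after removing the user's pill from the Project."""
    remaining = [s for s in signers if s != ("user", user)]
    return access_paths(remaining, teams, sa_owner).get(user, [])


if __name__ == "__main__":
    all_paths = access_paths(PROJECT_SIGNERS, TEAMS, SERVICE_ACCOUNT_OWNER)
    for user, paths in sorted(all_paths.items()):
        for how, where in paths:
            print(f"{user}: {how} -> change in the {where}")
    print("alice after Project removal:",
          residual_paths("alice", PROJECT_SIGNERS, TEAMS, SERVICE_ACCOUNT_OWNER))
```

In this sample, alice keeps access through the release-eng Team after her direct assignment is removed, which is the case where the Team, not the Project, must be updated.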