
Code Sign Manager - SaaS overview

Code Sign Manager - SaaS provides a secure, cloud-based architecture for generating, storing, and using code signing keys. The platform keeps private keys in an HSM at all times while still enabling users and automated systems to perform signing operations. The following overview describes how the main components interact during the code signing lifecycle.

Sequence diagram

This diagram summarizes the high-level flow of Code Sign Manager - SaaS. The text below explains each step in detail.


sequenceDiagram
    participant Admin as Administrator (UI)
    participant CSM as Code Sign Manager - SaaS
    participant HSM as HSM
    participant CA as Certificate Authority
    participant Client as Code Sign Client
    participant File as File to sign

    Admin->>CSM: Create Project, Signing Key,<br/>and service account
    CSM->>HSM: Generate key in HSM
    CSM->>CA: Request certificate
    CA-->>CSM: Issue certificate

    Client->>CSM: Authenticate (API key or service account)
    Client->>CSM: List available Signing Keys

    File->>Client: File ready to sign
    Client->>CSM: Request signing
    CSM->>HSM: Sign digest
    HSM-->>CSM: Signature
    CSM-->>Client: Return signature
    Client-->>File: Write signature

    CSM-->>CSM: Record event & usage

1. Administrators configure the signing environment

Administrators create a Project to organize signing activities and define which identities can use a key. Each project can contain one or more Signing Keys. When a key is created, Code Sign Manager - SaaS generates it inside an HSM and (optionally) issues a matching code signing certificate from the selected certificate authority.

If you plan to obtain a certificate from a public certificate authority, you must configure a certificate authority connector in Certificate Manager - SaaS before creating a Signing Key.

Note

Code Sign Manager - SaaS includes a Built-in CA that requires no configuration, but certificates issued by the Built-in CA are not implicitly trusted by browsers or operating systems. You can also choose None when creating a Signing Key if you only need a key pair and not a certificate.

Administrators then assign one or more Authorized Signers to the Project, either individual users or service accounts, depending on the workflow.

2. Signers authenticate to Code Sign Manager - SaaS

Authorized Signers authenticate using the Code Sign Client:

  • Users authenticate with an API key tied to their account.
  • Service accounts authenticate with a key pair generated locally on the signing machine.

Authentication gives the Code Sign Client temporary, least-privilege access to the Signing Keys assigned to the signer.

3. The Code Sign Client identifies which keys the signer can use

After authentication, the Code Sign Client connects to Code Sign Manager - SaaS to determine which Signing Keys are assigned to the signer. The private keys remain in the HSM at all times. The client does not download or store them. Instead, the client requests signing operations through Code Sign Manager - SaaS, which performs the signing inside the HSM and returns the result.

No private key material is ever sent to the signing machine.

4. Signing occurs on the signing machine

The signer (user or automated system) chooses a file to sign on the signing machine. The Code Sign Client computes a digest locally, sends the digest to Code Sign Manager - SaaS, and Code Sign Manager - SaaS instructs the HSM to sign it using the selected Signing Key. The resulting signature is returned to the signing machine and written to disk.

This design ensures that:

  • Private keys remain in the HSM.
  • Signing workloads run close to source files.
  • Automated systems do not need to manage private key storage.

5. Code Sign Manager - SaaS tracks and logs all signing activity

Every signing operation generates event records and updates usage counters within Certificate Manager - SaaS. Administrators can view:

  • Which Signing Key was used
  • Which Authorized Signer performed the operation
  • When the signing occurred
  • Whether it succeeded

These audit features help organizations maintain compliance and track operational usage over time.
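The digest-only exchange of steps 3 to 5 as a small Go model, added here as an illustration and not code from Code Sign Manager - SaaS or its client: the SigningService type, the key and signer names, and the audit record layout are assumptions. The client hashes locally and sends only the digest; the service signs with a key that never leaves it, refuses signers who are not assigned to the key, and records an event for every request, refused ones included.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// SigningEvent is the constructed audit record kept for every signing request (step 5).
type SigningEvent struct{ KeyID, Signer string; At time.Time; OK bool }

// SigningService is a hypothetical stand-in for Code Sign Manager - SaaS plus its HSM:
// private keys live only inside it and are never returned to callers.
type SigningService struct {
	keys   map[string]*ecdsa.PrivateKey // keyID -> private key held "in the HSM"
	access map[string]string            // signer -> keyID assigned to them (simplified: one key each)
	Events []SigningEvent
}

func NewSigningService() *SigningService { return &SigningService{keys: map[string]*ecdsa.PrivateKey{}, access: map[string]string{}} }

// CreateKey generates a key pair "in the HSM", assigns signer as its Authorized Signer (step 1) and returns only the public half.
func (s *SigningService) CreateKey(keyID, signer string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[keyID], s.access[signer] = priv, keyID
	return &priv.PublicKey, nil
}

// SignDigest accepts only a SHA-256 digest (never the file), checks the signer's assignment, signs "in the HSM" and records an event even when it refuses.
func (s *SigningService) SignDigest(signer, keyID string, digest []byte) ([]byte, error) {
	ok := s.access[signer] == keyID && len(digest) == sha256.Size
	s.Events = append(s.Events, SigningEvent{KeyID: keyID, Signer: signer, At: time.Now(), OK: ok})
	if !ok {
		return nil, errors.New("signer not assigned to key, or digest is not SHA-256")
	}
	return ecdsa.SignASN1(rand.Reader, s.keys[keyID], digest)
}

// SignFile is the client side of step 4: hash the file locally and send only the digest.
func SignFile(svc *SigningService, signer, keyID string, file []byte) ([]byte, error) {
	d := sha256.Sum256(file)
	return svc.SignDigest(signer, keyID, d[:])
}
```

A consumer of the signed file verifies it with the public key from the certificate, exactly as it would with a locally held key; nothing in the exchange reveals the private key.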

6. Keys and certificates remain centrally managed

Because all Signing Keys are stored and managed in Code Sign Manager - SaaS:

  • Keys can be renewed, rotated, or disabled without modifying signing machines.
  • Signer access can be changed centrally.
  • Certificates can be reissued or updated without distributing new private keys.

This centralized model keeps code signing operations secure, consistent, and easy to administer.

What's next

Next, explore how authentication works in Code Sign Manager - SaaS by reviewing signing workflows. This will help you decide whether to use user-based authentication, service accounts, or both in your environment.

If you already know which workflow you need, proceed to Roles and permissions to understand who can perform each task.