Understanding user and service account signing

Code Sign Manager - SaaS supports two ways to authenticate the Code Sign Client:

  • User-based authentication using an individual user’s API key.
  • Service account authentication using a client ID and a key pair.

The signing behavior on the client is the same in both cases. The difference is which identity the Code Sign Client represents and how that identity authenticates to Code Sign Manager - SaaS.

User-based authentication

Use user-based authentication when the Code Sign Client should act on behalf of a specific person, referred to as the Authorized Signer. The Authorized Signer can be any Certificate Manager - SaaS user.

Typical scenarios include:

  • Developers, release engineers, or operators who run signing tools from their own machines.
  • Automated jobs that you still want to associate with a particular user’s identity.

In this model:

  • The user authenticates the Code Sign Client with their API key.
  • The user is added as an Authorized Signer on one or more Projects.
  • The Code Sign Client can use only the Signing Keys that the user is authorized to access.

Service account authentication

Use service account authentication when the Code Sign Client should represent a machine or system rather than a person.

Typical scenarios include:

  • CI/CD pipelines and build servers.
  • Shared signing infrastructure used by multiple teams.
  • Environments where you do not want signing to depend on a user’s account or API key.

In this model:

  • You create a service account in Certificate Manager - SaaS and associate it with a Team.
  • You generate a key pair. The private key stays on the client; only the public key is registered in Certificate Manager - SaaS.
  • The Code Sign Client authenticates using the service account client ID and key pair.
  • The service account is assigned as an Authorized Signer on one or more Projects.

Choosing a model

In many environments, you will use both approaches:

  • Use user-based authentication when you want signing activity tied directly to a specific person’s identity.
  • Use service account authentication when you need long-lived, machine-based credentials for automated systems.

If you are just getting started, you can:

  • Begin with user-based authentication to learn how Code Sign Manager - SaaS manages Projects and Signing Keys.
  • Add service accounts when you are ready to integrate signing into build servers or CI/CD pipelines.

What's next

After choosing the signing workflow that fits your environment, review Roles and permissions to understand the access required for administrators, users, and service accounts.

If you're ready to begin configuration or follow a tutorial, go to the Getting started section.