Embed Cryptographic Trust Across the Software Delivery Pipelines
Today’s software moves fast. Applications are built and deployed continuously across CI/CD pipelines, containers, Kubernetes clusters, and hybrid clouds. But while agility has accelerated, security hasn’t always kept up. Ensuring that the code reaching production is authentic, untampered, and truly from your team is critical. Code signing with digital certificates is the most effective way to attest the integrity of software, so keeping the code-signing keys secure is equally critical. Organizations must safeguard the private keys behind those certificates, yet many teams still store them in local files, on build servers, or in scripts, where they can be copied or misused.

This risk is compounded by the emerging threat of quantum computing, which could break the signing algorithms in common use today. While application code is often re-signed frequently, Operational Technology and IoT devices may remain in the field for 10+ years, making their long-lived signatures particularly hard to keep secure against quantum attacks. Without a robust, secure, and future-proof solution, the trust chain behind software integrity is at risk.
Solution
Fortanix Data Security Manager (DSM), a unified data security platform, protects the entire code signing lifecycle while supporting post-quantum cryptography (PQC) signing algorithms. Fortanix DSM brings together enterprise key management and a next-generation Hardware Security Module (HSM) with FIPS 140-2 Level 3 certification. DSM ensures signing keys never leave the HSM-backed enclave, remaining protected and isolated while developers and pipelines request signatures through APIs or integrations. DSM integrates seamlessly into modern DevOps workflows, whether signing Docker images in Kubernetes, releasing binaries through GitHub Actions, or producing validated firmware updates. PQC support ensures that both short-lived application code and long-lived device signatures remain secure against quantum-capable adversaries.
Key Capabilities
Key Management Service (KMS)
Simplifies the creation, use, and rotation of keys for code signing and other cryptographic tasks.
Logging and Audit Trails
Every key usage and management action is logged from the moment the key is generated.
RBAC and Quorum Approvals
Prevents a single person from having excessive control over keys.
Attestation Logs
Verifies that private keys were generated inside a Level 3 HSM; the attestation can be shared with a Certificate Authority to assure key security.
Deployment Flexibility
Choose between on-prem deployment or fully managed SaaS.
High Availability & Disaster Recovery
A globally resilient SaaS deployment ensures your keys are always protected and accessible.
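The solution and capability descriptions above (keys that never leave the HSM boundary, signatures requested through an API, quorum approvals, and an audit trail that starts at key generation) can be modelled end to end in a small program. The following Go code is an added illustration written for this page; it is not Fortanix's or DSM's own code or API. A constructed EnclaveSigner type stands in for an HSM-held key: the private key sits in an unexported field and is never returned, callers only get the public key and signatures, a quorum of distinct approvers is enforced inside the signer before any signature is released, and every generation and signing request is recorded. A separate Verify function shows what a deployment gate or device bootloader does with the public key alone, and that any change to the artifact invalidates the signature. Ed25519 and SHA-256 from Go's standard library are used for illustration (the page's PQC algorithms are not shown); the key id, approver names and firmware bytes are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// AuditEntry is one record in the signer's audit trail: what was done, to which key,
// for which artifact, and on whose approval.
type AuditEntry struct {
	When      time.Time
	Action    string // "generate", "sign" or "sign-denied"
	KeyID     string
	Artifact  string
	Approvers []string
}

// EnclaveSigner is a constructed stand-in for an HSM-held signing key (not DSM's API).
// The private key is unexported and never leaves this type; only PublicKey, Sign and
// AuditTrail are exposed to callers.
type EnclaveSigner struct {
	keyID  string
	priv   ed25519.PrivateKey
	quorum int // distinct approvers required before a signature is released
	audit  []AuditEntry
}

// NewEnclaveSigner generates the key "inside" the signer and logs the generation event,
// so the audit trail starts the moment the key exists.
func NewEnclaveSigner(keyID string, quorum int) (*EnclaveSigner, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &EnclaveSigner{keyID: keyID, priv: priv, quorum: quorum}
	s.record("generate", "", nil)
	return s, nil
}

func (s *EnclaveSigner) record(action, artifact string, approvers []string) {
	s.audit = append(s.audit, AuditEntry{When: time.Now(), Action: action, KeyID: s.keyID,
		Artifact: artifact, Approvers: append([]string(nil), approvers...)})
}

// PublicKey is all a verifier (CI gate, admission controller, device bootloader) needs.
func (s *EnclaveSigner) PublicKey() ed25519.PublicKey {
	return s.priv.Public().(ed25519.PublicKey)
}

// Sign enforces the approval quorum, signs the SHA-256 digest of the artifact and logs
// the outcome. The same approver name repeated does not count twice.
func (s *EnclaveSigner) Sign(artifact string, content []byte, approvers []string) ([]byte, error) {
	distinct := map[string]bool{}
	for _, a := range approvers {
		distinct[a] = true
	}
	if len(distinct) < s.quorum {
		s.record("sign-denied", artifact, approvers)
		return nil, fmt.Errorf("quorum not met: %d of %d distinct approvals", len(distinct), s.quorum)
	}
	digest := sha256.Sum256(content)
	sig := ed25519.Sign(s.priv, digest[:])
	s.record("sign", artifact, approvers)
	return sig, nil
}

// AuditTrail returns a copy of every key-management and key-usage event so far.
func (s *EnclaveSigner) AuditTrail() []AuditEntry {
	return append([]AuditEntry(nil), s.audit...)
}

// Verify is the consumer side: recompute the digest and check the signature with the
// public key only. Any modification of the artifact makes this return false.
func Verify(pub ed25519.PublicKey, content, sig []byte) bool {
	digest := sha256.Sum256(content)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	signer, err := NewEnclaveSigner("release-signing-key", 2) // constructed key id
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image, build 42") // constructed sample artifact
	if _, err := signer.Sign("firmware.bin", firmware, []string{"alice"}); err != nil {
		fmt.Println("denied:", err)
	}
	sig, err := signer.Sign("firmware.bin", firmware, []string{"alice", "bob"})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact verifies:", Verify(signer.PublicKey(), firmware, sig))
	tampered := append([]byte(nil), firmware...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact verifies:", Verify(signer.PublicKey(), tampered, sig))
	for _, e := range signer.AuditTrail() {
		fmt.Printf("%-11s key=%s artifact=%q approvers=%v\n", e.Action, e.KeyID, e.Artifact, e.Approvers)
	}
}
```

Two design points carry over to a real HSM-backed pipeline: the quorum check lives inside the signer boundary, so no single caller can bypass it by talking to the key directly, and verification needs nothing but the public key, which is why the private key never has to reach a build server, a container image or a device.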
Benefits
Signing keys remain fully protected and never exposed
Complete audit trails and attestation logs for compliance
Simplified key management with RBAC and quorum controls
Seamless CI/CD pipeline integration
Quantum-safe, long-lived device signatures