Code Signing Trust

What is CI/CD?


CI/CD stands for “Continuous Integration/Continuous Delivery” or “Continuous Integration/Continuous Deployment.” It is a software development process that supports agile development methodologies designed to deliver software in frequent release cycles with high quality. Continuous Integration refers to automated processes that support the build, test, and merge sequence to a shared repository. Continuous Delivery refers to an automated approach to the testing and release of code to the shared repository. Continuous Deployment supports automated sequences for pushing code into production. By adopting a CI/CD pipeline and agile development methodologies, companies are able to iterate rapidly on software features and functions and deliver those features with high quality to the market. For many development teams, CI/CD processes run several times a day.


How does code signing fit in a Continuous Integration/Continuous Delivery (CI/CD) process?

CI/CD is an SDLC process that supports agile development methodologies designed to deliver software in frequent release cycles, rapidly and with high quality. Continuous Integration refers to automated processes that support the build, test, and merge sequence to a shared repository. Continuous Delivery refers to an automated approach to testing and release of code to the shared repository. Continuous Deployment supports automated sequences for pushing code into production.

When the code or software is ready for production, it may be released to many organizations and/or departments and installed on their systems. The code has to be signed prior to release so that the receiving organizations or departments can verify the identity of the code publisher and be assured that the code has not been altered from the time of release to the time they download it.

Integration with CI/CD tools can automate code signing as part of the CI/CD process. Automated code signing with security controls enables an organization to meet its corporate security policies without slowing down the software development process. In addition, requiring that code from other sources pulled into the CI/CD process is also signed, and verifying those signatures before the code is used, provides assurance that the code can be trusted and included in the build.
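The two steps the answers above describe, signing a build output before release and verifying publisher identity and integrity on the receiving side (or when third-party code is pulled into the pipeline), as an added example that is not part of the original page and not any vendor's signing tool. It assumes Ed25519 keys, a constructed artifact byte string, a constructed publisher name "Example Corp", and a simple `SignedArtifact` record invented for the illustration; real pipelines would use a certificate-backed signing format, but the checks are the same.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedArtifact is a constructed, minimal release record: the build output's
// SHA-256 digest, the publisher identity, and an Ed25519 signature over both.
// It is an illustration only, not a vendor's signature format.
type SignedArtifact struct {
	Publisher string
	Digest    []byte
	Signature []byte
}

// signedMessage binds the publisher name to the digest so that the signature
// covers both "who published this" and "what was published".
func signedMessage(publisher string, digest []byte) []byte {
	return append([]byte("publisher="+publisher+"\ndigest="), digest...)
}

// SignArtifact is the release-time pipeline step: hash the build output and
// sign the (publisher, digest) pair with the publisher's private key.
func SignArtifact(publisher string, priv ed25519.PrivateKey, artifact []byte) SignedArtifact {
	sum := sha256.Sum256(artifact)
	return SignedArtifact{
		Publisher: publisher,
		Digest:    sum[:],
		Signature: ed25519.Sign(priv, signedMessage(publisher, sum[:])),
	}
}

// VerifyArtifact is the receiving-side (or pipeline-ingest) step. It rejects
// unknown publishers, signatures that do not verify under the publisher's
// trusted key, and artifacts whose content no longer matches the signed digest.
func VerifyArtifact(trusted map[string]ed25519.PublicKey, artifact []byte, sa SignedArtifact) error {
	pub, ok := trusted[sa.Publisher]
	if !ok {
		return errors.New("untrusted publisher: " + sa.Publisher)
	}
	if !ed25519.Verify(pub, signedMessage(sa.Publisher, sa.Digest), sa.Signature) {
		return errors.New("signature does not verify for publisher " + sa.Publisher)
	}
	sum := sha256.Sum256(artifact)
	if !bytes.Equal(sum[:], sa.Digest) {
		return errors.New("artifact digest mismatch: content altered after signing")
	}
	return nil
}

func main() {
	// Constructed key pair standing in for the publisher's signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// The receiving organization's trust store: publisher name -> public key.
	trusted := map[string]ed25519.PublicKey{"Example Corp": pub}

	artifact := []byte("constructed build output: app-1.2.3.tar.gz contents")
	sa := SignArtifact("Example Corp", priv, artifact)
	fmt.Println("digest:", hex.EncodeToString(sa.Digest))
	fmt.Println("untouched artifact:", VerifyArtifact(trusted, artifact, sa))

	// Altered after release: digest check fails even though the signature is intact.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact:", VerifyArtifact(trusted, tampered, sa))

	// Third-party code signed by a key the pipeline does not trust.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreign := SignArtifact("Example Corp", otherPriv, artifact)
	fmt.Println("wrong key:", VerifyArtifact(trusted, artifact, foreign))
}
```

The verification order matters in a pipeline: the publisher lookup and signature check run before the artifact is hashed or unpacked, so untrusted inputs are refused without ever being processed. Private keys would live in an HSM or a managed signing service rather than in the build job, which is the "security controls" part of the answer above.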