Code Signing Trust

What is continuous
code signing for CI/CD?

What is CI/CD?

CI/CD stands for “Continuous Integration/Continuous Delivery” or “Continuous Integration/Continuous Deployment.” It is a software development process that supports agile development methodologies designed to deliver software in frequent release cycles with high quality. Continuous Integration refers to automated processes that support the build, test, and merge sequence to a shared repository. Continuous Delivery refers to an automated approach to the testing and release of code to the shared repository. Continuous Deployment supports automated sequences for pushing code into production. By adopting a CI/CD pipeline and agile development methodologies, companies are able to iterate rapidly on software features and functions and deliver those features with high quality to the market. For many development teams, CI/CD processes run several times a day.

What is Continuous Signing (CS) for Continuous Integration/Continuous Delivery (CI/CD)?

Like CI/CD, Continuous Signing is an operation mode for software development that focuses on closing security gaps by implementing complete, automated, end-to-end code signing. CS works by deploying automated software signing certificates which are issued and controlled through a centralized certificate management platform like DigiCert® Secure Software Manager inside DigiCert® ONE. These automated tools ensure code is continuously and properly signed throughout the CI/CD build, regardless of the stage of development, or who, or how many engineers touch the code.

Continuous Signing also attaches cryptographically unique identity markers, so anyone with permission can view when the code was signed and whose certificate key was used for that signature. CS greatly reduces the risk for human error while greatly improving code integrity and security in a development system that moves quickly and may involve multiple stops with different developers and organizations along the software supply chain.

How does Code Signing Fit in a Continuous Integration/Continuous Delivery (CI/CD) Process?

CI/CD is an SDLC process that supports agile development methodologies designed to deliver software in frequent release cycles rapidly and with high quality. Continuous Integration refers to automated processes that support the build, test, and merge sequence to a shared repository. Continuous Delivery refers to an automated approach to testing and release of code to the shared repository. And Continuous Deployment supports automated sequences for pushing code into production.

When the code or software is ready for production, it may be released to many organizations and/or departments and installed on their systems. The code has to be signed prior to release so that the receiving organizations or departments can verify the identity of the code publisher and be assured that the code has not been altered from the time of release to the time they download it.

Integration with CI/CD tools can automate code signing as part of the CI/CD process. Automated code signing with security controls enables an organization to meet their corporate security policies without slowing down the software development process. In addition, ensuring that code from other sources included in the CI/CD process are also signed provides assurance that those code can be trusted and be included in the software development process.