June 7, 2026
Code signing certificate lifecycle beyond the build pipeline
TLS automation matured faster than code signing governance. Platform teams renew Let's Encrypt certs on cron while the EV code signing token still lives in one engineer's drawer with a calendar reminder. The lifecycle extends from CSR generation through timestamping, revocation, and audit evidence — most of which never appears in a CI YAML file.
Storage and access
Private keys for code signing must stay in HSM or cloud HSM-backed vaults — not on build agents. CI should request a signature operation via API with role separation: developers submit artifacts, a signing service applies the key. USB tokens break automation and vacation coverage. If policy requires hardware, maintain dual custodians and documented break-glass.
Validity and renewal lead time
Public CA code signing certs often run 1–3 years, but industry trends shorten lifetimes. Renewal lead time includes organizational validation, not just ACME-style minutes. Start 90 days before expiry with vendor paperwork, legal attestations, and security questionnaire updates. Missing renewal blocks every release — worse than a single API TLS outage.
Track parallel TLS inventory risk with the certificate expiry risk calculator so code signing dates do not hide in a separate spreadsheet from production TLS.
Timestamp servers
Signatures without RFC 3161 timestamps expire when the cert does: Windows and macOS Gatekeeper reject the old binaries. Configure timestamp URLs in every signing tool and verify that offline installers still validate after cert rotation. Test signed artifacts from last year against current trust stores in QA before decommissioning an old cert.
Revocation and incident response
Compromised code signing keys require CA revocation, customer notification, and a rebuild of every artifact signed during the exposure window. Have OCSP/CRL monitoring and a pre-written comms template. SOC 2 and ISO audits ask for proof of revocation drills; tabletop the scenario annually.
Evidence for auditors
Maintain a register: cert thumbprint, approved signing pipelines, authorized requesters, and per-signature log entries. TLS audit exports are not interchangeable — code signing evidence ties to release versions and artifact hashes. Automate Certificates focuses on TLS fleet operations; apply the same discipline — inventory, alerts, named owners — to signing certs in your GRC tool.
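As an added illustration (example code written for this page, not code from the original post or any vendor tool), the register described above in Python: it checks per-signature log entries against the approved pipelines and requesters from the storage section, produces the exposure-window rebuild list from the revocation section, and applies the timestamp rule from the timestamp section. Thumbprints, hashes, dates and the register layout are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
UTC = timezone.utc

@dataclass(frozen=True)
class SigningEvent:
    """One per-signature register entry: artifact, release, cert, who signed it, when, how."""
    artifact_sha256: str
    release: str
    cert_thumbprint: str
    pipeline: str
    requester: str
    signed_at: datetime
    timestamped: bool  # RFC 3161 countersignature applied

# Constructed sample register: one approved cert, its pipelines, requesters and expiry.
REGISTER = {"THUMB-2024": {"pipelines": {"release-main"}, "requesters": {"ci-release-bot"},
                           "not_after": datetime(2027, 1, 31, tzinfo=UTC)}}
# Constructed sample log; the third signature came from outside the approved pipeline.
LOG = [
    SigningEvent("sha256:aaa", "4.1.0", "THUMB-2024", "release-main", "ci-release-bot",
                 datetime(2026, 3, 2, tzinfo=UTC), True),
    SigningEvent("sha256:bbb", "4.1.1", "THUMB-2024", "release-main", "ci-release-bot",
                 datetime(2026, 5, 20, tzinfo=UTC), False),
    SigningEvent("sha256:ccc", "hotfix", "THUMB-2024", "dev-laptop", "alice",
                 datetime(2026, 5, 21, tzinfo=UTC), True),
]
# Constructed incident: key exposure window, plus a verification date after cert expiry.
EXPOSURE = (datetime(2026, 5, 1, tzinfo=UTC), datetime(2026, 6, 1, tzinfo=UTC))
AFTER_EXPIRY = datetime(2028, 1, 1, tzinfo=UTC)

def policy_violations(log, register):
    """Artifacts signed with an unknown cert or outside the approved pipeline/requester set."""
    bad = []
    for e in log:
        entry = register.get(e.cert_thumbprint)
        if (entry is None or e.pipeline not in entry["pipelines"]
                or e.requester not in entry["requesters"]):
            bad.append(e.artifact_sha256)
    return bad

def rebuild_after_compromise(log, thumbprint, window):
    """Artifacts signed with the compromised cert inside the exposure window: rebuild and re-sign."""
    start, end = window
    return sorted({e.artifact_sha256 for e in log
                   if e.cert_thumbprint == thumbprint and start <= e.signed_at <= end})

def signature_trusted(e, register, now):
    """Timestamped signatures outlive the cert; untimestamped ones die with it."""
    not_after = register[e.cert_thumbprint]["not_after"]
    return e.signed_at <= not_after and (e.timestamped or now <= not_after)
```

The same three functions run over a real export of the signing service's log give auditors the evidence the section asks for: who signed what, with which cert, and which artifacts an incident forces you to re-sign.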
Review cryptographic posture holistically with the TLS cipher audit checklist for delivery endpoints, then extend the checklist internally for signing algorithms and minimum key lengths mandated by your security standard.