Keyfactor Signum
Overview
Keyfactor Signum is a cloud-based code signing platform that centralises and protects signing keys in HSM-backed cloud services whilst enforcing policy controls and integrating into developer toolchains. It supports popular signing tools including SignTool, Jarsigner, Cosign, OpenSSL, and Jenkins, enabling development teams to sign code within their existing workflows without managing signing key infrastructure locally.
Unsung implements Signum for UK customers that need to establish governed, cloud-hosted code signing services with HSM key protection, particularly organisations looking to remove signing keys from individual developer workstations and establish centralised policy control over signing operations.
The Challenge
Code signing protects software integrity, but many organisations still manage signing keys on individual developer machines or shared network drives. This creates significant risk: lost or stolen signing keys can be used to distribute malicious software that appears legitimate, and there is no centralised audit trail of who signed what, when. Development teams also face friction when signing processes require manual steps outside their existing CI/CD pipelines.
Organisations need a code signing approach that protects signing keys in HSMs, enforces policy over who can sign and under what conditions, integrates seamlessly into CI/CD workflows to avoid slowing development, and provides the audit evidence that security and compliance teams require. A cloud-hosted solution reduces the infrastructure burden for organisations that do not want to operate on-premises signing infrastructure.
What It Does
Signum provides cloud-hosted code signing with HSM-backed key protection. Signing keys are generated and stored within cloud HSMs, never leaving the hardware security boundary. Policy controls define which users, teams, and CI/CD pipelines are authorised to sign specific artefact types, preventing unauthorised signing operations.
The platform integrates with standard signing tools and CI/CD platforms, enabling developers to sign code within their existing workflows using familiar commands. Signum handles the HSM interaction transparently, so development teams sign code without managing HSM connections or key material directly. Comprehensive audit logging records every signing operation for compliance reporting, including the identity of the signer, the artefact signed, and the signing key and certificate used.
How Unsung Helps
Unsung helps clients design code signing policies, integrate Signum into their development pipelines, and establish the governance framework needed for auditable signing operations. Our PKI Consultancy service provides guidance on code signing strategy and how cloud-hosted signing fits within the organisation’s broader PKI and security architecture.
Related Unsung Services
PKI Consultancy — Advisory on code signing strategy and software supply chain security.
PKI Design & Build — Design and implementation of signing infrastructure and CI/CD integration.
Hardware Security Modules — HSM strategy for signing key protection.
