GaraSign For Code Signing

Some of the most sensitive keys in an enterprise are the code signing keys. If improperly protected, these keys can be compromised, potentially resulting in catastrophe.

Storing your code signing keys in an HSM provides excellent security but may introduce integration challenges and performance bottlenecks, leaving the CI/CD pipeline clogged. On the other hand, storing your keys outside of an HSM significantly increases risk and may put your enterprise out of compliance.

GaraSign gives you the best of both worlds: strong security and superior performance, plus client integrations to all the tools used in your environment today.

Your code signing solution must be secure, fast, and easy to use. How do you achieve all three?

The ramifications of insecure code signing can be disastrous. Signing keys must be secured at all times.

But security isn’t the only thing that matters— an enterprise code signing solution must also account for performance and ease of use. In a DevOps environment, speed is paramount: code signing must not slow down the CI/CD pipeline. At the same time, the solution must integrate with existing enterprise tools and processes for ease of deployment, use, and management.

Strong Security Requirements

Code signing keys are mission-critical assets and must be protected with the highest level of security at all times.

High Performance Demands

Enterprises continuously integrate and sign code, so a code signing solution must provide extremely fast signatures.

Ease of Use is Essential

If your signing tools aren't integrated with your HSM, deploying a fast and secure code signing solution at scale is challenging.

GaraSign enables sub-second signatures with HSM-protected keys from all the tools you use today.

GaraSign Demo For
Code Signing

Secured Access To HSM-Protected Keys

GaraSign is deployed on customer-managed infrastructure between the HSM and the signing clients, restricting those signing clients to proxied key access.

The result is that all code signing keys remain secured and non-exportable in the HSM at all times, providing maximum security, while end-users can still use the keys they need to efficiently sign code.

High Performance With Client-Side Hashing

GaraSign uses a client-side hashing architecture. Signing clients hash the code they need to sign before sending it over the network to create the signature.

This hash signing architecture limits the amount of data being transmitted over the network, so code signing stays fast to support continuous integration while the signing keys remain secured in the HSM.

Advanced Security Features

GaraSign supports advanced security features, including multi-factor authentication, device authentication, approval workflows, IP address whitelisting, notifications, and more. With GaraSign’s granular controls, these features can be enabled on a per-key or per-user basis and integrated with any signing tool.

Ensure Code Is Tamper-Free

With client-side hashing in place, GaraSign receives only the hash to sign during the code signing process. To ensure that the hash it receives matches the hash of the code in the repository, GaraSign automatically retrieves the source code, performs a deterministic build, and independently generates a hash. A precise match of the two hashes proves that the code has not been tampered with, preventing malware injections and supply chain attacks.

Integrations To All The Tools You Use

GaraSign comes with a host of native client integrations, making it easy to deploy GaraSign directly into your IT environment without needing to develop custom integrations.


GaraSign for Code Signing FAQs

Yes, GaraSign supports native signing tools that can be executed from any CI/CD pipeline.

Yes, GaraSign supports native signing tools that can be executed from a developer's workstation.

GaraSign can support certificates from any certificate authority via its most basic certificate processing capabilities. For automated certificate issuance, GaraSign has first class support for certain certificate authorities.

For manual production code signing (typically done as a ceremonial process), GaraSign supports multi-factor authentication, device authentication, quorum-based approval workflows, automated hash validation, IP address whitelisting, just-in-time access, audit notifications, and granular key permissions.

For automated code signing, GaraSign supports device authentication, automated hash validation, IP address whitelisting, audit notifications, and granular key permissions.

One of GaraSign's most advanced security controls is its patented Automated Hash Validation feature. This feature uses reproducible builds to ensure that what is being signed matches what is in the source control repository. By doing this, compromising the build server alone is not sufficient for an attacker to get their malware signed. The attacker must commit the malware to the source code repository. Not only is this an additional attack that the attacker must be capable of, it also leaves a permanent record of the attack that should get detected during code review or scanning.

GaraSign supports two modes of Automated Hash Validation - pre-sign and post-sign. In pre-sign mode the validation is done before the code gets signed, thereby acting as a preventative control, which provides the highest level of security but also has the highest performance penalty. In post-sign mode, the validation is done after the signature is generated, thereby acting as a detective control, which has slightly reduced security benefits but great performance. In post-sign mode, even if an attacker is able to sign their malware it will be detected relatively quickly so action can be taken. Garantir recommends using pre-sign validation for production signing and post-sign validation for non-production signing that happens in the continuous integration environment.

Yes, as part of Automated Hash Validation GaraSign can run any set of tools on the source code and/or binaries and use the result of running those tools as part of validation. For example, GaraSign can be configured to run static analysis tools, fuzzing tools, etc.


For very performance-sensitive customers, GaraSign's Automated Hash Validation feature can be used to offload processing that the build server would otherwise have to do. By doing this, tasks can be run in parallel that would otherwise run in series, thereby reducing the overall wall-clock time taken to complete a build.

There are a few reasons. The first is that all your code signing keys, including non-production, should be stored in your enterprise's HSM. Even though these keys aren't publicly trusted, they are trusted in your test environment and so they can be used to sign malware that spreads in that environment. The second is that code signing keys and build servers are high-value targets for attackers. If you are under attack you want strong protection in place and you want to be alerted to the issue as soon as possible. GaraSign provides this for you. The third reason is that you want to have a system that manages your certificates for you. Without that, it is easy to forget that a certificate will expire which results in downtime in your CI/CD pipeline.

GaraSign supports a quorum-based approval process where a quorum of approvers must approve the request before the signature is generated. If any approver rejects the request, the signature is not generated. GaraSign even supports tiers of quorums with each tier having its own quorum size. For example, you could configure it so that at least three developers must approve the request. Once that is complete, at least one tester must approve it. And so on as you see fit.

Give GaraSign a Try

Schedule a demo to see how GaraSign can improve the security and performance of cryptographic operations throughout your environment.