A Signing Key is a configuration object that defines the properties, lifecycle, and usage of a code signing key pair stored in AWS Key Management Service (KMS) or Built-In Key Storage. The Signing Key specifies parameters such as algorithm, key size, and validity period, and it can optionally request a code signing certificate from a selected certificate authority. The following key storage locations are available:

When a Signing Key is created, Next-Gen Trust Security generates the actual cryptographic keypair inside the selected storage location. The private key never leaves its storage location and is never exposed to users or signing machines.

Creating and managing Signing Keys requires a role with write access to the Signing Keys page on the TSG.

The Code Sign Client is a lightweight tool installed on a signing machine. It connects the signing machine with the Next-Gen Trust Security code signing capability. Once authenticated to Next-Gen Trust Security, the client retrieves signing key references and makes those available to integrate with standard signing applications on the signing machine. The client ensures that private keys remain securely in KMS while still enabling fast, reliable local signing.

Built-in Accounts provide the credentials that the Code Sign Client uses to authenticate and perform signing operations. Creating a built-in account requires a role with write access to the Built-in Accounts page on the TSG.

After a built-in account is created, it produces a Client ID and an authentication key pair. These credentials can be used by anyone with access to them — the person using the credentials does not need a role or UI access. This allows administrators to provision signing access for users and automated systems without granting them access to Next-Gen Trust Security.

A signing machine is any workstation or CI system that runs the Code Sign Client and performs signing operations. Signing machines never store private code signing keys. They only hold the authentication material required to connect to the service.

The code signing capability supports both the built-in certificate authority as well as several trusted public CAs. When a Signing Key is created, you can optionally issue a code signing certificate from the selected CA to pair with the key.

The Built-in CA requires no configuration and is suitable for internal trust use cases, such as development builds. Certificates issued by the Built-in CA are not implicitly trusted by browsers or operating systems. To use the Built-in CA certificates, your organization must distribute and trust the Built-in CA certificate chain internally.

Now that you understand the core building blocks of the code signing capability, continue with the Solution overview to see how these components work together in the signing workflow.