>
    Strata Copilot
    Code Signing Capability Overview
    Focus
    Focus
    1. Home
    2. Next‑Gen Trust Security
    3. Next-Gen Trust Security
    4. Next-Gen Trust Security Overview
    5. Introduction to the Code Signing Capability
    6. Code Signing Capability Overview
    Next‑Gen Trust Security

    Code Signing Capability Overview

    Table of Contents

    Code Signing Capability Overview

    The code signing capability provides a secure, cloud-based architecture for generating, storing, and using code signing keys. Next-Gen Trust Security keeps private keys securely in either AWS Key Management Service (KMS) or Built-In Key Storage at all times, while still enabling users and automated systems to perform signing operations. The following overview describes how the main components interact during the code signing lifecycle.

    Sequence Diagram

    This diagram summarizes the high-level flow of the code signing capability. The text below explains each step in detail.

    1. Administrators Configure the Signing Environment

    Administrators use a Tenant Security Group (TSG) or child TSG to organize signing activities and define access boundaries. Each TSG can contain one or more Signing Keys. When a key is created, Next-Gen Trust Security generates the key inside your selected storage location (AWS KMS or Built-In Key Storage) and (optionally) issues a matching code signing certificate from the selected certificate authority.
    If you plan to obtain a certificate from a public certificate authority, you must select AWS KMS as your storage location and configure a certificate authority connector before creating a Signing Key.
    Note: Next-Gen Trust Security includes a Built-in CA that requires no configuration, but certificates issued by the Built-in CA are not implicitly trusted by browsers or operating systems. You can also choose None when creating a Signing Key if you only need a key pair and not a certificate.

    2. Code Sign Clients authenticate to Next-Gen Trust Security

    To perform signing operations, the Code Sign Client authenticates using the Client ID and private key file generated by a built-in account in Next-Gen Trust Security. Authentication gives the Code Sign Client temporary, least-privilege access to the Signing Keys within the scope of that built-in account's TSG.

    3. The Code Sign Client identifies which keys it can use

    After authentication, the Code Sign Client connects to Next-Gen Trust Security to determine which Signing Keys are available within its TSG scope. The private keys remain in their selected storage location at all times. The client does not download or store them. Instead, the client requests signing operations through the code signing capability, which performs the signing inside the secure storage backend and returns the result.
    No private key material is ever sent to the signing machine.

    4. Signing Initiated from the Signing Machine

    The user or automated system chooses a file to sign on the signing machine. The signing tool (such as SignTool, jarsigner, or similar) computes a digest of the file. The Code Sign Client sends it to the Next-Gen Trust Security code signing capability, which instructs the storage backend to sign it using the specified Signing Key. The resulting signature is returned to the signing machine and written to disk.
    This design ensures that:
    • Private keys remain in their secure storage location (AWS KMS or Built-In Key Storage).
    • Signing workloads run close to source files.
    • Automated systems do not need to manage private key storage.

    5. Next-Gen Trust Security tracks and logs all signing activity

    Every signing operation generates event records and updates usage counters. Administrators can view:
    • Which Signing Key was used
    • Which built-in account identity performed the operation
    • When the signing occurred
    • Whether it succeeded
    These audit features help organizations maintain compliance and track operational usage over time.

    6. Keys and Certificates Remain Centrally Managed

    Because all Signing Keys are stored and managed by Next-Gen Trust Security:
    • Keys can be renewed, rotated, or disabled without modifying signing machines.
    • Access is inherently and centrally controlled through your TSG hierarchy.
    • Certificates can be reissued or updated without distributing new private keys.
    This centralized model keeps code signing operations secure, consistent, and easy to administer.

    What's Next

    Next, explore Roles and permissions to understand who can perform each task within the TSG hierarchy.
    If you are ready to begin configuration, proceed to the Getting Started tutorial to see the full setup and signing lifecycle in action.

    © 2026 Palo Alto Networks, Inc. All rights reserved.