Set global code signing properties

There are a number of properties that Code Signing Administrators can set at the global code signing level. Some of these properties serve as defaults that can be overridden in Environment Templates, whereas others become restrictions that cannot be overridden. To access these settings, select the Venafi Code Signing node in the Venafi Configuration Console, and in the Actions Panel, click Properties.

The Venafi CodeSign Protect Properties window opens. The window is divided into the following tabs:

Global Code Signing Configuration tab
Default Flows tab
Request Instance Identification tab

Global Code Signing Configuration tab

Default Containers

In this section, you can set the default storage locations for Certificate Authority Templates, Credentials, and Certificates. To change any of these locations, click the drop-down box and select a new folder.

These locations can be reset in the Environment Templates.

Private Key Generation and Storage

This section lists the available generation and storage locations for code signing private keys. Place a checkmark next to each location that you want to be able use for key storage. The storage locations selected here will be the only locations available in the Environment Templates.

NOTE If you do not have any connected HSMs, then the only option shown is Software, which is the Trust Protection Platform Secret Store. To select an HSM, you first need to configure an HSM. See Creating a HSM (Cryptoki) connector for instruction on connecting an HSM.

Options

Key Users may not have other roles in the same project. Checking this box disallows users who are assigned as Key Users or who are members of a Key User group from having any other role on the code signing project.

NOTE User roles in the project are checked when the key is used, not when the project is created or edited. The reason for this is that group membership is dynamic, which means that the only reliable time to validate user roles is at the time of key use.

NOTE The Trust Protection Platform Master Admin and Code Signing Administrator roles cannot be assigned as CodeSign Protect Key Users.
Role members must be in groups. Checking this box disallows Owners from selecting individual users to fill roles in code signing. All roles must be assigned to groups.
Wait period before timing out requests. Specifies the number of seconds to wait before the CSP will time out. This value is pushed from the Trust Protection Platform server to the CSP clients.

Request in Progress Message

The Request in Progress field provides Code Signing Administrators the ability to customize the dialog returned to the Key User when an approval is required or a signing operation is rejected.

EXAMPLE In the case where approval is required to use a code signing key, providing an email address for Key Users to get additional information may be helpful.

If you enter a message that contains the macro "$flowmessage$", only what you enter will be displayed, with "$flowmessage$" being replaced with the flow status.

EXAMPLE Using the "$flowmessage$" macro.

Certificate Configuration

If you want Owners to be able to add a SAN Email to certificate requests, check the Allow SAN Email checkbox.

Default Flows tab

Delete Flows

The Delete flows box of allows you to set the default Object Delete Flow. This Flow is invoked any time a Project or Environment is deleted. By default, the Flow set as the default Flow doesn't require any approvals for a Project or Environment to be deleted. If you want to create a Flow that requires approvals, see Create Flows.

To select a Flow, click the drop-down box in the Delete Flows section and find the Object Delete Flow you want to use.

If the Object Delete Flow requires approvals, approvers will be notified anytime a Project or Environments deletion request is received. Approvers should follow the instructions in Approving or Rejecting a project deletion request to take action on the request.

Signing Flows

To remove the option for Key Use Approvers to allow unlimited signings when approving a signing request, check the Approvers may not allow unlimited signings upon signing request approval checkbox in this section. With this checked, the Unlimited Use radio button (outlined in the screenshot below) will be removed from the Signing Request approval screen entirely.

If you leave Unlimited Use enabled, Key Use Approvers will be required to select a date and time when the unlimited key use approval expires.

Request Instance Identification tab

The Request Instance Identification options allow Code Signing Administrators to determine which attributes of a signing request are used to match previous signing requests that are not yet fulfilled. The global settings can be overridden in Environment Templates.

DID YOU KNOW? Every code signing private key managed by Trust Protection Platform is associated with an Environment, and each Environment has an associated Flow. The final step in every Flow is to sign the code. In some cases, a signing request's Flow will not be able to finish in a single operation, such as in the case of a required approval.

When the Trust Protection Platform server receives a signing request, it needs to determine whether the request is new or whether it is a continuation of a previous request that is not yet fulfilled. If Trust Protection Platform cannot find an unfulfilled signing request that matches the attributes selected, it considers the request a new request and will start at the beginning of the Flow that is associated with the Environment.

To learn more about Flows, see Create Flows.

The following values can be used to match signing requests with previously-submitted requests that are not yet fulfilled.

CAUTION Changing these options invalidates any existing pending approvals.

Command Line: The actual command used to issue the signing request. This is enabled by default.; This identifier should be disabled for GPG Environment Templates that use a Flow with approvals.
Signing Executable: The filename of the signing application.
Signing Executable Checksum (Hash): The hash of the signing application being used to sign.
Signing Executable Signer: The signer of the signing application. This is the subject of the certificate used to sign the signing application itself.
Signing Executable Size: The disk size of the signing application.
Request IP Address: The IP address of the workstation from which the request was issued.
Request Justification: The request justification is a freeform field that allows the Key User to include a reason why they are requesting use of the key.
Signing Key Identifier: The Trust Protection Platform unique identifier for a private key. This is enabled by default.
Requesting Machine Name: The name of the workstation from which the signing request is made. This is enabled by default.
Data to be signed: The hash of the data (such as an executable, macro, or document) that the signing application creates.; NOTE Checking this option ensures that the binary being signed cannot change between the request, approval, and signature.
User requesting signature: The Trust Protection Platform username of the user requesting the signing.
Username of requestor on signing machine: The workstation username of the user requesting the signing. This is enabled by default.