- Sign artifacts through any tool that supports PKCS#11, or directly via the Sign API
- Require approvals before signatures are produced, with per-approval limits on count and time
- Manage who can sign with per-Signer roles for users, machine identities, and groups
- Track every signing operation in a full audit trail
mobile-app-prod, firmware-release, or ci-staging-builds. Product Admins create Signers, attach a code-signing certificate, and assign team members. Teams then operate independently within their assigned Signers.
What’s in a Signer?
- Certificate: the X.509 code-signing certificate the Signer uses, backed by an internal or external CA.
- Members: team members with Administrator, Operator, or Auditor roles on this Signer.
- Approval policy: an optional review workflow before signatures are produced.
- Activity: an audit trail of every successful, failed, and denied signing operation.
How a signing operation flows
- A Product Admin creates a Signer and picks the CA that issues its certificate.
- The Admin adds members (users, machine identities, or groups) and picks a role for each.
- Optionally, the Admin attaches an approval policy so signing requires sign-off.
- Operators sign through the PKCS#11 module or the Sign API. Infisical produces the signature and records an audit entry on the Signer.
Signer roles
Members are assigned to Signers with one of three roles:

| Role | Capabilities |
|---|---|
| Administrator | Full control: edit settings, manage members, edit the approval policy, pre-approve signing, sign, export the certificate. |
| Operator | Sign artifacts and submit signing requests. Cannot change settings or members. |
| Auditor | Read-only: view members, activity, and the audit log. Cannot sign. |
FAQ
How is this different from handing out a .pfx or .p12 file?
When you distribute a key file, anyone with a copy can sign anything for the lifetime of the certificate, and you can’t take that copy back. With a Signer, you can disable signing, revoke active access, or remove a member at any time, and that change takes effect immediately.
Do I have to require approval for every signature?
No. A Signer can have no approval policy, in which case any member with sign rights can sign immediately and you still get a full audit trail. Approvals are optional and most useful for production releases or compliance-sensitive workloads.
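To make the access model described in the roles table and the FAQ concrete, here is a small added Python model of a Signer's authorization, approval and audit logic. It is an illustrative example written for this page, not Infisical's implementation: the role names, the per-approval count and time limits, and the success/denied audit outcomes follow the page, while every class, function and field name (Signer, Approval, approve, sign, ROLE_CAPS) is an assumption. Signatures are simulated with HMAC over a constructed key so the file runs offline without a certificate or the PKCS#11 module.

```python
"""Toy model of a Signer's authorization, approval and audit logic.
Added example, NOT Infisical's code; all names are assumptions.
"""
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Capability matrix taken from the roles table on the page.
ROLE_CAPS = {
    "Administrator": {"sign", "manage_members", "edit_policy",
                      "pre_approve", "export_cert", "view_audit"},
    "Operator": {"sign", "request_signing"},
    "Auditor": {"view_audit"},
}

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Approval:
    granted_by: str
    max_uses: int            # per-approval count limit
    expires_at: datetime     # per-approval time limit
    uses: int = 0

    def usable(self, now: datetime) -> bool:
        return self.uses < self.max_uses and now < self.expires_at


@dataclass
class Signer:
    name: str
    members: dict = field(default_factory=dict)   # identity -> role
    require_approval: bool = False                # approval policy attached?
    approvals: list = field(default_factory=list)
    audit: list = field(default_factory=list)     # (who, action, outcome, detail)
    # Constructed stand-in for the certificate's private key, which a real
    # Signer never hands to members (that is the point versus a .pfx file).
    _key: bytes = field(default=b"constructed-demo-key", repr=False)

    def _log(self, who, action, outcome, detail=""):
        self.audit.append((who, action, outcome, detail))

    def _can(self, identity, capability):
        return capability in ROLE_CAPS.get(self.members.get(identity), set())

    def add_member(self, identity, role):
        if role not in ROLE_CAPS:
            raise ValueError(f"unknown role {role!r}")
        self.members[identity] = role

    def remove_member(self, identity):
        # Removal is immediate: the next sign() from this identity is denied.
        self.members.pop(identity, None)

    def approve(self, admin, max_uses, ttl, now=T0):
        """Pre-approve signing, bounded by a use count and an expiry."""
        if not self._can(admin, "pre_approve"):
            self._log(admin, "approve", "denied", "role lacks pre_approve")
            return False
        self.approvals.append(Approval(admin, max_uses, now + ttl))
        self._log(admin, "approve", "success", f"{max_uses} uses, {ttl}")
        return True

    def sign(self, identity, digest: bytes, now=T0):
        """Return a signature for `digest`, or None when denied; always audits."""
        if not self._can(identity, "sign"):
            self._log(identity, "sign", "denied", "no sign right")
            return None
        if self.require_approval:
            approval = next((a for a in self.approvals if a.usable(now)), None)
            if approval is None:
                self._log(identity, "sign", "denied", "no usable approval")
                return None
            approval.uses += 1
        sig = hmac.new(self._key, digest, hashlib.sha256).hexdigest()
        self._log(identity, "sign", "success", digest.hex()[:8])
        return sig


def demo():
    """Walk through the page's scenarios; returns the audit outcomes in order."""
    s = Signer("firmware-release")
    s.add_member("alice", "Administrator")
    s.add_member("bob", "Operator")
    s.add_member("carol", "Auditor")
    digest = hashlib.sha256(b"firmware.bin (constructed)").digest()

    s.sign("bob", digest)                      # no policy: signs immediately
    s.sign("carol", digest)                    # Auditor: denied, still audited
    s.require_approval = True
    s.sign("bob", digest)                      # denied: no approval yet
    s.approve("carol", 5, timedelta(hours=1))  # Auditor cannot pre-approve
    s.approve("alice", 2, timedelta(hours=1))  # 2 signatures within 1 hour
    s.sign("bob", digest, T0 + timedelta(minutes=5))
    s.sign("bob", digest, T0 + timedelta(minutes=10))
    s.sign("bob", digest, T0 + timedelta(minutes=15))  # count exhausted
    s.approve("alice", 10, timedelta(minutes=30), T0 + timedelta(minutes=20))
    s.sign("bob", digest, T0 + timedelta(hours=2))     # approval expired
    s.remove_member("bob")
    s.sign("bob", digest, T0 + timedelta(minutes=21))  # removed: denied at once
    return [outcome for _, _, outcome, _ in s.audit]
```

Running `demo()` shows the behaviour the FAQ describes: with no approval policy an Operator signs immediately and the audit trail still records it, an Auditor's attempt is denied and logged, an approval stops working once its count or time limit is reached, and removing a member denies their very next request because the private key never left the Signer.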
What’s next?
- Create a Signer: the 4-step wizard.
- Add an approval policy: require sign-off and cap per-approval limits.
- Install the PKCS#11 module: hook up your signing tools.
- Sign your first JAR: end-to-end walkthrough.