Software Trust API
5 minute read
DigiCert® Software Trust Manager API lets you automate code signing operations, manage signing keys and certificates, scan software for vulnerabilities, and enforce secure release workflows for your software supply chain.
What you can do
- Manage signing keys: Create and manage keypairs in FIPS-compliant HSMs for secure code signing operations.
- Sign code and artifacts: Execute cryptographic signing operations for binaries, containers, packages, and scripts.
- Scan software: Analyze software releases for security vulnerabilities and open-source license compliance issues.
- Control release workflows: Define release windows with approval gates and signature limits to enforce secure development practices.
- Rotate keys: Automate key rotation schedules to maintain cryptographic hygiene and compliance.
- Monitor operations: Query audit logs and signature logs to track all signing activities and key usage.
Tip
See Get started for complete details on making your first API call to DigiCert® ONE APIs.Authentication
| Method | Best for | How it works |
|---|---|---|
| API key (default) | CI/CD pipelines, backend services | Add the service user API token in the x-api-key request header. |
| Mutual TLS (mTLS) | High-assurance, network-restricted, or key-rotation-averse environments | Present a client TLS certificate and call the clientauth. hostname. |
| Segment | Description | examples |
|---|---|---|
{hostname} | DigiCert® ONE hostname | one.digicert.comdemo.one.digicert.comone.digicert.co.jp |
{product} | DigiCert® ONE product-specific path segment | /signingmanager (Software Trust Manager) |
api/v{n} | API version; Software Trust Manager primarily uses v1 | /api/v1 (most operations)/api/v2 (enhanced signatures listing) |
{resource} | Specific endpoint path | /keypairs/keypairs/{keypair_id}/sign/certificates/release-windows/scans |
Keypairs and signing
Software Trust Manager stores private keys in FIPS 140-2 Level 3 certified HSMs so your cryptographic material never leaves secure storage.
Keypair types
- Standard keypairs: RSA, ECDSA, or EdDSA keys for signing binaries, documents, and artifacts
- GPG keypairs: GNU Privacy Guard keys for package signing (RPM, DEB, etc.) and cryptographic operations
Signing workflow
- Create or import a keypair using
/api/v1/keypairsor/api/v1/gpg-keypairsendpoints. - Generate a certificate for the keypair (for standard keypairs) or use existing GPG identity.
- Call the sign endpoint
/api/v1/keypairs/{keypair_id}/signwith your hash or data. - Receive the signature to attach to your artifact.
Note
All cryptographic operations occur within the HSM. Private keys are never exported or exposed during signing operations.Certificate hierarchies
Software Trust Manager allows you to create custom certificate hierarchies for code signing certificates.
Hierarchy workflow
Hierarchies define the chain of trust for issued certificates. Create a hierarchy specifying root and intermediate CA certificates, then associate certificate profiles with that hierarchy. Certificates generated through those profiles will chain to your custom PKI.
Hierarchy states
- Pending: Hierarchy created but awaiting approval.
- Approved: Hierarchy is active and can be used for certificate issuance.
- Suspended: Hierarchy temporarily inactive; no new certificates can be issued.
- Locked: Hierarchy configuration is locked to prevent modifications.
Tip
Use/api/v1/hierarchies and its sub-endpoints to create and manage hierarchies. Having granular approval workflows ensure proper oversight of PKI changes.Release windows
Release windows provide governance and approval controls for software releases, enforcing secure development practices.
What is a release window?
A release window is a time-bound approval gate that controls when and how much code can be signed. It combines the following metrics:
- Time boundaries (start and end dates)
- Signature limits (maximum number of signing operations)
- Approval requirements (who must approve before signing)
- Associated resources (scans, keypairs, certificates)
Release window workflow
- Create a release window with defined parameters and resource mappings.
- Request approval from designated approvers.
- Once approved, the window becomes active.
- Signing operations are allowed within the window’s constraints.
- Close the release window when the release cycle completes.
Tip
Use/api/v1/release-windows endpoints to manage release windows and enforce controlled signing practices.Software scans
Software Trust Manager integrates with FOSSA to provide security and compliance scanning for software releases.
Scan capabilities:
- Vulnerability detection in dependencies
- Open-source license compliance checking
- Software composition analysis (SCA)
- Integration with release windows for approval workflows
Scans can be associated with release windows to ensure that only validated, secure software releases proceed to signing. Use /api/v1/scans endpoints to retrieve scan results and /api/v1/release-windows/{release_window_id}/map-resources to associate scans with release windows.
Teams and access control
Teams provide fine-grained access control for signing resources. They also enable delegation and separation of duties. Team-based access allows you to:
- Organize users into teams with specific responsibilities.
- Map resources (keypairs, certificates, release windows) to teams.
- Control which teams can access which signing assets.
- Enforce multi-person approval for sensitive operations.
Use /api/v1/teams endpoints to create teams and map resources. Multi-person approval requests ensure that critical operations require consensus from more than one authorized individual.
Roles and permissions
Assigned roles determine a user’s permissions. Roles are manager-specific and provide a granular permission structure.
Use the /account/api/v1/role endpoint to see available roles for Software Trust Manager:
curl -X GET https://demo.one.digicert.com/account/api/v1/role?application_code=secure_software_manager \
-H "x-api-key: USER_API_TOKEN" \
-H "Content-Type: application/json" | jq '.'
Important considerations
- Private keys never leave the HSM. All signing operations occur within FIPS-certified hardware security modules. Keypair export requires approval workflows and is only available in specific scenarios.
- Keypair suspension is immediate. Suspending a keypair prevents all signing operations immediately. Use suspension when you suspect key compromise or need to temporarily halt signing.
- Certificate profiles define issuance parameters. Before generating certificates, configure certificate profiles that specify validity periods, key usage, and extended key usage attributes.
- Release windows enforce governance. Use release windows to control signing operations during development cycles. Signature limits prevent runaway signing and enforce controlled release practices.
- GPG keypairs require special handling. GPG keypairs are managed separately from standard keypairs. Use
/api/v1/gpg-keypairsendpoints and note that GPG keyring operations use different formats. - Audit logging is comprehensive. All signing operations, key operations, and approval actions are logged. Use
/api/v1/audit-logand/api/v1/signaturesendpoints to maintain complete audit trails.
Common operations
| Method | Endpoint | Description |
|---|---|---|
| POST | /signingmanager/api/v1/keypairs | Create a new keypair; generates signing key in HSM |
| GET | /signingmanager/api/v1/keypairs | List all keypairs; use query parameters to filter by account or status |
| POST | /signingmanager/api/v1/keypairs/{keypair_id}/sign | Sign a hash using the specified keypair; primary signing operation |
| POST | /signingmanager/api/v1/keypairs/{keypair_id}/certificates | Generate a certificate for a keypair |
| PUT | /signingmanager/api/v1/keypairs/{keypair_id}/suspend | Suspend a keypair; prevents all signing operations |
| POST | /signingmanager/api/v1/release-windows/ | Create a release window; establishes approval gate for signing |
| PUT | /signingmanager/api/v1/release-windows/{release_window_id}/approve | Approve a release window; enables signing within the window |
| GET | /signingmanager/api/v1/scans | List software scans; view vulnerability and compliance reports |
| GET | /signingmanager/api/v1/signatures | List signing operations; track all signatures created in your account |
| POST | /signingmanager/api/v1/teams | Create a team; enables resource-based access control |
| GET | /signingmanager/api/v1/audit-log | View audit logs; track keypair operations and approvals |
| POST | /signingmanager/api/v1/key-rotation | Create key rotation schedule; automates keypair lifecycle management |
API reference
OpenAPI reference documentation for Software Trust
Was this page helpful?
Provide feedback