Interoperability

Signum is designed to integrate with the signing tools and cryptographic interfaces that organizations already use, rather than requiring adoption of a proprietary signing client. This is achieved through cryptographic interfaces native to each platform:

  • Windows: Cryptography API: Next Generation Key Storage Provider (CNG KSP), the legacy Cryptographic Service Provider (CSP) interface, and PKCS#11.

  • Linux: PKCS#11 interface.

  • macOS: PKCS#11 and the Apple CryptoTokenKit framework.

Any signing tool that can address keys through one of these interfaces is natively compatible with Signum.

Existing build pipelines, signing scripts, and CI/CD workflows can be redirected to HSM-backed keys in Signum by installing the Signum Agent rather than rewriting the signing toolchain. The signing tool continues to invoke the same commands against the same certificate identifiers; the Agent intercepts the private key operation and routes it to the Signum server and the HSM, so the key material itself is never handed to the tool.


Cryptographic Interfaces

KSP Interface

The KSP interface is available exclusively on Windows and is the recommended integration path for tools that obtain keys through the Windows cryptographic subsystem (CNG). When the Signum Windows Agent is installed, it registers a KSP that makes HSM-backed certificates visible in the Windows certificate store.

CSP Interface

The CSP interface is the legacy Windows cryptographic interface and is provided alongside the KSP for compatibility with older tools and workflows that have not yet migrated to CNG. The Signum Windows Agent registers a CSP that exposes the same HSM-backed certificates as the KSP. Tools that explicitly target the CSP interface, or that predate the CNG architecture, use this interface transparently. Where both KSP and CSP are available, KSP is preferred for new integrations.

PKCS#11 Interface

The PKCS#11 interface is available on Windows, Linux, and macOS and is the integration path for tools that load a cryptographic library directly rather than relying on operating system certificate stores. The Signum Agent exposes a PKCS#11 shared library, libsignumpkcs11.so, that can be referenced in the configuration of any PKCS#11-aware tool.
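The following shell functions show what "referencing the library in the configuration of a PKCS#11-aware tool" looks like for jarsigner, which loads PKCS#11 modules through Java's SunPKCS11 provider. This is an added example and not Signum's own code or tooling: the install path of libsignumpkcs11.so, the provider name, the key alias and the timestamp URL are assumptions, and the real values come from your Agent installation and the Integration & Signing Guides.

```shell
#!/bin/sh
# Added example, not Signum's own code: point jarsigner at the Signum PKCS#11 module
# through a SunPKCS11 provider configuration. The module path, provider name, key alias
# and timestamp URL are assumptions; take the real values from your Agent installation.

# Write a SunPKCS11 configuration file.
#   $1 = config file to create
#   $2 = path to the Signum PKCS#11 module (assumed location)
#   $3 = provider name (becomes "SunPKCS11-<name>" inside the JVM), default Signum
write_sunpkcs11_cfg() {
    cfg=$1; lib=$2; name=${3:-Signum}
    if [ ! -r "$lib" ]; then
        echo "PKCS#11 module not readable: $lib" >&2
        return 1
    fi
    # slotListIndex selects the first slot the module presents; change it if the
    # Agent exposes more than one token.
    {
        echo "name = $name"
        echo "library = $lib"
        echo "slotListIndex = 0"
    } > "$cfg"
}

# List the key aliases the module exposes, to confirm that the certificate assigned to
# the signing user is visible before a build tries to use it.
list_signum_keys() {
    keytool -list -keystore NONE -storetype PKCS11 \
        -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$1"
}

# Sign a JAR. The private key operation happens in the Agent/HSM; jarsigner only sees a
# PKCS#11 token. The signature algorithm must match the key type: SHA256withRSA for RSA
# keys, SHA256withECDSA for ECDSA keys (ECDSA is available via PKCS#11 on Linux/macOS only).
#   $1 = config file, $2 = JAR, $3 = key alias, $4 = sigalg (default SHA256withRSA),
#   $5 = RFC 3161 timestamp URL (assumed; optional)
sign_jar() {
    cfg=$1; jar=$2; keyalias=$3; sigalg=${4:-SHA256withRSA}; tsa=${5:-}
    set -- -keystore NONE -storetype PKCS11 \
        -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$cfg" \
        -digestalg SHA-256 -sigalg "$sigalg"
    if [ -n "$tsa" ]; then
        set -- "$@" -tsa "$tsa"
    fi
    jarsigner "$@" "$jar" "$keyalias" && jarsigner -verify -strict "$jar"
}

# Typical sequence (assumed paths and names):
#   write_sunpkcs11_cfg ./signum-pkcs11.cfg /usr/lib/libsignumpkcs11.so
#   list_signum_keys    ./signum-pkcs11.cfg
#   sign_jar            ./signum-pkcs11.cfg app.jar codesign-prod SHA256withRSA http://tsa.example
```

The config file is the only place the tool needs to know about Signum; jarsigner, keytool and any other SunPKCS11 consumer can share it. Listing the aliases first catches the common failure where the certificate has not been assigned to the signing user by policy and therefore does not appear in the token.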

CryptoTokenKit

The CryptoTokenKit interface is available exclusively on macOS and is the Apple-native framework through which the macOS operating system provides smartcard and hardware token integration to signing tools. When the Signum macOS Agent registers a certificate in the macOS Keychain through signum-util keychain --add, that certificate becomes accessible to any tool that uses CryptoTokenKit, including codesign, productsign, pkgbuild, productbuild, and Xcode. CryptoTokenKit is the mechanism that makes Signum HSM-backed keys appear as locally available identities to these tools.

For more information, see CryptoTokenKit in the Apple Developer Documentation.


Supported Algorithms

The algorithms available to a signing tool depend on the interface through which it accesses Signum keys:

Interface        Platform   Key Algorithm
---------------  ---------  -------------
CSP              Windows    RSA
KSP              Windows    RSA
PKCS#11          Windows    RSA
PKCS#11          Linux      RSA, ECDSA
PKCS#11          macOS      RSA, ECDSA
CryptoTokenKit   macOS      RSA, ECDSA

For digest algorithms, SHA-256 is the standard hash algorithm used across all supported signing tools. The digest algorithm actually applied to a given signature is selected by the signing tool and its configuration (for example SignTool's /fd option or jarsigner's -digestalg option), not by Signum. Where a tool also takes a signature algorithm, it must match the key type: an RSA signature algorithm for RSA keys and an ECDSA one for ECDSA keys.

RSA Keys

Signum supports RSA key sizes of 2048, 3072, and 4096 bits across all interfaces and platforms. RSA 2048 is the minimum accepted key size and is compatible with all supported signing tools. RSA 3072 and RSA 4096 provide a higher security margin and are appropriate for long-lived certificates or deployments with extended validity requirements. Note that the CA/Browser Forum Code Signing Baseline Requirements have required at least RSA 3072 for publicly trusted code signing certificates issued since June 2021, so RSA 2048 is in practice limited to private PKI.

Which RSA key sizes are actually available depends on what the backing HSM supports.

ECDSA Keys

ECDSA keys are particularly relevant for IoT device signing, container image signing, and other use cases where smaller keys and lower computational overhead are requirements. Any tool that accesses Signum through the PKCS#11 interface on Linux or macOS, or through CryptoTokenKit on macOS, may use an ECDSA certificate in place of an RSA certificate, provided the certificate has been assigned to the signing user through a Signum policy. ECDSA is not available through the Windows interfaces (KSP, CSP, or PKCS#11 on Windows).

Supported ECDSA Curves

The following ECDSA curves are supported on the Signum backend:

Curve                    Alias / Note              Security strength
-----------------------  ------------------------  -----------------
NIST P-256 / secp256r1   prime256v1                128-bit
NIST P-384 / secp384r1   -                         192-bit
NIST P-521 / secp521r1   -                         256-bit
secp256k1                Bitcoin / Ethereum curve  128-bit
Brainpool P-256          brainpoolP256r1           128-bit
Brainpool P-384          brainpoolP384r1           192-bit
Brainpool P-512          brainpoolP512r1           256-bit

Which curves are actually available depends on what the backing HSM supports.
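The RSA Keys and ECDSA Keys sections above, together with the interface/algorithm table, amount to a compatibility rule: the key in the certificate must be RSA 2048/3072/4096 on any interface, or an ECDSA key on one of the listed curves, and ECDSA only through PKCS#11 on Linux/macOS or CryptoTokenKit. The script below turns that rule into a pre-flight check a pipeline can run against a certificate before it is bound to a signing job. It is an added example and not part of Signum: the function names and the interface shorthands (ksp, csp, pkcs11, ctk) are mine, it uses openssl to read the certificate, and it does not know whether the certificate has been assigned to the user by policy or whether the HSM behind Signum actually supports the size or curve.

```shell
#!/bin/sh
# Added example, not Signum's own code: pre-flight check that a certificate's public key
# can be reached through a given Signum interface on a given platform, using the
# interface/algorithm matrix, RSA size floor and curve list documented on this page.
# Requires openssl for the certificate inspection; the policy function itself does not.

# Print "rsa <bits>" or "ec <curve>" for the subject public key of a PEM certificate.
# Parses openssl's text dump; the lines used here are stable across OpenSSL 1.1.1 and 3.x.
cert_key_info() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    case $txt in
        *"Public Key Algorithm: rsaEncryption"*)
            bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
            echo "rsa $bits" ;;
        *"Public Key Algorithm: id-ecPublicKey"*)
            curve=$(printf '%s\n' "$txt" | sed -n 's/.*ASN1 OID: *\([A-Za-z0-9]*\).*/\1/p' | head -n 1)
            echo "ec $curve" ;;
        *)
            echo "unsupported public key algorithm in $1" >&2; return 1 ;;
    esac
}

# Return 0 if a key of the given type is usable through INTERFACE on PLATFORM.
#   $1 = ksp|csp|pkcs11|ctk   $2 = windows|linux|macos
#   $3 = rsa|ec               $4 = modulus bits (rsa) or curve name (ec)
signum_key_allowed() {
    iface=$1; plat=$2; alg=$3; param=$4
    case $iface/$plat in
        ksp/windows|csp/windows|pkcs11/windows) ecdsa_ok=no ;;   # RSA only
        pkcs11/linux|pkcs11/macos|ctk/macos)    ecdsa_ok=yes ;;  # RSA and ECDSA
        *) echo "$iface is not available on $plat" >&2; return 1 ;;
    esac
    case $alg in
        rsa)
            case $param in 2048|3072|4096) return 0 ;; esac
            echo "RSA $param is not supported (2048, 3072 or 4096 required)" >&2; return 1 ;;
        ec)
            if [ "$ecdsa_ok" != yes ]; then
                echo "ECDSA keys are not available through $iface on $plat" >&2; return 1
            fi
            case $param in
                prime256v1|secp256r1|secp384r1|secp521r1|secp256k1|\
                brainpoolP256r1|brainpoolP384r1|brainpoolP512r1) return 0 ;;
            esac
            echo "curve $param is not in the supported set" >&2; return 1 ;;
        *) echo "unknown key algorithm $alg" >&2; return 1 ;;
    esac
}

# Combine the two: $1 = certificate (PEM), $2 = interface, $3 = platform.
check_cert_for_interface() {
    info=$(cert_key_info "$1") || return 1
    set -- "$2" "$3" $info      # word-split "rsa 2048" / "ec prime256v1"
    signum_key_allowed "$1" "$2" "$3" "$4"
}

# Stand-alone use: ./keycheck.sh codesign.pem pkcs11 linux && echo "key is usable"
if [ $# -eq 3 ]; then
    check_cert_for_interface "$1" "$2" "$3"
fi
```

Running this against the certificate before the signing step turns the "ECDSA via KSP" or "RSA 1024 from an old CA" failures into a clear message at the start of the job rather than an opaque error from the signing tool. The check is deliberately conservative: a size or curve that passes here can still be refused by the HSM, and a certificate that passes still has to be assigned to the signing user by a Signum policy.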


Supported Signing Tools

The following table summarizes the signing tools known to be compatible with Signum, the interface each uses, and the platforms on which that configuration is supported:

Tool                                  Interface           Platform
------------------------------------  ------------------  ----------------------
Microsoft SignTool                    KSP                 Windows
Microsoft HLK                         KSP                 Windows
Microsoft Set-AuthenticodeSignature   KSP                 Windows
Microsoft ClickOnce                   KSP                 Windows
Jarsigner (KSP)                       KSP                 Windows
Jarsigner (PKCS#11)                   PKCS#11             Windows, Linux, macOS
OpenSSL                               PKCS#11             Linux, macOS
Jsign                                 KSP / PKCS#11       Windows, Linux, macOS
rpmsign                               PKCS#11 (via GPG)   Linux
dpkg-sig / debsign                    PKCS#11 (via GPG)   Linux
GPG commit signing                    PKCS#11 (via GPG)   Linux
macOS codesign                        CryptoTokenKit      macOS
macOS productsign, pkgbuild           CryptoTokenKit      macOS
Xcode (archive signing)               CryptoTokenKit      macOS
VBA signing for Office macros         KSP                 Windows
Adobe PDF signing                     KSP / PKCS#11       Windows, Linux, macOS
Container signing (Cosign)            PKCS#11             Linux

GPG-based tools use PKCS#11 indirectly through the gnupg-pkcs11-scd smart card daemon. For more information, see the guides for RPM signing, Debian package signing, and Git commit signing.

For step-by-step configuration instructions for each of these tools, see Integration & Signing Guides.