Breadcrumbs

Signum Agents

Signum agents are lightweight components that bridge native operating system signing capabilities with the Signum SaaS platform. By using SignServer as the backend, the Signum Agents can access certificates stored in SignServer.

Agent Overview

The Signum Agents work by leveraging platform-native cryptographic interfaces, such as:

  • Windows: Key Storage Providers (KSP), Cryptographic Service Providers (CSP), and PKCS#11

  • Linux: PKCS#11

  • macOS: PKCS#11 and Keychain using CryptoTokenKit

For more information, see Interoperability.

The Windows Agent comes as an installable .msi and can be configured to operate with an interactive user interface or in a CLI server mode. The Linux Agent is available as a .deb or .rpm package and operates with a CLI only. The macOS Agent is installable as a package that includes a CLI tool for configuring the client.

The Agents are available as installable packages for Windows (.msi), Linux (.deb/.rpm), macOS, and as a container from the Signum SaaS Portal.

Once authenticated through an Agent, users or machines gain access to certificates governed by the roles and policies defined in Signum.

Outbound access to port 443 on the Signum server instance is required. Ensure your firewall permits this connection.

For guides on signing with these Agents, see Signing Guides.

Use Agents with SignServer

By using SignServer as the backend, the Signum Agents can access certificates stored in SignServer.

For setup information for the macOS and Linux Agents, see Signum Agents in the SignServer documentation.

The current version of Signum-util supports only configuring one backend at a time. You can set up either SignServer or Signum as the backend, but not both simultaneously.

Agent Upgrades

Agent binaries are available from the Signum SaaS Portal. For the supported Agents for your server version, see Supported Versions.

Depending on the platform and version, you can either upgrade in-place or uninstall and reinstall your Agent:

In-place Upgrade: In-place upgrades preserve the configuration. On some platforms, in-place updates are not supported and might leave the Agent in an inconsistent state.

Uninstall/Reinstall: When uninstalling the Agent, the existing configuration is purged. You need to run signum-util setup again after the new installation. However, the uninstall process does not remove any configuration stored on the keychain. If you want to ensure the configuration is deleted, run signum-util logout before uninstalling.

Platform

Recommended Upgrade Procedure

Linux DEB (Ubuntu, Debian)

From version 4.30.4, perform an in-place upgrade with dpkg -i. See Linux Agent | Agent Installation & Upgrade.

Linux RPM (RHEL, AlmaLinux, Rocky)

For versions 4.30.4 to 4.70.1, perform a complete uninstall and new installation. An in-place upgrade is not safe.

From version 4.80.1, use rpm -Uvh. See Linux Agent | Agent Installation & Upgrade.

macOS

Double-click the new .pkg and follow the installer. See macOS Agent | Agent Installation.

Windows

Uninstall the previous version, then install the new one. See Windows Agent | Installation.

In this section