Why Do You Need Code Signing?

To Counter Increasingly Complex IoT Supply Chain Attacks

Attack Vectors (Threat)

  • Firmware Tampering: Attackers implant backdoors in firmware images and take control of large numbers of endpoints at once.
  • Unauthorized Mass Production: Supply chain or production processes are abused to produce unauthorized cloned products that reach the market.
  • OTA Hijacking: Forged update packages trick devices into installing unapproved software.

CodeSign Defense Points (Control)

  • Source Verification: Only firmware and update packages signed with an authorized private key are accepted.
  • Production Boundary: Keys are stored in HSMs and signing is performed only through controlled APIs, reducing the risk of key leakage and misuse.
  • Integrity Check: Signatures are verified at boot and before an update is applied, so modified code is rejected before it ever runs.

R&D Compliance: CI/CD Within the Trust Boundary

Many companies keep signing private keys on CI servers or in engineers' environments for long periods, which creates inherent supply chain risk. Ciot removes the keys from CI/CD and centralizes their governance in an HSM + KMS, turning signing into a mandatory pipeline checkpoint (Policy Gate) that is auditable, traceable, and supports key rotation.

CodeSign × Secure Boot × Root of Trust

A complete chain of trust starts in hardware (Chain of Trust): each boot stage verifies the signature of the next software image before handing over execution.

CHANGING helps clients establish a software trust foundation on MCUs, SoCs, and endpoint devices that can be validated and managed over the long term. During boot, code is verified stage by stage starting from the Root of Trust (for example, the Boot ROM), and a stage whose signature does not verify is not executed. Secure Boot only checks that an image was signed with the expected key; whoever holds that key can produce images the device will accept. Without a governable Code Signing mechanism, therefore, Secure Boot cannot be fully enforced.

Production Line Code Signing Architecture

Extending trust to the production line so that the supply chain does not become a security gap (Factory as a Trust Boundary)

CHANGING’s architecture supports production-line-oriented secure signing, deployable at the development stage or at final assembly as needed. Keys are isolated and controlled through KMS and HSM, so private keys are never exposed during production operations.

  • Keys Never Touch the Floor: Signing private keys are stored in HSMs, not on production devices.
  • Authorized APIs: Manufacturing stations can only request signing through authorized APIs.
  • Trace & Audit: Every signing action is auditable, reducing the risk of malicious firmware insertion.

[Diagram: Secure IC Programming Integration. Production Station → API Gateway → HSM / KMS. Distributed Production × Centralized Key Governance × Fully Auditable]

HSM + KMS CodeSign Integration with CI/CD

The biggest advantage is seamless integration with existing CI/CD: private keys move from the CI server into the HSM and are centrally managed and audited through KMS, so the development process meets compliance requirements as a matter of course.

Why Is CI/CD a Critical Risk Point?

  • Signing private keys stored on CI servers, runners, or build VMs can be stolen, copied, and misused offline; a copied key is indistinguishable from the original to every device that trusts it.
  • Without enforced policies, unauthorized branches or personnel can still produce signed images that devices will accept as releases.
  • During an audit it is difficult to answer fully: who signed, what was signed, which key was used, and which version or work order it corresponds to.

Ciot Solution: HSM Protects Keys, KMS Manages Governance

HSM: Key Never Leaves
Private keys remain inside the HSM boundary; CI/CD only triggers signing through controlled interfaces.
KMS: Policy & Audit
Permissions, approvals, signing policies, audit trails, and key rotation are centrally managed, reducing human risk.
  • Integrate Existing CI/CD: Jenkins / GitLab CI / GitHub Actions / Azure DevOps can all be integrated via API or plugin.
  • Move Keys Out of CI Server: CI holds only short-lived tokens or tightly scoped client certificates for authenticating to the signing service, never the signing private key or any long-lived key.
  • Signing as Compliance Gate: Policy Gate is enforced before release, preventing unauthorized versions from being published.
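The CI/CD gate described in this section and the device-side verification described under CodeSign × Secure Boot × Root of Trust, as one runnable model. This is an added example, not CHANGING's or Ciot's code: the private key lives inside a SigningService (standing in for the HSM/KMS), CI sends only a digest plus its identity and release metadata, the policy gate rejects unapproved callers and branches, every attempt is written to an audit record, and the device side holds only the public key. Ed25519 over a SHA-256 digest, the service and type names, the key ID, and the caller and branch names are all assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Policy-gate errors. Every denial is also written to the audit trail.
var ErrUnauthorizedCaller = errors.New("policy gate: caller not authorized to request signing")
var ErrUnauthorizedBranch = errors.New("policy gate: branch not approved for release signing")

// SignRequest is all that crosses the CI -> signer boundary: caller identity (from the
// short-lived token the runner holds), release metadata and the image digest. No key travels.
type SignRequest struct {
	Caller, Branch, Version string
	Digest                  [32]byte // SHA-256 of the firmware image
}

// NewSignRequest hashes the image on the CI side so the signer only ever sees a digest.
func NewSignRequest(caller, branch, version string, image []byte) SignRequest {
	return SignRequest{Caller: caller, Branch: branch, Version: version, Digest: sha256.Sum256(image)}
}

// AuditRecord answers: who signed, what, with which key, for which version, and was it allowed.
type AuditRecord struct {
	When                                            time.Time
	Caller, Branch, Version, KeyID, Digest, Outcome string
}

// Policy is the enforced gate: only listed callers and branches obtain signatures.
type Policy struct{ AllowedCallers, AllowedBranches map[string]bool }

// SigningService stands in for the HSM/KMS side (hypothetical type). The private key is an
// unexported field that no method returns; callers receive signatures and audit records only.
type SigningService struct {
	keyID  string
	priv   ed25519.PrivateKey
	policy Policy
	audit  []AuditRecord
}

// NewSigningService generates the key inside the service and hands back only the public key,
// which is what gets embedded in the device's bootloader or OTA agent.
func NewSigningService(keyID string, p Policy) (*SigningService, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SigningService{keyID: keyID, priv: priv, policy: p}, pub, nil
}

// Sign enforces the policy gate, then signs the digest. Denied attempts are audited too.
func (s *SigningService) Sign(req SignRequest) ([]byte, error) {
	rec := AuditRecord{When: time.Now(), Caller: req.Caller, Branch: req.Branch, Version: req.Version,
		KeyID: s.keyID, Digest: hex.EncodeToString(req.Digest[:]), Outcome: "signed"}
	var err error
	switch {
	case !s.policy.AllowedCallers[req.Caller]:
		err = ErrUnauthorizedCaller
	case !s.policy.AllowedBranches[req.Branch]:
		err = ErrUnauthorizedBranch
	}
	if err != nil {
		rec.Outcome = "denied: " + err.Error()
	}
	s.audit = append(s.audit, rec)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(s.priv, req.Digest[:]), nil
}

// Audit returns a copy of the audit trail.
func (s *SigningService) Audit() []AuditRecord { return append([]AuditRecord(nil), s.audit...) }

// VerifyImage is the device side: recompute the digest and check the signature against the
// embedded public key. One changed byte changes the digest and the check fails.
func VerifyImage(pub ed25519.PublicKey, image, sig []byte) bool {
	d := sha256.Sum256(image)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	policy := Policy{AllowedCallers: map[string]bool{"ci-release-runner": true}, AllowedBranches: map[string]bool{"release/1.x": true}}
	svc, pub, err := NewSigningService("fw-signing-key-01", policy) // hypothetical key ID
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 1.4.2") // constructed sample, not a real image
	sig, err := svc.Sign(NewSignRequest("ci-release-runner", "release/1.x", "1.4.2", image))
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01 // one-bit implant
	fmt.Println("release image verifies:", VerifyImage(pub, image, sig))
	fmt.Println("tampered image verifies:", VerifyImage(pub, tampered, sig))
	_, err = svc.Sign(NewSignRequest("ci-release-runner", "feature/experimental", "1.4.3", image))
	fmt.Println("feature branch:", err)
	for _, r := range svc.Audit() {
		fmt.Printf("%s %s %s %s key=%s outcome=%s\n", r.When.Format(time.RFC3339), r.Caller, r.Branch, r.Version, r.KeyID, r.Outcome)
	}
}
```

Two design points carry over to a real deployment: the signer takes a digest rather than the whole image, so the HSM API stays small and the image never needs to leave the build environment; and denied requests are logged with the same fields as successful ones, because an audit that records only what was signed cannot show who tried to sign what they were not allowed to.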

[Figure: CI/CD Code Signing Governance Pipeline Steps]

Industrial / OT Long Lifecycle Governance

Security design for equipment with 10–20 year operational lifespan

Certificate & Signing Governance

Integrates CLM (Certificate Lifecycle Management) to handle renewals, revocations, and rotations, supporting long-term maintenance while reducing human risk.

CLM Certificate Lifecycle Management
Crypto-Agility

Supports smooth algorithm upgrades and provides a PQC (Post-Quantum Cryptography) migration path, so signing remains defensible and compliant over the device's lifetime. Note that the verifier in the first boot stage is usually fixed in ROM, so the algorithms and key slots it will accept must be chosen with that migration in mind.

PQC Solution
Stability & Compatibility Verification

Provides compatibility verification strategies for legacy firmware and existing devices, so that security upgrades do not cause unexpected industrial system downtime and operations remain stable.

Use Cases & Examples

Providing a secure foundation for various development, production, and operational scenarios

DevOps / SecOps

Integrate CI/CD, moving private keys from CI Server to HSM, governed and audited via KMS

Secure OTA Updates

Signed update packages with source verification and anti-tampering protection

MCU / SoC Signing

Compliant with chip vendors’ Secure Boot specifications

Communication & Industrial Devices

Supports IEC 62443 and related network security requirements

Compatibility & Integration List

Supported Semiconductor Platforms
Aligns with mainstream MCU/SoC Secure Boot specifications and signing formats, and can integrate each platform's project-specific signing tools and packaging processes.
Supports firmware signing and verification for embedded OSes (RTOS / Embedded Linux) at both the kernel and application layers, and can integrate with OTA platform workflows. For ecosystems such as Matter, extends support to Secure OTA / firmware image signing and verification, and can integrate DAC/PKI frameworks as needed.

International Compliance & Standards Alignment

Helping enterprises address supply chain security and product cybersecurity requirements

Standard / Regulation | Code Signing Correspondence | Implementation Goals & Benefits
IEC 62443-4-2 | Software Integrity & Authenticity | Ensures that industrial control components' software is from a verifiable source and intact, reducing the risk of unauthorized updates and tampering.
EU CRA (reference extension) | Secure Development / Update Integrity | Establishes auditable signing and update governance processes, supporting long-term maintenance and supply chain risk control.
NIST FIPS 140-3 (HSM optional) | Cryptographic Key Protection / Key Custody | Compliant HSMs together with governance design strengthen key protection and satisfy audit requirements.
Secure SDLC / Supply Chain Governance (extension) | CI/CD Signing Gate / Release Traceability | Integrates signing into the pipeline as an enforced gate so that releases are traceable and auditable, reducing inherent supply chain risk.

Why Choose CHANGING?

Key Never Leaves HSM

Private keys remain within the HSM security boundary throughout the signing process, reducing leakage and misuse risks while ensuring key sovereignty and auditability.

API / Automated Governance

Provides highly available API interfaces that can be directly embedded into existing CI/CD and production workflows, turning signing into an enforced Policy Gate while retaining full audit trails.

Mass Production & OT Practice

Offers governance-ready designs for mass production and long-term maintenance scenarios (audit, rotation, revocation, compatibility verification), so that the solution can be deployed and operated sustainably.

Establish the Digital Root of Trust for Your Devices

CHANGING's consulting team will help you assess your current R&D and production workflows, plan a Code Signing governance framework (HSM / KMS / CLM) that aligns with international standards, and provide guidance for CI/CD integration and practical implementation.