Google Cloud KMS and Sectigo Code Signing: Advanced Key Management and Code Signing

Google Cloud KMS

Modern cloud environments demand robust cryptographic key security and trusted code signatures. Google Cloud Key Management Service (KMS) provides a scalable, fully managed service for creating, storing, and managing encryption and signing keys, while a Sectigo Code Signing certificate binds a verified publisher identity to your software through a digital signature. This post covers Google Cloud KMS architecture, its integration with Sectigo Code Signing, and practical implementation scenarios.

1. Google Cloud KMS Architecture

1.1. HSM Nodes and Key Protection
  • Cloud HSM (FIPS 140‑2 Level 3) offers a hardware‑secured environment for private key storage.
  • Supported key types:
    • Symmetric – AES‑256‑GCM / GCM‑SIV
    • Asymmetric – RSA‑2048/3072/4096, EC P‑256/P‑384/P‑521
  • Separation of control plane (management) from data plane (cryptographic operations) enables full audit via Cloud Audit Logs.
1.2. IAM Model and Authorization
  • Predefined and custom roles:
    • roles/cloudkms.admin – full access
    • roles/cloudkms.cryptoKeyEncrypterDecrypter – encrypt/decrypt only
    • roles/cloudkms.viewer – read‑only
  • Apply policies at project, folder, and organization levels for layered security.
1.3. Key Rotation and Recovery
  • Automatic rotation is configured via the rotationPeriod attribute (Cloud KMS supports automatic rotation for symmetric keys only; asymmetric signing keys are rotated by creating a new key version).
  • Key versions in the DESTROY_SCHEDULED state can be restored within the destroyScheduledDuration window (24 hours by default) before the key material is permanently destroyed.

2. Sectigo Code Signing – PKI Overview

2.1. Role in the Software Lifecycle
  • Guarantees publisher identity and code integrity.
  • Protects against tampering, man‑in‑the‑middle attacks, and OS security warnings.
2.2. Certificate Components
  • Private Key: secured locally or in HSM/Cloud KMS.
  • CSR (Certificate Signing Request): generated with tools like OpenSSL.
  • Trust Chain: root → intermediate → publisher certificate.

3. Integrating Google Cloud KMS with Sectigo Code Signing

3.1. Generate an Asymmetric Key in KMS
# The key is generated inside Cloud HSM and never leaves it.
gcloud kms keys create code-signing-key \
  --location=global \
  --keyring=signing-ring \
  --purpose=asymmetric-signing \
  --protection-level=hsm \
  --default-algorithm=rsa-sign-pkcs1-4096-sha256
3.2. Export the Public Key and Build the CSR
# Cloud KMS never exports the private key; only the public key is fetched.
gcloud kms keys versions get-public-key 1 \
  --key=code-signing-key \
  --keyring=signing-ring \
  --location=global \
  --output-file=code-signing-key.pub.pem

# A CSR must be signed by the private key itself, so it is built with OpenSSL
# through the Cloud KMS PKCS#11 library (libkmsp11), which forwards the signing
# operation to KMS. Engine setup and the KMS_PKCS11_CONFIG file are
# environment-specific; the subject below is a placeholder.
openssl req -new -engine pkcs11 -keyform engine \
  -key "pkcs11:object=code-signing-key" \
  -subj "/CN=Example Publisher/O=Example Ltd" \
  -out code-signing.csr
# Submit code-signing.csr to Sectigo
3.3. Obtain the Sectigo Certificate
  1. Submit CSR via our portal.
  2. After validation, download the certificate (PEM or PKCS#7).
3.4. Pair the Certificate with the Cloud KMS Key
# Cloud KMS stores keys, not certificates, and the private key created in 3.1
# is never re-imported. Keep the issued certificate and its chain next to the
# signing tooling, and confirm it carries the public key held in KMS:
openssl x509 -in sectigo-cert.pem -pubkey -noout > cert.pub.pem
openssl pkey -pubin -in cert.pub.pem -outform DER | sha256sum
openssl pkey -pubin -in code-signing-key.pub.pem -outform DER | sha256sum
# The two fingerprints must match.

Now the private key stays in Cloud KMS and the matching Sectigo certificate sits beside it, so the pair is ready for signing binaries.

4. Practical Scenario: CI/CD and Signing

  1. CI Pipeline (e.g., Jenkins, GitLab CI) builds the artifact.
  2. Signing step (gcloud hashes the file locally, so only the SHA‑256 digest is sent to KMS):
    gcloud kms asymmetric-sign \
      --location=global \
      --keyring=signing-ring \
      --key=code-signing-key \
      --version=1 \
      --digest-algorithm=sha256 \
      --input-file=myapp.jar \
      --signature-file=signature.bin

    # jarsigner cannot attach a detached signature. To embed the signature and
    # the Sectigo certificate chain in the JAR, point it at a PKCS#11 keystore
    # backed by the Cloud KMS PKCS#11 library (provider config path is
    # environment-specific):
    jarsigner -keystore NONE -storetype PKCS11 \
      -providerClass sun.security.pkcs11.SunPKCS11 \
      -providerArg /path/to/kms-pkcs11.cfg \
      -signedjar myapp-signed.jar \
      myapp.jar code-signing-key

  3. Verification (the detached signature covers the original artifact, so verify against myapp.jar, not the re-packaged signed JAR):
    gcloud kms asymmetric-verify \
      --location=global \
      --keyring=signing-ring \
      --key=code-signing-key \
      --version=1 \
      --digest-algorithm=sha256 \
      --input-file=myapp.jar \
      --signature-file=signature.bin

    # The embedded JAR signature is checked with jarsigner itself:
    jarsigner -verify -verbose myapp-signed.jar


5. Best Practices

  • Environment Isolation: separate keyrings for dev/test and prod.
  • Least Privilege IAM: grant the CI signing identity only roles/cloudkms.signer (or roles/cloudkms.signerVerifier if it must also fetch the public key); never cloudkms.admin or encrypter/decrypter roles on a signing key.
  • Monitoring: enable Cloud Audit Logs for all KMS operations.
  • Automated Rotation: set rotationPeriod to 30–90 days for symmetric keys; for the asymmetric signing key, rotate by creating a new key version and re-issuing the certificate for it.
  • Secure CSR Handling: generate and submit CSRs exclusively from HSM/Cloud KMS.
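As an added example (not code from the original post), the following Python check applies the HSM and least‑privilege points above offline: it audits the output of gcloud kms keys describe and gcloud kms keys get-iam-policy for a signing key. The allowed role set, the sample key and the sample policy are constructed assumptions.

```python
# Offline audit of a Cloud KMS code-signing key and its IAM policy. Input shapes
# follow `gcloud kms keys describe --format=json` and `gcloud kms keys
# get-iam-policy --format=json`; both samples below are constructed.
import json
# Roles that may appear on a code-signing key; anything else (admin,
# encrypter/decrypter, ...) is a finding. Assumption: no break-glass binding.
ALLOWED_ROLES = {
    "roles/cloudkms.signer",           # AsymmetricSign only
    "roles/cloudkms.signerVerifier",   # sign plus GetPublicKey
    "roles/cloudkms.publicKeyViewer",  # public key only, cannot sign
    "roles/cloudkms.viewer",           # metadata, read-only
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_KEY = json.loads("""{
  "name": "projects/example-project/locations/global/keyRings/signing-ring/cryptoKeys/code-signing-key",
  "purpose": "ASYMMETRIC_SIGN",
  "versionTemplate": {"algorithm": "RSA_SIGN_PKCS1_4096_SHA256", "protectionLevel": "SOFTWARE"}
}""")

SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.signer",
     "members": ["serviceAccount:ci-signer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["group:developers@example.com", "allUsers"]}
  ]
}""")

def audit_key(key):
    """Findings on the key resource: it must be an HSM-backed signing key."""
    findings = []
    if key.get("purpose") != "ASYMMETRIC_SIGN":
        findings.append("purpose is %s, expected ASYMMETRIC_SIGN" % key.get("purpose"))
    level = key.get("versionTemplate", {}).get("protectionLevel")
    if level != "HSM":
        findings.append("protectionLevel is %s, expected HSM" % level)
    return findings

def audit_policy(policy):
    """(role, member, reason) for every binding that breaks signer least privilege."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public principal on a signing key"))
            elif role not in ALLOWED_ROLES:
                findings.append((role, member, "role exceeds signer least privilege"))
    return findings
```

Run against the samples, audit_key flags the SOFTWARE protection level and audit_policy flags the admin binding, the encrypter/decrypter group and the public allUsers principal, while the CI service account's signer binding passes.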

Combining Google Cloud KMS with a Sectigo Code Signing certificate provides a secure, scalable end‑to‑end solution for key management and digital code signing. HSM‑grade security, granular IAM policies, and CI/CD integration deliver a robust workflow that meets stringent compliance and audit requirements.
