Overview
Signing provides release authorization and authenticity evidence for Enigm OS software delivery. The Enigm OS signing model distinguishes between:- Current Production OTA Manifest Signing Model.
- Target Production HSM Release-Signing Architecture.
Signing Authorities
Enigm OS separates signing authorities by purpose.Current Authority: OTA Manifest Signing Authority
The OTA Manifest Signing Authority authorizes OTA manifests and release metadata. This authority is responsible for:- Manifest authorization.
- Metadata authorization.
- Release metadata authenticity.
- Approval evidence for OTA release metadata.
Target Authority: Production Release-Signing Authority
The Production Release-Signing Authority is the target authority for production image and release artifact signing. This authority is intended to be responsible for:- Production image signing.
- OTA payload signing.
- Signing-critical release artifacts.
- Production release authorization.
Current Production OTA Manifest Signing Model
The current Enigm OS OTA model uses PIV-backed hardware security key offline manifest signing. This model provides:- Hardware-backed offline signing.
- Physical operator participation.
- Non-exportable key material.
- Manifest and metadata authorization.
- Separation from release-signing workflows.
Protected Signing Material
The manifest signing key must not be stored in:- Git repositories.
- CI/CD variables.
- Build scripts.
- Developer workstations.
- Online object storage.
- Release artifacts.
Relationship With Other OTA Controls
Manifest signing complements:- Transport authentication.
- Request authentication.
- Artifact verification.
- Rollout controls.
- Device eligibility.
- Remote attestation.
Target Production HSM Release-Signing Architecture
The target Enigm OS production release-signing architecture is designed to use a dedicated physical HSM. The target architecture is intended to support:- Non-exportable production keys.
- Release authorization.
- Production image signing.
- OTA payload signing.
- Signing-critical release artifacts.
- Dual control.
- Multi-party approval.
- Audit logs.
- Key ceremonies.
- Secure backup procedures.
- Release governance.
Production Signing Trust Boundary
Production signing must have a clear trust boundary.Inside The Trust Boundary
Inside the production signing trust boundary:- Physical HSM.
- Non-exportable private keys.
- Approved signing policies.
- Authenticated operators.
- Audit records.
- Key ceremonies.
Outside The Trust Boundary
Outside the production signing trust boundary:- Build systems.
- CI runners.
- Artifact repositories.
- OTA services.
- Developer workstations.
- Source repositories.
- Release scripts.
Signing Flow
The conceptual signing flow is:- Build artifacts are produced.
- Release pipeline prepares signing payloads.
- Operator approval occurs.
- Signing authority validates policy.
- Signing authority signs.
- Verification occurs.
- Release gates execute.
- Release is published.
Threat Model
The signing architecture is intended to mitigate:- Private key theft.
- CI compromise.
- Developer workstation compromise.
- Repository compromise.
- Unauthorized signing.
- Test-key misuse.
- Artifact replacement.
- Malicious source code.
- Authorized operator abuse.
- Misconfigured policy.
- Verification defects.
- Signing authority compromise.
Security Limitations
Hardware-backed signing acts as a release authorization root of trust. It does not replace:- Verified boot.
- Artifact verification.
- Remote attestation.
- Device eligibility.
- Rollout controls.
- OTA verification.
- Request authentication.
- Transport authentication.
- Manifest signing authority and release-signing authority must remain distinct.
- Signed metadata does not prove artifact integrity unless the artifact verification gates succeed.
- Signed artifacts do not prove that source code is free of vulnerabilities.
- Operator-mediated workflows still require governance and audit review.
- Hardware-backed signing does not prevent misuse by authorized operators.