Resources | Resources |



Securing Private Signing Keys

A signing authority has one or more key pairs that they use for the actual signing of applications. The private keys of those pairs must be kept confidential, or the whole signing operation can be compromised.

The practice and protection needed are similar to those for any public key operation, such as an SSL server or other code signing servers. This documentation describes only the particular characteristics for Brew MP signing and makes some suggestions about operational security. It is not a definitive step-by-step guide that, if followed, guarantees operational security. Those operating a signing authority should either have the necessary expertise to keep it secure, or obtain that expertise for hire.