
Account settings

DigiCert® Software Trust Manager account settings give you control over key aspects of your code signing process, so you can tailor the product to your specific needs. In this section, you can fine-tune keypair management, configure release settings, set your CSV report preferences, and manage signature metadata to streamline your code signing workflow.

Teams

Teams is used to group users and restrict keypairs, projects, and releases to the team.

Note

You require the following permission to update the approval amount:

  • Manage all teams permission allows you to change the approval amount on any team in the account.

  • Manage my teams permission allows you to change the approval amount on any team in the account that you are a part of.

Enable Teams

You require the Manage license or Manage account settings permission to enable teams on your account.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Account settings > Teams.

  4. Select the edit icon.

  5. Select one or more of the following checkboxes under the Teams section based on your preference.

    1. Allow team mapping for keypairs and certificate profiles

    2. Allow keypair restriction to a team

  6. Select Update settings.

Disable Teams

You require the Manage license or Manage account settings permission to disable teams on your account.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Account settings > Teams.

  4. Select the edit icon.

  5. Deselect both of the following checkboxes under the Teams section.

    1. Allow team mapping for keypairs and certificate profiles

    2. Allow keypair restriction to a team

  6. Select Update settings.

Keypair preferences

A keypair refers to a public key and an associated private key.

To adjust your account settings for keypairs:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to Account > Account settings.

  4. In the Account section, select the edit icon.

  5. In the Keypairs section, you can edit the following account settings related to keypairs:

    Field

    Description

    Require keypair profile to generate keypair

    Select this checkbox to require users to select a keypair profile when creating a keypair. What are keypair profiles?

    User selection

    Select this checkbox to assign individual users to a keypair.

    User group selection

    Select this checkbox to assign user groups to a keypair. What are user groups?

    Algorithms

    Select to enable algorithms available to users in your account when creating a keypair:

    • RSA

      Rivest–Shamir–Adleman (RSA) is widely used and compatible with various systems and protocols. RSA is a trusted choice for applications requiring broad compatibility and established security practices.

    • ECDSA

      Elliptic Curve Digital Signature Algorithm (ECDSA) is suitable for resource-constrained environments like mobile devices and IoT devices. ECDSA provides strong security with shorter key lengths compared to traditional RSA.

    • EdDSA

      Edwards-curve Digital Signature Algorithm (EdDSA) offers strong resistance against various cryptographic attacks while maintaining efficiency. EdDSA is recommended for applications where security is paramount, such as digital signatures and secure communications.

    • MLDSA (Quantum-safe)

      Module-Lattice-Based Digital Signature Algorithm (MLDSA) is a quantum-safe approach to cryptographic security. It relies on the difficulty of solving lattice-based problems, which makes it resistant to attacks from quantum computers.

    • SLHDSA (Quantum-safe)

      Secure Lightweight Hash-based Digital Signature Algorithm (SLHDSA) is a quantum-safe approach to cryptographic security. It is designed to offer robust protection with minimal computational overhead. It leverages lightweight hash-based techniques to ensure security while optimizing performance, making it ideal for resource-constrained environments.

    Size/Curve

    Enable or disable the key sizes or curves available to users in your account when creating a keypair.

    The following key sizes are available for RSA algorithms:

    • 2048

      A 2048-bit key size is one of the most commonly used key sizes in asymmetric cryptography, particularly in RSA encryption.

    • 3072

      A 3072-bit key size provides higher cryptographic strength compared to 2048-bit keys.

    • 4096

      A 4096-bit key size offers the highest level of cryptographic security among the RSA options.

    Key curve Ed25519 is available for EdDSA.

    The following key curves are available for ECDSA algorithms:

    • P-192

      NIST P-192, also known as secp192r1, is an elliptic curve defined over a 192-bit prime field.

    • P-256

      NIST P-256, also known as secp256r1, is an elliptic curve defined over a 256-bit prime field. This curve has a higher security level than P-192 due to its longer key length.

    • P-384

      NIST P-384, also known as secp384r1, is an elliptic curve defined over a 384-bit prime field. This curve offers a significantly higher level of security compared to P-256, as it uses a longer key length and larger computational parameters.

    The following security levels are available for MLDSA algorithms:

    • MLDSA-44

      Represents a cryptographic strength equivalent to at least 128-bit symmetric encryption. This level of security is considered sufficient for many applications requiring strong security, such as protecting sensitive data and communications.

    • MLDSA-65

      Represents a higher cryptographic strength, equivalent to at least 192-bit symmetric encryption. Offers an increased security margin compared to MLDSA-44, making it suitable for applications with elevated security requirements.

    • MLDSA-87

      Represents an even higher cryptographic strength, equivalent to at least 256-bit symmetric encryption, surpassing the previous two levels and further increasing the work required of a potential attacker. Offers the highest level of security among the listed levels and is suitable for extremely sensitive applications requiring maximum protection against advanced cryptographic attacks.

    The following security levels are available for SLHDSA algorithms:

    • SHA2-128s

      Provides a cryptographic strength equivalent to 128-bit symmetric encryption, offering strong protection for general applications.

    • SHAKE-128s

      Offers an equivalent strength of 128-bit symmetric encryption, using SHAKE for flexible security parameters.

    • SHA2-128f

      Similar to SHA2-128s but optimized for faster performance.

    • SHAKE-128f

      Fast variant of SHAKE-128, balancing performance and security.

    • SHA2-192s

      Provides 192-bit symmetric encryption strength, suitable for applications demanding higher security.

    • SHAKE-192s

      Flexible security with 192-bit strength using SHAKE for adjustable output lengths.

    • SHA2-192f

      Fast variant of SHA2-192s, offering higher security with optimized performance.

    • SHAKE-192f

      Fast variant of SHAKE-192, optimized for performance in demanding applications.

    • SHA2-256s

      Offers 256-bit symmetric encryption strength, suitable for highly sensitive applications.

    • SHAKE-256s

      Uses SHAKE for flexible cryptographic output at a 256-bit strength.

    • SHA2-256f

      A faster version of SHA2-256s, providing maximum security with optimized performance.

    • SHAKE-256f

      Fast variant of SHAKE-256, ideal for highly sensitive environments requiring both strong security and high efficiency.

    Production key storage

    Select to enable storage options available to users in your account when creating a production keypair:

    • HSM

    • Disk

    Keypair type

    Select to enable keypair types available to users in your account when creating a keypair:

    • Production

      Used to sign software released to the public or production environments.

    • Test

      Used to sign software in development or test phases, using short-lived, private certificates.

      Note

      Test keypairs expire after a maximum of 30 days.

    Enable key rotations

    Select this checkbox to allow rotation of 2-10 keys and certificates. Learn more about key rotations.

    Enable dynamic keys

    Select this checkbox to allow dynamic keys. After a dynamic key has been used to sign, it is automatically deleted and replaced with a new keypair. Learn more about dynamic keys.

  6. Select Update settings.

Release preferences

Releases add a layer of key security by confining key use to specific approved timeframes, sometimes referred to as "release windows." Within these defined timeframes, you have comprehensive control over keypairs, the users authorized to sign, and the maximum number of signatures allowed.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Account settings.

  4. Scroll down to Releases.

  5. Select the edit icon.

  6. You can edit the following account settings related to releases:

    Field

    Description

    Comparison matches required

    Comparing releases allows you to confirm that multiple releases have matching code and to ensure that no bad actor or software has injected malicious code into your releases. Enter a value between 2 and 6 to set the number of matching releases required when completing a release comparison.

    Enable keypair types for releases

    Select or deselect the following types of keypairs that users are allowed to assign to a release:

    • Online

      Online keypairs can be used to sign at any time.

    • Offline

      Offline keypairs can only be used to sign during a release window.

    • Test

      Test keypairs can only be used for test signing.

    Release purpose

    Select how you would like to use your release workflow:

    • Sign

      Only use the release window to sign.

    • Detect threats

      Only use the release window to perform threat detection scans.

    • Detect threats then sign

      Use the release window to perform threat detection scans and then choose to sign based on the scan status.

    Block signing if the CI/CD status fails

    If the release purpose includes threat detection, select if you want to prevent signing if the threat detection scan status fails:

    • Yes

      Do not allow signing if the threat detection scan fails.

    • No

      Allow signing even if the threat detection scan fails.

    • Specify during release

      Let the user choose, while creating the release, whether a failed scan blocks signing.

    Restrict threat detection scans to releases

    Threat detection scans tied to a release trigger the approval process, whereas scans completed outside of a release do not require approval.

    • Yes

      Only allow threat detection scans during a release.

    • No

      Threat detection scans can be completed inside or outside of a release window.

  7. Select Update settings.
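The "Comparison matches required" setting above only counts identical releases; the check itself is a digest comparison across independently produced artifacts. The following is an added example, not code from DigiCert or from Software Trust Manager, that shows the logic the setting expresses: hash each build, count how many share one digest, pass only if that count reaches the configured value (2 to 6, as on the page), and name the builds that diverged. The build contents and agent names are constructed sample data.

```python
import hashlib
from collections import Counter

# Constructed sample artifacts standing in for the output of four independent
# build pipelines for the same release.  Three agree byte-for-byte; the fourth
# carries two extra bytes, the kind of silent difference a comparison is meant
# to catch.  (Sample data, not real build output.)
BUILD_OUTPUTS = {
    "agent-a": b"\x7fELF release-1.4.2 payload",
    "agent-b": b"\x7fELF release-1.4.2 payload",
    "agent-c": b"\x7fELF release-1.4.2 payload",
    "agent-d": b"\x7fELF release-1.4.2 payload\x90\x90",
}

MIN_MATCHES, MAX_MATCHES = 2, 6  # range the account setting accepts (from the page)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the comparison key for each artifact."""
    return hashlib.sha256(data).hexdigest()


def compare_releases(builds: dict, matches_required: int) -> dict:
    """Decide whether enough independent builds agree to clear the comparison.

    The release passes when at least `matches_required` artifacts share one
    digest.  Any artifact with a different digest is reported as an outlier so
    the build that diverged can be investigated instead of being signed.
    """
    if not MIN_MATCHES <= matches_required <= MAX_MATCHES:
        raise ValueError(f"matches required must be between {MIN_MATCHES} and {MAX_MATCHES}")
    if len(builds) < matches_required:
        raise ValueError("fewer builds supplied than matches required")

    digests = {name: sha256_hex(data) for name, data in builds.items()}
    counts = Counter(digests.values())
    agreed_digest, agreed_count = counts.most_common(1)[0]
    outliers = sorted(name for name, d in digests.items() if d != agreed_digest)
    return {
        "passed": agreed_count >= matches_required,
        "matches": agreed_count,
        "digest": agreed_digest,
        "outliers": outliers,
    }


if __name__ == "__main__":
    for required in (3, 4):
        result = compare_releases(BUILD_OUTPUTS, required)
        verdict = "PASS" if result["passed"] else "FAIL"
        print(f"matches required={required}: {verdict} "
              f"({result['matches']} matching, outliers={result['outliers']})")
```

With three agreeing builds the comparison passes at a requirement of 3 and fails at 4, and in both cases `agent-d` is reported as the outlier; raising the required count is therefore only useful if you also run that many independent builds.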

Signature metadata preferences

These settings provide flexibility and customization options when signing code or files. Depending on your security and verification requirements, you can enable or disable these options as needed to meet your specific needs.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Account settings.

  4. Select the edit icon.

  5. Scroll down to Signature metadata.

  6. You can edit the following account settings related to signature metadata:

    Field

    Description

    All

    Select this checkbox to include all the metadata below when signing.

    Checksum after signature

    Enabling this option generates and stores a checksum (a hash value) of the signed file after the code signing process. The checksum provides a way to verify the integrity of the file after it has been signed.

    Checksum before signature

    Enabling this option generates and stores a checksum before the code signing process. It can serve as a baseline for verifying the file's integrity before it was signed.

    Digest algorithm

    Enabling this option specifies the cryptographic hash algorithm used to create the hash value (checksum) for the file.

    File location

    Enabling this option includes the location or path where the signed file is saved after the code signing process is completed.

    File name

    Enabling this option lets you configure the name of the signed file, which determines what the file will be named once the signing process is done.

    Signing tool

    Enabling this option includes information about the tool or software used for code signing. It may include details about the version of the signing tool, its issuer, or other relevant information.

    Timestamp

    Enabling this option includes a timestamp in the digital signature. The timestamp indicates when the signature was applied to the file. It helps ensure the validity of the signature even if the certificate used for signing expires.

    Timestamp URL

    Enabling timestamping allows you to specify the URL of the timestamping authority or service that provides the timestamp. Timestamps are used to prove that the signature was applied at a particular time, which is important for long-term verification.

    Tip

    DigiCert timestamp URL is: http://timestamp.digicert.com

  7. Select Update settings.
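The metadata fields above are most useful when something downstream actually checks them. The following is an added example, not DigiCert code, that assembles a record with the fields described (checksum before and after signature, digest algorithm, file name and location, signing tool, timestamp and the timestamp URL given in the tip) and then verifies a delivered file against the post-signing checksum and a submitted copy against the pre-signing baseline. The file bytes, the appended "signature block" stand-in, the tool name and the path are constructed for the example; a real signature is embedded in a format-specific way and is not simulated here.

```python
import hashlib
import json
from datetime import datetime, timezone

# The timestamping authority URL is the one given on the page.
DIGICERT_TIMESTAMP_URL = "http://timestamp.digicert.com"

# Constructed sample file content and a stand-in for what signing appends.
# Real code signing embeds a CMS/PKCS#7 signature in a format-specific place;
# the appended marker only serves to make the "before" and "after" bytes differ.
UNSIGNED_FILE = b"MZ\x90\x00 constructed installer payload v1.4.2"
SIGNED_FILE = UNSIGNED_FILE + b"[stand-in signature block]"


def file_digest(data: bytes, algorithm: str) -> str:
    """Hex digest of `data` using a hashlib algorithm name such as 'sha256'."""
    return hashlib.new(algorithm, data).hexdigest()


def build_signature_metadata(unsigned: bytes, signed: bytes, *, file_name: str,
                             file_location: str, signing_tool: str,
                             signed_at: datetime, digest_algorithm: str = "sha256",
                             timestamp_url: str = DIGICERT_TIMESTAMP_URL) -> dict:
    """Assemble the metadata fields the account setting can record per signature.

    The two checksums are computed over different byte strings on purpose:
    'before' is the integrity baseline of what was submitted for signing,
    'after' is what a downstream consumer can recompute on the delivered file.
    """
    if signed_at.tzinfo is None:
        raise ValueError("signed_at must be timezone-aware so the record is unambiguous")
    return {
        "file_name": file_name,
        "file_location": file_location,
        "digest_algorithm": digest_algorithm,
        "checksum_before_signature": file_digest(unsigned, digest_algorithm),
        "checksum_after_signature": file_digest(signed, digest_algorithm),
        "signing_tool": signing_tool,
        "timestamp": signed_at.isoformat(),
        "timestamp_url": timestamp_url,
    }


def verify_signed_file(data: bytes, metadata: dict) -> tuple:
    """Recompute the post-signing checksum of a delivered file and compare it.

    Returns (ok, reason).  A mismatch means the bytes changed after signing
    (or the wrong artifact was shipped) and the file should not be deployed.
    """
    algorithm = metadata["digest_algorithm"]
    actual = file_digest(data, algorithm)
    if actual != metadata["checksum_after_signature"]:
        return False, f"{algorithm} mismatch: file differs from what was signed"
    return True, f"{algorithm} matches checksum recorded after signing"


def verify_submitted_file(data: bytes, metadata: dict) -> bool:
    """Check a copy of the unsigned input against the pre-signing baseline."""
    return file_digest(data, metadata["digest_algorithm"]) == metadata["checksum_before_signature"]


# Assumed values for the record; the tool name and path are illustrative only.
EXAMPLE_METADATA = build_signature_metadata(
    UNSIGNED_FILE, SIGNED_FILE,
    file_name="installer.exe",
    file_location="/artifacts/release-1.4.2/",
    signing_tool="example-signing-client 1.0",
    signed_at=datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_METADATA, indent=2))
    print(verify_signed_file(SIGNED_FILE, EXAMPLE_METADATA))
    print(verify_signed_file(SIGNED_FILE + b"\x00", EXAMPLE_METADATA))
```

The record stores the digest algorithm next to both checksums so a verifier never has to guess which hash to recompute; keeping the timestamp timezone-aware serves the same purpose as the CSV time zone setting further down this page.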

CSV report preferences

Select the time zone that should be used as the reference point for timestamps and time-related data in the reports. This is important because code signing activities may involve parties located in different parts of the world, and it ensures that all timestamps are consistent and accurate for users in different time zones.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Account settings.

  4. Select the edit icon.

  5. Scroll down to CSV export preferences.

  6. Select one of the following time zones for your CSV reports:

    1. UTC

    2. Local time zone

  7. Select Update settings.

Deployment risk levels

Deployment risk levels are predefined sets of policy controls that help you gradually improve your software security. Select a P0 level; if your threat detection scan satisfies all criteria for that level, the Threat detection scan status is PASS.

To set your deployment risk level:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Account settings.

  4. Select the edit icon.

  5. Scroll down to Deployment risk level.

  6. Select one of the following P0 levels:

    Levels

    Description

    L0

    Selecting this option disables RL levels and uses the default L5 scanning criteria.

    L1

    Selecting this option is suitable for CI/CD. The Threat detection scan only fails under the most extreme conditions, such as detection of:

    • Malware

    • Signature tampering

    • Leaked source code

    • Unencrypted keys

    • Build compromise

    L2

    The Threat detection scan will fail under the conditions of L1, as well as:

    • Riskware applications

    • Signing abuses

    • Private key leaks

    • CVE patching mandates

    L3

    Selecting this option is suitable for an automated software build process that runs daily, because it catches the most severe issues prior to release. The Threat detection scan will fail under the conditions of L1 and L2, as well as:

    • Unsafe loading practices

    • Signature coverage gaps

    • Embedded private keys

    • Malware exploited CVEs

    L4

    Threat detection scan will fail under the conditions of L1, L2, L3, as well as:

    • Code loading abuses

    • Revoked code signatures

    • Deprecated code signing

    • Actively exploited CVEs

    L5 (default)

    Selecting this option is recommended for software releases because it is the most secure level. Threat detection scan will fail under the conditions of L1, L2, L3, L4, as well as:

    • Executable code packers

    • Self-modifying executables

    • Critical severity CVEs

  7. Select Update settings.
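The levels above are cumulative: a scan run at L3 fails on any L1, L2 or L3 condition, and L0 falls back to the L5 criteria. The following is an added example, not DigiCert code and not the product's real scanner logic, that encodes the conditions as listed on this page and evaluates a set of findings under a selected level. It also reports the strictest level a build currently passes, which is the practical way to "gradually improve": pick that level, fix the findings blocking the next one, then move up. The finding labels are the page's own condition names written in lower case, and the sample findings are constructed.

```python
# Conditions listed on the page for each level; level N fails on its own
# conditions plus everything from the lower levels.
LEVEL_CONDITIONS = {
    1: {"malware", "signature tampering", "leaked source code",
        "unencrypted keys", "build compromise"},
    2: {"riskware applications", "signing abuses", "private key leaks",
        "CVE patching mandates"},
    3: {"unsafe loading practices", "signature coverage gaps",
        "embedded private keys", "malware exploited CVEs"},
    4: {"code loading abuses", "revoked code signatures",
        "deprecated code signing", "actively exploited CVEs"},
    5: {"executable code packers", "self-modifying executables",
        "critical severity CVEs"},
}
DEFAULT_LEVEL = 5  # L5 is the default and the level L0 falls back to


def effective_level(selected_level: int) -> int:
    """Map the selected L0..L5 to the level actually enforced (L0 means L5)."""
    if selected_level not in range(0, 6):
        raise ValueError("deployment risk level must be L0 through L5")
    return DEFAULT_LEVEL if selected_level == 0 else selected_level


def failing_conditions_at(level: int) -> set:
    """Cumulative set of conditions that fail a scan at `level`."""
    return set().union(*(LEVEL_CONDITIONS[n] for n in range(1, level + 1)))


def evaluate_scan(findings, selected_level: int) -> dict:
    """Return PASS/FAIL for a set of scan findings under the selected level,
    plus which findings caused a failure and which are outside the policy
    (unrecognised labels are surfaced rather than silently ignored)."""
    level = effective_level(selected_level)
    blocking = failing_conditions_at(level)
    known = failing_conditions_at(DEFAULT_LEVEL)
    triggered = sorted(f for f in findings if f in blocking)
    unrecognised = sorted(f for f in findings if f not in known)
    return {
        "status": "FAIL" if triggered else "PASS",
        "effective_level": level,
        "triggered": triggered,
        "unrecognised": unrecognised,
    }


def strictest_passing_level(findings):
    """Highest level L1..L5 the findings currently pass, or None if even L1 fails.

    Levels are cumulative, so once a level fails every higher level fails too.
    """
    passing = None
    for level in range(1, DEFAULT_LEVEL + 1):
        if evaluate_scan(findings, level)["status"] != "PASS":
            break
        passing = level
    return passing


# Constructed findings for one build: a packed executable (an L5 condition)
# and a riskware component (an L2 condition).  Not real scanner output.
SAMPLE_FINDINGS = {"executable code packers", "riskware applications"}

if __name__ == "__main__":
    for selected in (1, 2, 0):
        r = evaluate_scan(SAMPLE_FINDINGS, selected)
        print(f"L{selected} (enforced as L{r['effective_level']}): "
              f"{r['status']} {r['triggered']}")
    print("strictest passing level:", strictest_passing_level(SAMPLE_FINDINGS))
```

For the sample findings the build passes at L1 and fails from L2 upward, so L1 is where this build could be gated today; selecting L0 gives the same FAIL as L5, which is easy to overlook when reading the table.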