Developer guide

The DigiCert® Software Trust Manager Developer is responsible for:

Signing
Managing assets relating to signing
Releasing software

Create a keypair

A keypair is required to create a certificate and sign.

Example 1. Standard keypairs

A standard keypair refers to a public key and an associated private key. The public key encrypts data that only the associated private key can decrypt.

To create a standard keypair:

Sign in to DigiCert ONE.
In the Managers () menu, select Software Trust.
In the Software Trust menu, go to Keypairs > Keypairs.
Select Create keypair.
(Optional) To also create a certificate while you're creating a keypair, select Generate certificate.

Tip

For more detailed instructions, refer to standard keypair.

Example 2. GPG keys

Unlike standard keys, each GPG key includes a master key and associated subkeys. The master key should be used for creating subkeys, while the subkeys are used for signing. If a subkey is compromised, this will allow you to revoke and replace the affected subkey, while the master key and uncompromised subkeys remain secure.

Note

Technical support enables the use of GPG keys. However, if DigiCert ONE is hosted in-house, then a system scope admin with the Manage account settings permission can create a certificate template.

To create a GPG master key or subkey:

Sign in to DigiCert ONE.
In the Managers () menu, select Software Trust.
In the Software Trust menu, go to Keypairs > GPG keypairs.
Select Create master key or Create subkey.

Tip

For more detailed instructions, refer to GPG keys.

Create a certificate

A certificate is required to sign. If you have permission to generate certificates, then you can generate public or private code signing certificates.

Sign in to DigiCert ONE.
In the Managers () menu, select Software Trust.
In the Software Trust menu, go to Keypairs > Keypairs.
Hover over the desired keypair, and then select the more actions () icon.
Select Generate certificate.

Tip

For more detailed instructions, refer to Certificates.

View threat detection scans

You can review reports for threats detected in your software.

Tip

If you don't see threat detection in the left-side navigation menu, contact your account manager to add Threat detection to your service agreement.

Software Trust offers the following types of threat detection:

Example 3. Static binary analysis

Scan all components of your software before release to detect malware, vulnerabilities, secrets, and other risks in both your developer and third-party code.

If you've subscribed to use this service, the following documentation may be useful to you:

Example 4. Software composition analysis

Scan open-source components during development to help your team automatically track, manage, and fix licensing issues and vulnerabilities before release.

If you've subscribed to use this service, the following documentation may be useful to you:

Create a release (optional)

Releases protect keys by restricting their use to pre-approved dates and times. The pre-approved date and time selected for a release is referred to as a release window. Within a release window, organizations can control which keypairs to use, who can use them, and the maximum number of signatures to use.

Sign in to DigiCert ONE.
In the Managers () menu, select Software Trust.
In the Software Trust menu, go to Releases > Releases.
Select Create release.

Tip

For more detailed instructions, refer to Releases.

Sign your software (optional)

As a developer, if you want to sign, follow the instructions in the Signer's guide.

In this section: