Skip to main content

Product release PIC

The Product Release PIC prepares, governs, and oversees secure release-signing workflows for production software, firmware, containers, and related release artifacts. Users in this workflow validate signing capacity, authorized access, release windows, and recovery readiness so release signing remains secure, repeatable, auditable, and resilient at the required volume.

They ensure only approved identities, teams, releases, keys, certificates, signing environments, and workflows can produce trusted software artifacts while coordinating release execution with development, build/DevOps engineering, security, and compliance stakeholders.

Using Software Trust Manager, a Product Release PIC can:

  • Oversees release-scoped signing governance through projects, releases, teams, keypairs, and certificates.

  • Coordinate release readiness with developers, build engineers, and security teams.

  • Assign approved signers, teams, keypairs, certificates, and projects to releases.

  • Restrict signing by release window, signer, approval workflow, and signature limits.

  • Validate release execution through audit logs, signature logs, and release evidence.

  • Review approved and rejected signing activity before production release.

  • Coordinate CI/CD signing workflows where release processes extend beyond Software Trust Manager.

The Product Release PIC role typically needs the following Software Trust Manager permissions:

Category

Permission

Description

Notes

User settings

Default

View own user profile and generate own API key and client authentication certificate in DigiCert ONE.

Projects

View project

View projects associated with release-signing workflows.

Needed to confirm the correct project is tied to the release.

Releases

View release

View all releases in the account.

Required to review release scope, release windows, signing resources, and release status.

Releases

Create/Edit release

Create or update releases, including release scope, release window, ownership, and assigned signing resources.

Needed if the PIC is responsible for configuring release governance.

Teams

View team

View teams and assigned users or groups involved in release signing.

Helps validate signer access and separation of duties.

Keypairs

View keypair

View approved keypairs assigned to release-signing workflows.

Needed to confirm production releases use approved signing keys.

Certificates

View certificate

View certificates associated with approved signing keypairs.

Needed to validate certificate usage for production artifacts.

Audit logs

View audit log

View audit and signature logs to verify signer, keypair, certificate, artifact, and workflow evidence

Required for release evidence, compliance review, and troubleshooting failed or rejected signing attempts.

Signatures

Sign

Sign software with keypairs assigned to the user.

Required only if the Product Release PIC also performs signing

Approval workflows

View approval status

Review approval history and signing-request status where approval workflows are used

Needed to confirm approvals were completed before release signing.

The Product Release PIC persona typically needs permissions for Projects, Releases, Teams, audit logs, signature logs, release visibility, and signing governance controls.

  • Confirm the Product Release PIC has the required permissions for releases, projects, audit logs, and signing visibility.

  • Confirm approved keypairs, certificates, teams, and signing resources are available.

  • Identify release approval requirements and separation-of-duty policies.

  • Confirm CI/CD pipelines and signing integrations are operational.

  • Identify which release controls will be enforced through Software Trust Manager.

Releases provide governance controls around signing operations and help ensure only approved artifacts are released.

  1. Sign in to DigiCert ONE.

  2. Go to Releases > Releases.

  3. Create a release or select an existing release.

  4. Define release scope, release window, and ownership.

  5. Assign approved projects, teams, keypairs, and certificates.

Only approved signing resources should be available for production releases.

  1. Review approved keypairs and certificates.

  2. Verify team access and signer authorization.

  3. Map approved resources to the release.

  4. Validate production and development separation.

Release controls help enforce governance and separation of duties.

  1. Configure authorized signers.

  2. Define release windows.

  3. Configure signature limits where required.

  4. Enable request and approval workflows when policy requires approval.

  1. Coordinate with build engineers and DevOps engineers to ensure release artifacts are ready for signing.

  2. Confirm build success.

  3. Verify artifact availability.

  4. Validate CI/CD readiness.

  5. Confirm the release version and artifact integrity.

Approved artifacts can now be signed through authorized workflows.

  1. Initiate signing through CI/CD integrations or SMCTL.

  2. Verify successful signing operations.

  3. Review failed or rejected signing attempts.

  4. Confirm artifacts were signed with approved resources.

Auditability is a key responsibility of the Product Release PIC.

  1. Review audit logs.

  2. Review signature logs.

  3. Validate approval history.

  4. Capture release evidence for compliance and audit reviews.