Account settings
DigiCert® Software Trust Manager account settings feature gives you control over the key aspects of your code signing process, allowing you to tailor your experience to meet your specific needs. In this section, you can fine-tune your keypair management, configure release settings, personalize your CSV report preferences, and manage essential signature metadata to streamline your code signing workflow.
Teams
Teams is used to group users and restrict keypairs, projects, and releases to the team.
Note
You require one of the following permissions to update the approval amount:
Manage all teams: allows you to change the approval amount on any team in the account.
Manage my teams: allows you to change the approval amount on any team in the account that you are a member of.
Enable Teams
You require the Manage license or Manage account settings permission to enable teams on your account.
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Account settings > Teams.
Select the edit icon.
Select one or more of the following checkboxes under the Teams section based on your preference.
Allow team mapping for keypairs and certificate profiles
Allow keypair restriction to a team
Select Update settings.
Disable Teams
You require the Manage license or Manage account settings permission to disable teams on your account.
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Account settings > Teams.
Select the edit icon.
Deselect both of the following checkboxes under the Teams section:
Allow team mapping for keypairs and certificate profiles
Allow keypair restriction to a team
Select Update settings.
Keypair preferences
A keypair refers to a public key and an associated private key.
To adjust your account settings for keypairs:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Account settings.
Select the edit icon.
Scroll down to Keypairs.
You can edit the following account settings related to keypairs:
Keypair profile
Keypair profiles simplify keypair generation by preconfiguring values for all keypair options. For finer-grained profile controls, implement Teams. Keypair profiles are only enforced when enabled on your account. To activate keypair profiles, tick the box; to deactivate them, untick the box.
Key rotation
Key rotation lets you set up a cycle that rotates between 2 and 10 keys and certificates. The key changes automatically after a predetermined period of time and after each signing, so consecutive signings never use the same key and certificate. To activate key rotation, tick the box; to deactivate it, untick the box.
User selection
Enabling this feature allows you to assign individual users to a keypair. To activate user selection, tick the box; to deactivate it, untick the box.
User group selection
Enabling this feature allows you to assign user groups to a keypair. To activate user group selection, tick the box; to deactivate it, untick the box.
Dynamic key
When you create a dynamic keypair, you set the parameters of the keypair once. Every 15 minutes the current keypair and certificate are deleted and a replacement keypair and certificate are generated with the same parameters. This limits how long any one key is in use and adds an additional layer of security. To activate dynamic keys, tick the box; to deactivate them, untick the box.
Keypair type
Select the keypair format required by the system or application that will use the certificate. Many systems and software libraries accept either format, so the choice usually comes down to compatibility and whether a human-readable format is needed.
Algorithms
Add or remove the following algorithms that users are allowed to choose from when creating a keypair:
RSA
ECDSA
EdDSA
MLDSA (quantum-safe)
Production key storage
Add or remove the following storage options that users are allowed to choose from when creating production keys:
HSM
Disk
Select Update settings.
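The following Python is an added example, not DigiCert code and not the Software Trust Manager implementation. It models the rotation and dynamic-key policies described above: a pool of 2 to 10 keys, a different key for every signing, and regeneration of any key whose age has reached a chosen limit (900 seconds here, standing in for the 15-minute dynamic-key lifetime). Key generation is simulated with random bytes and the signature is an HMAC stand-in; in a real deployment the key material never leaves the HSM.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class KeySlot:
    key_id: str        # opaque identifier, stands in for a keypair/certificate ID
    secret: bytes      # simulated key material; a real slot is an HSM-resident key
    created_at: float  # seconds, from whatever clock the caller passes in


class RotationPool:
    """Round-robin pool of 2 to 10 keys.

    Every signing advances to the next slot, so two consecutive signings
    never use the same key.  A slot whose age has reached max_age is
    regenerated before it is used again (the dynamic-key behaviour).
    """

    def __init__(self, size: int, max_age: float, now: float = 0.0) -> None:
        if not 2 <= size <= 10:
            raise ValueError("pool size must be between 2 and 10 keys")
        self.max_age = max_age
        self._slots = [self._new_slot(i, now) for i in range(size)]
        self._cursor = 0

    @staticmethod
    def _new_slot(index: int, now: float) -> KeySlot:
        # Simulated key generation: random key material and a fresh ID.
        return KeySlot(f"slot{index}-{os.urandom(4).hex()}", os.urandom(32), now)

    def current_key_id(self) -> str:
        return self._slots[self._cursor].key_id

    def sign(self, payload: bytes, now: float) -> tuple[str, str]:
        """Sign payload with the current slot and advance the cursor.

        Returns (key_id, signature_hex) so the caller can record which key
        produced each signature.
        """
        slot = self._slots[self._cursor]
        if now - slot.created_at >= self.max_age:
            slot = self._new_slot(self._cursor, now)
            self._slots[self._cursor] = slot
        # HMAC stands in for the real RSA/ECDSA/EdDSA/ML-DSA signature.
        signature = hmac.new(slot.secret, payload, hashlib.sha256).hexdigest()
        self._cursor = (self._cursor + 1) % len(self._slots)
        return slot.key_id, signature


if __name__ == "__main__":
    pool = RotationPool(size=3, max_age=900.0)
    for t in range(5):
        key_id, sig = pool.sign(b"release-1.2.3.tar.gz", now=float(t))
        print(t, key_id, sig[:16])
```

The point to check in a real rotation setup is the same invariant the test below asserts: the key ID recorded for signing N differs from the one recorded for signing N+1, and a key older than the period is never reused.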
Release preferences
Releases protect keys by confining their use to specific approved timeframes, sometimes referred to as "release windows." Within these timeframes you have full control over which keypairs may be used, which authorized users can sign, and the maximum number of signatures allowed.
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Account settings.
Scroll down to Releases.
Select the edit icon.
You can edit the following account settings related to releases:
Comparison matches required
Comparing releases lets you confirm that multiple independently built releases contain matching code, so that a bad actor or compromised tool cannot inject malicious code into a single build unnoticed. Enter a value between 2 and 6 to set the number of matching releases required for a release comparison to succeed.
Enable keypair types for releases
Select or deselect the types of keypairs that users are allowed to assign to a release:
Online
Online keypairs can be used to sign at any time.
Offline
Offline keypairs can only be used to sign during a release window.
Test
Test keypairs can only be used for test signing.
Release purpose
Select how you want to use the release workflow:
Sign
Only use the release window to sign.
Detect threats
Only use the release window to perform threat detection scans.
Detect threats then sign
Use the release window to perform threat detection scans, then decide whether to sign based on the scan status.
Block signing if the CI/CD status fails
If the release purpose includes threat detection, select whether signing is prevented when the threat detection scan fails:
Yes
Do not allow signing if the threat detection scan fails.
No
Allow signing even if the threat detection scan fails.
Specify during release
Decide whether to block signing on a failed scan at the time each release is created.
Restrict threat detection scans to releases
Threat detection scans tied to a release trigger the approval process, whereas scans completed outside of a release do not require approval.
Yes
Only allow threat detection scans during a release.
No
Threat detection scans can be completed inside or outside of a release window.
Select Update settings.
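As an added example (not DigiCert code), the Python below expresses two of the release controls above as a gate a CI job could run before requesting a signature: it hashes several independently produced builds and checks that at least the configured number of them match (the "Comparison matches required" setting), then applies the release purpose and the block-signing-on-failure setting to decide whether signing may proceed. The build artifacts, purpose constants and status strings are constructed for the example and are not the product's API values.

```python
from __future__ import annotations

import hashlib
from collections import Counter

# Release purposes as named in the settings above (identifiers are ours).
SIGN = "sign"
DETECT = "detect_threats"
DETECT_THEN_SIGN = "detect_threats_then_sign"


def comparison_result(builds: dict[str, bytes], matches_required: int) -> tuple[bool, str]:
    """Return (enough_matches, majority_digest).

    builds maps a build name to its artifact bytes; the most common SHA-256
    digest must appear at least matches_required times (2 to 6).
    """
    if not 2 <= matches_required <= 6:
        raise ValueError("matches required must be between 2 and 6")
    if len(builds) < matches_required:
        raise ValueError("fewer builds than matches required")
    digests = Counter(hashlib.sha256(data).hexdigest() for data in builds.values())
    digest, count = digests.most_common(1)[0]
    return count >= matches_required, digest


def may_sign(purpose: str, scan_status: str | None, block_on_fail: bool) -> bool:
    """Apply the release purpose and the block-signing-on-failure setting."""
    if purpose == SIGN:
        return True                      # no scan involved
    if purpose == DETECT:
        return False                     # scan-only release window
    if purpose == DETECT_THEN_SIGN:
        if scan_status is None:
            return False                 # scan has not run yet
        if scan_status == "PASS":
            return True
        return not block_on_fail         # FAIL: allowed only when blocking is off
    raise ValueError(f"unknown release purpose: {purpose}")


def release_gate(builds, matches_required, purpose, scan_status, block_on_fail) -> dict:
    ok, digest = comparison_result(builds, matches_required)
    return {
        "comparison_ok": ok,
        "majority_digest": digest,
        "sign_allowed": ok and may_sign(purpose, scan_status, block_on_fail),
    }


if __name__ == "__main__":
    # Constructed sample: three reproducible builds agree, one was tampered with.
    builds = {
        "builder-a": b"app-1.4.0 contents",
        "builder-b": b"app-1.4.0 contents",
        "builder-c": b"app-1.4.0 contents",
        "builder-d": b"app-1.4.0 contents + injected payload",
    }
    print(release_gate(builds, 3, DETECT_THEN_SIGN, "PASS", True))
```

Note that the gate fails closed: a missing scan status never permits signing when the purpose includes threat detection, and too few matching builds blocks signing regardless of scan status.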
Signature metadata preferences
These settings provide flexibility and customization options when signing code or files. Depending on your security and verification requirements, you can enable or disable these options as needed to meet your specific needs.
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Account settings.
Select the edit icon.
Scroll down to Signature metadata.
You can edit the following account settings related to signature metadata:
All
Select this checkbox to include all of the metadata below when signing.
Checksum after signature
Enabling this option generates and stores a checksum (a hash value) of the signed file after the code signing process. The checksum lets you verify the integrity of the file after it has been signed.
Checksum before signature
Enabling this option generates and stores a checksum of the file before the code signing process. It serves as a baseline for verifying the integrity of the file as it was before signing.
Digest algorithm
Enabling this option records the cryptographic hash algorithm used to compute the hash value (checksum) of the file.
File location
Enabling this option records the location or path where the signed file is saved after the code signing process completes.
File name
Enabling this option records the name given to the signed file once the signing process is done.
Signing tool
Enabling this option records information about the tool or software used for code signing, such as the version of the signing tool, its issuer, or other relevant details.
Timestamp
Enabling this option includes a timestamp in the digital signature. The timestamp indicates when the signature was applied to the file, and it allows the signature to remain valid after the signing certificate expires, provided the certificate was valid at the time of signing.
Timestamp URL
Enabling timestamping lets you specify the URL of the timestamping authority or service that provides the timestamp. Timestamps prove that the signature was applied at a particular time, which is important for long-term verification.
Tip
The DigiCert timestamp URL is:
http://timestamp.digicert.com
Select Update settings.
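The Python below is an added example, not DigiCert's signer, showing what the metadata fields above record and how a verifier later uses them: it checksums the file before signing, appends a signature, checksums the result, and stores the digest algorithm, file name and location, signing tool, timestamp and timestamp URL alongside the artifact. The signature is an HMAC stand-in, the tool name is invented, and the timestamp is the local clock rather than a token fetched from the timestamp URL; a production signer obtains an RFC 3161 token from that URL so the signing time is attested by the timestamping authority instead of being asserted by the signer.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

DIGEST_ALGORITHM = "sha256"
SIGNING_TOOL = "example-signer/0.1"   # hypothetical tool name and version
SEPARATOR = b"\n-----SIGNATURE-----\n"


def checksum(data: bytes, algorithm: str = DIGEST_ALGORITHM) -> str:
    return hashlib.new(algorithm, data).hexdigest()


def sign_with_metadata(payload: bytes, key: bytes, file_name: str, file_location: str,
                       timestamp_url: str, now: datetime | None = None) -> tuple[bytes, dict]:
    """Sign payload and return (signed_bytes, metadata_record)."""
    before = checksum(payload)
    # HMAC stands in for the keypair signature; the signed file here is the
    # payload with the signature appended as a trailer.
    signature = hmac.new(key, payload, DIGEST_ALGORITHM).hexdigest().encode()
    signed = payload + SEPARATOR + signature
    when = now or datetime.now(timezone.utc)
    metadata = {
        "checksum_before_signature": before,
        "checksum_after_signature": checksum(signed),
        "digest_algorithm": DIGEST_ALGORITHM,
        "file_name": file_name,
        "file_location": file_location,
        "signing_tool": SIGNING_TOOL,
        "timestamp": when.isoformat(),   # local clock; a real signer embeds a TSA token
        "timestamp_url": timestamp_url,
    }
    return signed, metadata


def verify_metadata(signed: bytes, metadata: dict) -> bool:
    """Check the after-signature checksum of the artifact and the
    before-signature checksum of the payload it carries."""
    algorithm = metadata["digest_algorithm"]
    if not hmac.compare_digest(checksum(signed, algorithm),
                               metadata["checksum_after_signature"]):
        return False
    payload, separator, _ = signed.rpartition(SEPARATOR)
    if not separator:
        return False
    return hmac.compare_digest(checksum(payload, algorithm),
                               metadata["checksum_before_signature"])


if __name__ == "__main__":
    signed, record = sign_with_metadata(
        b"installer contents", key=b"demo-key", file_name="installer.exe",
        file_location="/srv/signed/installer.exe",
        timestamp_url="http://timestamp.digicert.com",
    )
    print(json.dumps(record, indent=2))
    print("verified:", verify_metadata(signed, record))
```

The before-signature checksum is what lets you prove that the bytes you signed are the bytes your build produced, while the after-signature checksum is what a downstream consumer compares against the file they downloaded; keeping both, with the algorithm named, is what makes an audit of a signing event reproducible.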
CSV report preferences
Select the time zone that should be used as the reference point for timestamps and time-related data in the reports. This is important because code signing activities may involve parties located in different parts of the world, and it ensures that all timestamps are consistent and accurate for users in different time zones.
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Account settings.
Select the edit icon.
Scroll down to CSV export preferences.
Select one of the following time zones for your CSV reports:
UTC
Local time zone
Select Update settings.
Deployment risk levels
Deployment risk levels are predefined sets of policy controls that help you tighten your software security gradually. Select a level; if your threat detection scan satisfies all criteria for that level, the scan status is PASS.
To set your deployment risk level:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Account settings.
Select the edit icon.
Scroll down to Deployment risk level.
Select one of the following deployment risk levels:
L0
Selecting this option disables deployment risk level selection and uses the default L5 scanning criteria.
L1
Selecting this option is suitable for CI/CD. The threat detection scan only fails under the most extreme conditions, such as detection of:
Malware
Signature tampering
Leaked source code
Unencrypted keys
Build compromise
L2
The threat detection scan fails under the conditions of L1, as well as:
Riskware applications
Signing abuses
Private key leaks
CVE patching mandates
L3
Selecting this option is suitable for an automated software build process that runs daily, because it catches the most severe issues prior to release. The threat detection scan fails under the conditions of L1 and L2, as well as:
Unsafe loading practices
Signature coverage gaps
Embedded private keys
Malware-exploited CVEs
L4
The threat detection scan fails under the conditions of L1, L2, and L3, as well as:
Code loading abuses
Revoked code signatures
Deprecated code signing
Actively exploited CVEs
L5 (default)
Selecting this option is recommended for software releases because it is the most secure level. The threat detection scan fails under the conditions of L1 through L4, as well as:
Executable code packers
Self-modifying executables
Critical severity CVEs
Select Update settings.
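As an added example rather than the threat detection product's own logic, the Python below encodes the cumulative structure of the levels: a scan fails at level N if it raises any condition listed under L1 through LN, and L0 defers to the L5 default. The finding category names are identifiers chosen for this example; the scanner's real finding taxonomy is not shown on this page.

```python
from __future__ import annotations

# Conditions per level, named for this example; each level adds to the
# conditions of the levels below it.
LEVEL_CRITERIA: dict[int, frozenset[str]] = {
    1: frozenset({"malware", "signature_tampering", "leaked_source_code",
                  "unencrypted_keys", "build_compromise"}),
    2: frozenset({"riskware", "signing_abuse", "private_key_leak",
                  "cve_patching_mandate"}),
    3: frozenset({"unsafe_loading", "signature_coverage_gap",
                  "embedded_private_key", "malware_exploited_cve"}),
    4: frozenset({"code_loading_abuse", "revoked_signature",
                  "deprecated_signing", "actively_exploited_cve"}),
    5: frozenset({"executable_packer", "self_modifying_executable",
                  "critical_cve"}),
}
DEFAULT_LEVEL = 5


def effective_level(level: int) -> int:
    """L0 means 'no explicit level': the default L5 criteria apply."""
    if not 0 <= level <= 5:
        raise ValueError("level must be L0 to L5")
    return DEFAULT_LEVEL if level == 0 else level


def failing_conditions(level: int) -> frozenset[str]:
    """Union of the conditions of L1 through the effective level."""
    top = effective_level(level)
    return frozenset().union(*(LEVEL_CRITERIA[i] for i in range(1, top + 1)))


def evaluate_scan(findings: set[str], level: int) -> tuple[str, frozenset[str]]:
    """Return ("PASS" | "FAIL", blocking findings) for the configured level."""
    blocking = frozenset(findings) & failing_conditions(level)
    return ("FAIL" if blocking else "PASS"), blocking


if __name__ == "__main__":
    # Constructed scan result: a packed executable that bundles riskware.
    findings = {"executable_packer", "riskware"}
    for level in range(0, 6):
        status, blocking = evaluate_scan(findings, level)
        print(f"L{level}: {status} {sorted(blocking)}")
```

The same findings pass at L1 and fail from L2 upward, which is the practical meaning of "gradually improve": start a pipeline at a low level so only the worst findings block, then raise the level as the backlog of lesser findings is worked off.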