Software development today is distributed, fast-moving, and increasingly heterogeneous. Enterprises build for Windows, Linux, macOS, iOS, containers, and cloud-native environments—often all at once. Yet the keys used to sign this code must remain centrally governed, tightly controlled, and backed by HSM-grade security.
Keyfactor SignServer and Signum are designed precisely for this challenge. Together, they give organizations a unified platform to centrally manage signing keys and securely sign software artifacts across every toolchain, operating system, and CI/CD pipeline.
The latest releases—SignServer 7.5 and Signum 4.6—push that vision forward in major ways, delivering new cross-platform signing capabilities, hybrid agent flexibility, modern authentication through OAuth, and a more intuitive documentation experience.
Here’s what’s new, and why it matters for teams building software at enterprise scale.
1. Native macOS Signing Arrives: A Milestone for Apple Ecosystem Developers
For years, customers have asked for a first-class way to sign Apple software using centrally managed, HSM-protected keys—without breaking native developer workflows.
With the official introduction of the new macOS agent, that moment has arrived.
The new agent integrates directly with the macOS and iOS toolchain, using Apple’s native Keychain and the trusted codesign and productsign utilities. Developers can continue working exactly as they do today, while organizations gain centralized governance and key security through Signum or SignServer.
What it enables:
-
Signing for macOS, iOS, and iPadOS apps using standard Apple tools
-
Full compatibility with Apple Keychain
-
Centralized HSM-backed key management across teams and platforms
-
Access for both Signum and SignServer Enterprise customers, thanks to the agent’s dual-backend capability
Why it matters:
Enterprise Apple development is growing rapidly. Being able to sign Apple binaries inside controlled, auditable, centrally secured workflows—without developers changing their tools—closes a long-standing gap in secure DevSecOps.
2. Hybrid Agent Architecture: Signing Flexibility for Every Build Pipeline
To support today’s distributed development environments—GitHub Actions, Jenkins, cloud pipelines, on-prem CI/CD, and everything in between—the Signum agent has been rearchitected from the ground up.
The result is a new hybrid agent design that works across:
-
macOS
-
Linux
-
(future) Windows
This hybrid architecture allows all agents to communicate with both Signum and SignServer, creating extraordinary deployment flexibility for large engineering organizations.
Key advantages:
-
Sign from any OS, using either backend
-
Consistent tooling and experience across macOS and Linux
-
Native signing using
OpenSSL,JARSigner, and more—without having to configure a purpose-built SignServer worker -
The upcoming Signum 4.7 release will extend PKCS#11 support, making it even easier to integrate with native tools like OpenSSL
Why it matters:
Development environments differ across teams—but governance requirements don’t. Hybrid agent support makes it easier to standardize secure signing across diverse pipelines without forcing teams into new tools.
3. OAuth Support for SignServer AdminWeb: Modern, Unified Authentication
Historically, accessing SignServer’s AdminWeb required certificate-based authentication. That ensured security, but also created friction—especially for teams without an established PKI or those wanting tighter integration with enterprise identity systems.
With SignServer 7.5, administrators can now authenticate using OAuth, starting with support for Auth0. More identity providers—such as Azure AD, Okta, or Ping—will follow in upcoming releases.
This means enterprises can now:
-
Log in with their existing IdP accounts
-
Manage users centrally
-
Apply MFA, conditional access policies, and identity governance
-
Harmonize access management across EJBCA, Signum, SignServer, and Command
Why it matters:
With OAuth, SignServer aligns with the authentication patterns enterprises already use everywhere else. This reduces the burden on administrators, improves auditability, and delivers a seamless, standards-based user experience.
4. Improved Developer & Admin Experience with the New SignServer Documentation Layout
With SignServer growing across more use cases and workflows, finding the right information quickly has become essential. The new documentation layout is tailored to match how users actually work.
The redesigned docs:
-
Highlight critical concepts for administrators (deployment, configuration, policies)
-
Streamline content for developers (client interfaces, signing flows, APIs)
-
Surface best practices and architectural guidance more clearly
-
Make onboarding new teams dramatically easier
Why it matters:
Powerful products must also be approachable. Making documentation more intuitive reduces time-to-value and helps organizations adopt secure signing practices more quickly.
A Unified Vision for Modern Enterprise Signing
With these updates, Keyfactor strengthens its leadership in secure, scalable enterprise signing. SignServer and Signum now offer:
-
True cross-platform signing, from Windows to Linux to Apple ecosystems
-
Hybrid agent architectures that fit real-world enterprise environments
-
Modern identity and access management via OAuth
-
Streamlined documentation and improved usability
In short: more flexibility for developers, more control for security teams, and more scalability for the business.
