Security teams should treat signing keys as privileged NHI assets. Restrict who can use them, separate signing from deployment authority, store keys in controlled systems, and rotate or revoke them on a defined schedule. Without key governance, signing only proves that a trusted identity was compromised or misused.
Why This Matters for Security Teams
Signing keys in container pipelines are not ordinary build artifacts. They are privileged NHI assets that can authorize software release, code provenance, and downstream deployment trust. If a key can sign anything without strong governance, then an attacker who steals it can make malicious images look legitimate, bypassing controls that were meant to protect production. That risk is amplified by secret sprawl and weak lifecycle discipline, which NHIMG has documented in the Guide to the Secret Sprawl Challenge and in the CI/CD pipeline exploitation case study. NIST Cybersecurity Framework 2.0 reinforces the need to govern identity, access, and recovery as core security outcomes, not afterthoughts, which makes key custody a governance issue rather than only a DevOps concern. Security teams often underestimate how quickly exposed credentials are abused, because build systems are optimized for speed and automation rather than manual review. In practice, many security teams encounter signing-key misuse only after a trusted pipeline has already produced and distributed a malicious artifact.
How It Works in Practice
Effective signing-key governance starts with separating duties. The team that can trigger builds should not automatically be the team that can sign releases, and signing authority should be narrower than deployment authority. Treat the signer as a workload identity with a constrained trust boundary, not as a shared secret embedded in a pipeline script. Current guidance suggests using controlled key management systems, hardware-backed storage where feasible, and short-lived access paths to the signing function rather than exposing long-lived private keys directly to runners. That aligns with NIST Cybersecurity Framework 2.0 and with the operational lessons in NHIMG’s Reviewdog GitHub Action supply chain attack, where exposed automation expanded the blast radius of a compromised workflow.
A practical control set usually includes:
- Restricting signing keys to dedicated service accounts or HSM-backed services.
- Applying RBAC so only approved release paths can request signing.
- Using JIT access for humans who oversee exceptions or emergency signing.
- Rotating keys on a defined schedule and revoking them immediately after compromise.
- Logging every sign request, approval, and attestation for audit and forensics.
Where the pipeline supports it, separate build, test, sign, and deploy identities so each step has only the permissions it needs. That reduces the chance that one compromised job can both alter code and bless it. These controls tend to break down when signing is embedded in a shared CI template used across many repositories, because one misconfiguration can expose the same privileged key to every project.
Common Variations and Edge Cases
Tighter signing control often increases release overhead, requiring organisations to balance developer velocity against the need for provable release integrity. One common variation is keyless or ephemeral signing, where the pipeline uses short-lived identity assertions rather than a long-lived private key. That pattern can reduce secret exposure, but best practice is still evolving, and there is no universal standard for every platform or registry. Another edge case is emergency hotfix signing: teams may need break-glass procedures, but those should be time-bound, fully logged, and reviewed after the event. For regulated environments, the Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful for translating key governance into audit evidence, while the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs helps frame rotation, revocation, and retirement as lifecycle controls. The main tradeoff is that stronger key governance can slow release automation unless identity, approval, and attestation are designed together. These controls are hardest to sustain when multiple teams share a single signing service and exceptions become routine instead of rare.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Signing keys need rotation and revocation as privileged NHI credentials. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central to separating signing from deployment authority. |
| NIST Zero Trust (SP 800-207) | Zero trust supports runtime verification for pipeline signing requests. |
Set rotation cadence, revoke on compromise, and avoid long-lived shared signing keys.
