Secured Code Signing at Scale for Apache Software Foundation

This case study outlines the challenges faced by the Apache Software Foundation (ASF) in managing code signing and SSL certificates for its 350 products and 6,000 developers globally. The organization sought to enhance security and streamline processes, leading to the adoption of DigiCert Software Trust Manager and DigiCert CertCentral Enterprise. The solutions provided ASF with a secure method for code signing, allowing developers to access signing keys without direct possession, thus minimizing authentication risks. Additionally, the case study describes how the new system enables on-demand SSL certificate issuance, significantly reducing the time required from days to minutes. The implementation also includes role-based access controls and comprehensive audit logs for monitoring activities. Overall, the solutions have improved the security and efficiency of ASF's operations, ensuring that end users can trust the software they download.