feat: add code-signing to PKI

backend/src/@types/fastify.d.ts

@@ -135,6 +135,7 @@ import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secre
 import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
+import { TSignerServiceFactory } from "@app/services/signer/signer-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
 import { TSuperAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
@@ -319,6 +320,7 @@ declare module "fastify" {
       pkiSync: TPkiSyncServiceFactory;
       pkiDiscovery: TPkiDiscoveryServiceFactory;
       pkiInstallation: TPkiInstallationServiceFactory;
+      signer: TSignerServiceFactory;
       secretScanning: TSecretScanningServiceFactory;
       license: TLicenseServiceFactory;
       trustedIp: TTrustedIpServiceFactory;

backend/src/@types/knex.d.ts

@@ -551,6 +551,12 @@ import {
   TServiceTokens,
   TServiceTokensInsert,
   TServiceTokensUpdate,
+  TSigners,
+  TSignersInsert,
+  TSignersUpdate,
+  TSigningOperations,
+  TSigningOperationsInsert,
+  TSigningOperationsUpdate,
   TSlackIntegrations,
   TSlackIntegrationsInsert,
   TSlackIntegrationsUpdate,
@@ -896,6 +902,12 @@ declare module "knex/types/tables" {
       TPkiDiscoveryScanHistoryInsert,
       TPkiDiscoveryScanHistoryUpdate
     >;
+    [TableName.Signers]: KnexOriginal.CompositeTableType<TSigners, TSignersInsert, TSignersUpdate>;
+    [TableName.SigningOperations]: KnexOriginal.CompositeTableType<
+      TSigningOperations,
+      TSigningOperationsInsert,
+      TSigningOperationsUpdate
+    >;
     [TableName.CertificateSync]: KnexOriginal.CompositeTableType<
       TCertificateSyncs,
       TCertificateSyncsInsert,

backend/src/db/migrations/20260309141236_code-signing-tables.ts

@@ -0,0 +1,76 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.Signers))) {
+    await knex.schema.createTable(TableName.Signers, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("projectId").notNullable().index();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.string("name", 64).notNullable();
+      t.string("description", 256).nullable();
+      t.string("status").notNullable().defaultTo("active");
+      t.uuid("certificateId").notNullable();
+      t.foreign("certificateId").references("id").inTable(TableName.Certificate).onDelete("RESTRICT");
+      t.uuid("approvalPolicyId").notNullable();
+      t.foreign("approvalPolicyId").references("id").inTable(TableName.ApprovalPolicies).onDelete("RESTRICT");
+      t.datetime("lastSignedAt").nullable();
+      t.timestamps(true, true, true);
+      t.unique(["projectId", "name"]);
+      t.index("certificateId");
+      t.index("approvalPolicyId");
+    });
+
+    await createOnUpdateTrigger(knex, TableName.Signers);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SigningOperations))) {
+    await knex.schema.createTable(TableName.SigningOperations, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("signerId").notNullable();
+      t.foreign("signerId").references("id").inTable(TableName.Signers).onDelete("CASCADE");
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.string("status").notNullable();
+      t.string("signingAlgorithm").notNullable();
+      t.string("dataHash", 128).notNullable();
+      t.string("actorType").notNullable();
+      t.uuid("actorId").notNullable();
+      t.string("actorName").nullable();
+      t.uuid("approvalGrantId").nullable();
+      t.foreign("approvalGrantId").references("id").inTable(TableName.ApprovalRequestGrants).onDelete("SET NULL");
+      t.jsonb("clientMetadata").nullable();
+      t.string("errorMessage").nullable();
+      t.datetime("createdAt").defaultTo(knex.fn.now()).notNullable();
+      t.index(["signerId", "createdAt"]);
+      t.index(["projectId", "createdAt"]);
+      t.index("approvalGrantId");
+    });
+  }
+
+  // Add granteeMachineIdentityId to approval_request_grants so grants can target machine identities
+  const hasCol = await knex.schema.hasColumn(TableName.ApprovalRequestGrants, "granteeMachineIdentityId");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.ApprovalRequestGrants, (t) => {
+      t.uuid("granteeMachineIdentityId").nullable().index();
+      t.foreign("granteeMachineIdentityId").references("id").inTable(TableName.Identity).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SigningOperations);
+  await dropOnUpdateTrigger(knex, TableName.Signers);
+  await knex.schema.dropTableIfExists(TableName.Signers);
+
+  const hasCol = await knex.schema.hasColumn(TableName.ApprovalRequestGrants, "granteeMachineIdentityId");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.ApprovalRequestGrants, (t) => {
+      t.dropIndex("granteeMachineIdentityId");
+      t.dropForeign(["granteeMachineIdentityId"]);
+      t.dropColumn("granteeMachineIdentityId");
+    });
+  }
+}

backend/src/db/schemas/approval-request-grants.ts

@@ -19,7 +19,8 @@ export const ApprovalRequestGrantsSchema = z.object({
   attributes: z.unknown(),
   createdAt: z.date().nullable().optional(),
   expiresAt: z.date().nullable().optional(),
-  revokedAt: z.date().nullable().optional()
+  revokedAt: z.date().nullable().optional(),
+  granteeMachineIdentityId: z.string().uuid().nullable().optional()
 });
 
 export type TApprovalRequestGrants = z.infer<typeof ApprovalRequestGrantsSchema>;

backend/src/db/schemas/index.ts

@@ -200,6 +200,8 @@ export * from "./secret-versions-v2";
 export * from "./secrets";
 export * from "./secrets-v2";
 export * from "./service-tokens";
+export * from "./signers";
+export * from "./signing-operations";
 export * from "./slack-integrations";
 export * from "./ssh-certificate-authorities";
 export * from "./ssh-certificate-authority-secrets";

backend/src/db/schemas/models.ts

@@ -259,6 +259,10 @@ export enum TableName {
   ApprovalRequestApprovals = "approval_request_approvals",
   ApprovalRequestGrants = "approval_request_grants",
 
+  // Code Signing
+  Signers = "signers",
+  SigningOperations = "signing_operations",
+
   QueueJobs = "queue_jobs"
 }
 

backend/src/db/schemas/signers.ts

@@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SignersSchema = z.object({
+  id: z.string().uuid(),
+  projectId: z.string(),
+  name: z.string(),
+  description: z.string().nullable().optional(),
+  status: z.string().default("active"),
+  certificateId: z.string().uuid(),
+  approvalPolicyId: z.string().uuid(),
+  lastSignedAt: z.date().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSigners = z.infer<typeof SignersSchema>;
+export type TSignersInsert = Omit<z.input<typeof SignersSchema>, TImmutableDBKeys>;
+export type TSignersUpdate = Partial<Omit<z.input<typeof SignersSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/signing-operations.ts

@@ -0,0 +1,28 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SigningOperationsSchema = z.object({
+  id: z.string().uuid(),
+  signerId: z.string().uuid(),
+  projectId: z.string(),
+  status: z.string(),
+  signingAlgorithm: z.string(),
+  dataHash: z.string(),
+  actorType: z.string(),
+  actorId: z.string().uuid(),
+  actorName: z.string().nullable().optional(),
+  approvalGrantId: z.string().uuid().nullable().optional(),
+  clientMetadata: z.unknown().nullable().optional(),
+  errorMessage: z.string().nullable().optional(),
+  createdAt: z.date()
+});
+
+export type TSigningOperations = z.infer<typeof SigningOperationsSchema>;
+export type TSigningOperationsInsert = Omit<z.input<typeof SigningOperationsSchema>, TImmutableDBKeys>;
+export type TSigningOperationsUpdate = Partial<Omit<z.input<typeof SigningOperationsSchema>, TImmutableDBKeys>>;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -652,7 +652,17 @@ export enum EventType {
   GET_PKI_INSTALLATION = "get-pki-installation",
   GET_PKI_INSTALLATIONS = "get-pki-installations",
   UPDATE_PKI_INSTALLATION = "update-pki-installation",
-  DELETE_PKI_INSTALLATION = "delete-pki-installation"
+  DELETE_PKI_INSTALLATION = "delete-pki-installation",
+
+  // Code Signing
+  CREATE_SIGNER = "create-signer",
+  UPDATE_SIGNER = "update-signer",
+  DELETE_SIGNER = "delete-signer",
+  GET_SIGNER = "get-signer",
+  GET_SIGNERS = "get-signers",
+  GET_SIGNER_PUBLIC_KEY = "get-signer-public-key",
+  GET_SIGNING_OPERATIONS = "get-signing-operations",
+  SIGNER_SIGN = "signer-sign"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -3610,6 +3620,74 @@ interface DeletePkiInstallationEvent {
   };
 }
 
+interface CreateSignerEvent {
+  type: EventType.CREATE_SIGNER;
+  metadata: {
+    signerId: string;
+    name: string;
+    certificateId: string;
+    approvalPolicyId: string;
+  };
+}
+
+interface UpdateSignerEvent {
+  type: EventType.UPDATE_SIGNER;
+  metadata: {
+    signerId: string;
+    name: string;
+  };
+}
+
+interface DeleteSignerEvent {
+  type: EventType.DELETE_SIGNER;
+  metadata: {
+    signerId: string;
+    name: string;
+  };
+}
+
+interface GetSignerEvent {
+  type: EventType.GET_SIGNER;
+  metadata: {
+    signerId: string;
+    name: string;
+  };
+}
+
+interface GetSignersEvent {
+  type: EventType.GET_SIGNERS;
+  metadata: {
+    count: number;
+    offset: number;
+    limit: number;
+  };
+}
+
+interface GetSignerPublicKeyEvent {
+  type: EventType.GET_SIGNER_PUBLIC_KEY;
+  metadata: {
+    signerId: string;
+    name: string;
+  };
+}
+
+interface GetSigningOperationsEvent {
+  type: EventType.GET_SIGNING_OPERATIONS;
+  metadata: {
+    signerId: string;
+    count: number;
+  };
+}
+
+interface SignerSignEvent {
+  type: EventType.SIGNER_SIGN;
+  metadata: {
+    signerId: string;
+    name: string;
+    signingAlgorithm: string;
+  };
+}
+
 interface OidcGroupMembershipMappingAssignUserEvent {
   type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER;
   metadata: {
@@ -5373,6 +5451,14 @@ export type Event =
   | GetPkiInstallationsEvent
   | UpdatePkiInstallationEvent
   | DeletePkiInstallationEvent
+  | CreateSignerEvent
+  | UpdateSignerEvent
+  | DeleteSignerEvent
+  | GetSignerEvent
+  | GetSignersEvent
+  | GetSignerPublicKeyEvent
+  | GetSigningOperationsEvent
+  | SignerSignEvent
   | OidcGroupMembershipMappingAssignUserEvent
   | OidcGroupMembershipMappingRemoveUserEvent
   | CreateKmipClientEvent

backend/src/ee/services/permission/default-roles.ts

@@ -11,6 +11,7 @@ import {
   ProjectPermissionCertificatePolicyActions,
   ProjectPermissionCertificateProfileActions,
   ProjectPermissionCmekActions,
+  ProjectPermissionCodeSigningActions,
   ProjectPermissionCommitsActions,
   ProjectPermissionDynamicSecretActions,
   ProjectPermissionGroupActions,
@@ -299,6 +300,17 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.PkiCertificateInstallations
   );
 
+  can(
+    [
+      ProjectPermissionCodeSigningActions.Read,
+      ProjectPermissionCodeSigningActions.Create,
+      ProjectPermissionCodeSigningActions.Edit,
+      ProjectPermissionCodeSigningActions.Delete,
+      ProjectPermissionCodeSigningActions.Sign
+    ],
+    ProjectPermissionSub.CodeSigners
+  );
+
   can(
     [
       ProjectPermissionKmipActions.CreateClients,
@@ -614,6 +626,10 @@ const buildMemberPermissionRules = () => {
 
   can([ProjectPermissionPkiDiscoveryActions.Read], ProjectPermissionSub.PkiDiscovery);
   can([ProjectPermissionPkiCertificateInstallationActions.Read], ProjectPermissionSub.PkiCertificateInstallations);
+  can(
+    [ProjectPermissionCodeSigningActions.Read, ProjectPermissionCodeSigningActions.Sign],
+    ProjectPermissionSub.CodeSigners
+  );
 
   can(
     [
@@ -698,6 +714,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionPkiSyncActions.Read, ProjectPermissionSub.PkiSyncs);
   can(ProjectPermissionPkiDiscoveryActions.Read, ProjectPermissionSub.PkiDiscovery);
   can(ProjectPermissionPkiCertificateInstallationActions.Read, ProjectPermissionSub.PkiCertificateInstallations);
+  can(ProjectPermissionCodeSigningActions.Read, ProjectPermissionSub.CodeSigners);
   can(ProjectPermissionCommitsActions.Read, ProjectPermissionSub.Commits);
 
   can(