sgcSign Server
A self-hosted remote code-signing daemon that wraps the sgcSign engine behind a REST API, a Bootstrap web admin console, and ready-made CI/CD pipelines.
A single Windows host accepts signing requests from build agents, developers, and CI pipelines — with full audit, approvals, and metrics built in.
TLS-secured /api/v1 endpoints for signing, verification, health, metrics, and approval workflows. Stable, machine-friendly contract for build agents and SDKs.
Bootstrap-based /admin UI for users, API keys, providers, projects, audit, approvals, webhooks, and metrics. Operators never need to edit JSON.
Inno Setup wizard or zip-drop. The daemon registers itself as a Windows service, terminates TLS itself, and runs unattended on a hardened host.
Each project isolates a subset of providers, API keys, audit visibility, and approval queues. Several teams share one server without seeing each other's signing material.
The requesting API key submits the file exactly as for a direct sign, an admin or project admin approves or rejects it (in the admin console or through the approval API), and only then are the bytes signed. The SHA-256 hash and file size are locked into the request, so what gets signed is exactly what was reviewed.
Every action — sign, verify, login, approval, webhook fire — is appended to a hash-chained audit log. Tampering is detectable; SIEM scraping is straightforward.
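What "hash-chained" buys you is that an exported log can be checked record by record. The verifier below is an added example, not the server's own code, and it assumes a record layout the page does not spell out: JSON objects carrying `seq`, `prev_hash` and `hash`, where `hash` is SHA-256 over the canonical JSON of the other fields and the first record links to 64 zeros. The sample events are constructed for the demo, not captured server output.

```python
"""Verify a hash-chained audit log exported from the server.

Added example, not the server's own verifier. The record layout (JSON objects
with seq, prev_hash and hash fields, SHA-256 over the canonical JSON of the
other fields, genesis link of 64 zeros) is assumed; the page only states that
the log is hash-chained.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed link for the first record


def canonical(record: dict) -> bytes:
    """Deterministic encoding of every field except the record's own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append an event, linking it to the previous record's hash."""
    rec = dict(event)
    rec["seq"] = len(log)
    rec["prev_hash"] = log[-1]["hash"] if log else GENESIS
    rec["hash"] = record_hash(rec)
    log.append(rec)
    return rec


def verify_chain(log: list):
    """Return (True, None), or (False, index) for the first record that breaks the chain."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if (rec.get("seq") != i
                or rec.get("prev_hash") != prev
                or rec.get("hash") != record_hash(rec)):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_log() -> list:
    """Constructed events covering the action types the page lists (not real server output)."""
    log = []
    append(log, {"event": "login", "user": "alice", "result": "ok"})
    append(log, {"event": "sign", "project": "production", "format": "authenticode",
                 "file_sha256": "a" * 64, "size": 1048576, "api_key": "ci-runner-01"})
    append(log, {"event": "approval", "request": 17, "decision": "approved", "by": "bob"})
    append(log, {"event": "webhook", "target": "siem", "attempt": 1, "status": 200})
    return log


def tamper_demo() -> dict:
    """Show that both editing a record and deleting one are detected."""
    log = build_sample_log()

    edited = copy.deepcopy(log)
    edited[1]["file_sha256"] = "b" * 64   # rewrite what was signed

    removed = copy.deepcopy(log)
    del removed[2]                         # drop the approval record

    return {"intact": verify_chain(log),
            "edited": verify_chain(edited),
            "removed": verify_chain(removed)}


if __name__ == "__main__":
    print(tamper_demo())
```

The chain proves internal consistency only: truncating the tail, or rewriting the last record and recomputing its hash, still verifies. Detect that by anchoring the head hash out of band, which is exactly what continuous SIEM scraping gives you, since the SIEM holds a copy of every record the server emitted.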
Sign / verify / approval counters, signing-latency histograms, provider-availability gauges. Direct Prometheus 0.0.4 text exposition with no extra database to manage.
13 lifecycle events delivered with X-Sgcsign-Signature: sha256=…. Three-attempt retry queue keeps SIEM, chat, and ticketing systems in sync.
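A receiver must check X-Sgcsign-Signature before acting on an event, and it must check it over the raw request bytes, not over re-serialised JSON. The handler below is an added example, not the server's or any shipped integration's code. It assumes the header carries an HMAC-SHA256 of the body keyed with a per-webhook shared secret, encoded as `sha256=<hex>`; the page shows only the header's shape, and the event name and payload in the demo are constructed.

```python
"""Receive sgcSign webhooks and verify X-Sgcsign-Signature before trusting the body.

Added example, not the server's own code. Assumes the header carries an
HMAC-SHA256 of the raw request body keyed with a per-webhook shared secret,
encoded as "sha256=<hex>"; the page only shows the header's shape.
"""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"replace-with-the-webhook-secret"  # assumed: one shared secret per webhook


def compute_signature(secret: bytes, body: bytes) -> str:
    """Produce the header value the sender is assumed to emit."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Constant-time check of the header against the raw body bytes."""
    if not header_value:
        return False
    scheme, sep, digest = header_value.partition("=")
    if sep != "=" or scheme.strip().lower() != "sha256" or len(digest.strip()) != 64:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest.strip().lower())


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        # Verify the exact bytes on the wire; never re-serialise parsed JSON.
        if not verify_signature(SECRET, body, self.headers.get("X-Sgcsign-Signature")):
            self.send_response(401)
            self.end_headers()
            return
        event = json.loads(body)
        # Forward to SIEM / chat / ticketing here; a 2xx stops the sender's retry queue.
        self.log_message("accepted event %s", event.get("event"))
        self.send_response(204)
        self.end_headers()


def demo() -> dict:
    """Constructed sample delivery (event name and fields are assumed, not captured)."""
    body = json.dumps({"event": "sign.completed", "project": "production",
                       "file_sha256": "ab" * 32}).encode()
    good = compute_signature(SECRET, body)
    return {
        "valid": verify_signature(SECRET, body, good),
        "tampered_body": verify_signature(SECRET, body.replace(b"production", b"staging"), good),
        "wrong_secret": verify_signature(b"other-secret", body, good),
        "bad_scheme": verify_signature(SECRET, body, "sha1=" + good[len("sha256="):]),
        "missing": verify_signature(SECRET, body, None),
    }


if __name__ == "__main__":
    print(demo())
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Return 401 rather than 200 on a bad signature so the three-attempt retry queue does not treat a forged or corrupted delivery as delivered; a forged event that slips through could, for example, mark a signing request as approved in a downstream ticket.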
The same engine that ships in the library, exposed through the REST API. Every country profile, every signature level.
XML signatures for VeriFactu, FatturaPA, Facturae, KSeF, e-Factura, Peppol, myDATA and EU employment contracts. POST /api/v1/sign/xades.
PAdES-Basic PDF signatures with incremental updates that preserve original content. Visible or invisible signatures. POST /api/v1/sign/pades.
CMS / PKCS#7 detached or attached signatures for arbitrary binary data. Timestamp + long-term validation. POST /api/v1/sign/cades.
The signing daemon talks to whichever cert source you configure: Windows store, PFX, PKCS#11 hardware token, Azure Trusted Signing, AWS KMS, Google KMS.
Sign .exe, .dll, .msi, .cab, .cat, .ocx, .sys. Hash-only mode lets low-bandwidth runners exchange a few dozen bytes for an 8 KB PKCS#7 blob.
Sign ClickOnce manifests (.application / .manifest) so Windows clients install without trust prompts. POST /api/v1/sign/clickonce.
Sign .nupkg packages so the NuGet client validates publisher identity. Author and repository signatures supported. POST /api/v1/sign/nuget.
Sign Visual Studio extension packages so VS Marketplace and the IDE itself accept them as trusted. POST /api/v1/sign/vsix.
Build agents call a stable REST endpoint instead of installing signing certificates on every runner.
Composite action posts the artefact to the server's REST API. Token issued by the web admin, scoped to a project, never leaves the runner secret store.
Pipeline task runs the sgcSign CLI client, which uploads the binary, polls for approval if required, and downloads the signed result — all in one step.
Declarative-pipeline snippet using curl or the bundled CLI. Works with both Linux and Windows agents; signature appears as a build artefact.
Image with the daemon and a sample provider config. Run the container, mount your TLS cert + provider secrets, and you have a portable signing service.
Deploy on Kubernetes for fully redundant, scaled-out signing. Pair with cloud KMS (Azure Trusted Signing, AWS KMS, Google KMS) for keyless pods.
A single Windows service terminates TLS, exposes /api/v1 + /admin, and reaches out to the configured key provider on every call. Key material never lives in the database.
/api/v1 over HTTPS with a bearer API key.
/admin in any browser. Bootstrap UI, session cookies, role-based access.
+----------------------------+
| Build agents / CI / CLI |
+-------------+--------------+
|
| HTTPS (TLS 1.2/1.3)
v
+-------------------------------------------+
| sgcSignServer.exe (Windows service) |
| /api/v1/* (signing, verify, health) |
| /admin/* (web console, sessions) |
+---+-----------------+---------------------+
| | |
v v v
+-----------------+ +---------------+ +-----------+
| SQLite DB       | | KeyProviders  | | Webhooks  |
| (audit/API keys)| | PFX/HSM/KMS   | | (outbound)|
+-----------------+ +---------------+ +-----------+
curl Away
A bearer API key, a multipart upload, and the signed binary streams back in the response body (to stdout, or to a file with -o). Authenticode, CAdES, PAdES, XAdES, ClickOnce, NuGet, VSIX share the same shape.
X-API-Key or Authorization: Bearer — either auth method works.
X-Project selects the tenant; the key must be authorised for the project.
X-Sgcsign-Signer-Subject + X-Sgcsign-Duration-Ms for log correlation.
# Authenticode-sign MyApp.exe via the REST API
# --fail: a 4xx/5xx error body must never be saved as MyApp-signed.exe
curl --fail --silent --show-error -X POST https://sign.example.com/api/v1/sign \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Project: production" \
  -F "format=authenticode" \
  -F "file=@./MyApp.exe" \
  -D response-headers.txt \
  -o MyApp-signed.exe
# Headers returned by the server (captured in response-headers.txt)
# X-Sgcsign-Signer-Subject: CN=ACME Corp, O=ACME, C=US
# X-Sgcsign-Duration-Ms: 312
From a fresh Windows host to the first signed artefact in under five minutes.
Run the bundled Inno Setup wizard or drop the zip into a folder. The daemon registers itself as a Windows service called sgcSignServer. Bind to :8443 and load your TLS certificate.
Add a provider to sgcSignServer.conf.json — a PFX file, Azure Trusted Signing account, AWS KMS key, Certum SimplySign user, or any of the other ten key providers. No service restart required.
Open /admin/apikeys, click New API key, scope it to a project, copy the token into your CI runner secret. Build agent calls POST /api/v1/sign.
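The same call from a build agent that cannot rely on curl, as an added example (not the bundled sgcSign CLI or composite action). It uses only the contract shown on this page: bearer API key, X-Project, multipart `format`/`file` fields, and the X-Sgcsign-Signer-Subject / X-Sgcsign-Duration-Ms response headers. The `expected_subject` pin and the error handling are this example's own additions, and the server name, token variable and subject string are placeholders.

```python
"""Call POST /api/v1/sign from a build agent and pin the expected signer.

Added example, not the project's bundled CLI. Uses only the contract shown on
this page: bearer API key, X-Project, multipart fields format/file, and the
X-Sgcsign-Signer-Subject / X-Sgcsign-Duration-Ms response headers. The
expected_subject check and the error handling are this example's own additions.
"""
import os
import urllib.error
import urllib.request
import uuid


def build_multipart(fields: dict, file_field: str, filename: str, data: bytes):
    """Return (content_type, body) for a multipart/form-data upload."""
    boundary = "----sgcsign-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append((f"--{boundary}\r\n"
                      f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                      f"{value}\r\n").encode())
    parts.append((f"--{boundary}\r\n"
                  f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"\r\n'
                  "Content-Type: application/octet-stream\r\n\r\n").encode() + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def check_response_headers(headers: dict, expected_subject: str) -> dict:
    """Fail the build if the artefact was signed by anything but the expected certificate."""
    lookup = {k.lower(): v for k, v in headers.items()}
    subject = lookup.get("x-sgcsign-signer-subject")
    if subject is None:
        raise RuntimeError("response carries no X-Sgcsign-Signer-Subject header")
    if subject != expected_subject:
        raise RuntimeError(f"signed by {subject!r}, expected {expected_subject!r}")
    return {"signer_subject": subject,
            "duration_ms": int(lookup.get("x-sgcsign-duration-ms", "0"))}


def sign_file(server: str, token: str, project: str, fmt: str,
              path: str, out_path: str, expected_subject: str) -> dict:
    """Upload path, write the signed bytes to out_path, return the correlation headers."""
    with open(path, "rb") as f:
        data = f.read()
    content_type, body = build_multipart({"format": fmt}, "file", os.path.basename(path), data)
    req = urllib.request.Request(
        f"{server}/api/v1/sign", data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",   # "X-API-Key: <token>" works too
                 "X-Project": project,
                 "Content-Type": content_type})
    try:
        with urllib.request.urlopen(req, timeout=300) as resp:
            signed = resp.read()
            info = check_response_headers(dict(resp.headers), expected_subject)
    except urllib.error.HTTPError as e:
        # Do not let an error body land in out_path disguised as the signed binary.
        raise RuntimeError(f"signing failed: HTTP {e.code} {e.read()[:200]!r}") from None
    with open(out_path, "wb") as f:
        f.write(signed)
    return info


if __name__ == "__main__":
    # Placeholders: server name, token variable and subject are assumptions for this example.
    print(sign_file("https://sign.example.com", os.environ["SGCSIGN_TOKEN"], "production",
                    "authenticode", "./MyApp.exe", "./MyApp-signed.exe",
                    "CN=ACME Corp, O=ACME, C=US"))
```

Pinning the signer subject in the pipeline catches a project whose provider was silently switched to a test certificate, and writing the output only after the headers check means a failed run leaves no half-trusted artefact behind.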