Automate Code Signing in CI/CD Without Cloud HSM
Apr 5, 2026 · Tutorials · 7 views
Every CI/CD tutorial assumes cloud HSM. Here's how to automate code signing with a local USB token and OneSigner — zero recurring costs.
Architecture
```text
CI/CD Pipeline (GitHub Actions / Jenkins / GitLab)
|-- Build EXE/DLL/MSI
|-- Upload to OneSigner via REST API
|-- OneSigner signs with USB token (local)
|-- Retrieve signed binary
|-- Continue deployment
```
Option 1: Direct API
```shell
# Upload the build output to the OneSigner API; $TOKEN holds the API bearer token
curl -X POST https://sign.yourcompany.com/api/upload \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@build/output/myapp.exe"
```
Option 2: Folder Watch (Zero Code)
Mount a network share as the source folder. CI copies unsigned files there; OneSigner signs them automatically and moves them to the destination folder, where CI picks up the signed files.
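The folder-watch hand-off above leaves two things to the CI job: dropping the file atomically so the watcher never picks up a half-written binary, and refusing to deploy anything that did not actually come back signed. The script below is an added example, not OneSigner's code; the `unsigned/` and `signed/` folder names, the stable-size heuristic and the polling interval are assumptions. It also builds a constructed minimal PE32+ image so the whole flow runs offline, and the "signed" variant carries a placeholder certificate table, not a real PKCS#7 signature. The presence check (a non-empty IMAGE_DIRECTORY_ENTRY_SECURITY entry) catches a silently skipped signing step; it does not replace `signtool verify` or `osslsigncode verify` for validating the signature itself.

```python
"""CI-side helpers for the folder-watch signing flow (added example; folder
names, timing and the stub PE are assumptions, not OneSigner's own code)."""
import hashlib
import shutil
import struct
import time
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Certificate Table data directory


def authenticode_blob_present(path: Path) -> bool:
    """True if the PE carries a non-empty Certificate Table (the WIN_CERTIFICATE
    blob Authenticode signing appends). Presence check only, not verification."""
    data = path.read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError(f"{path.name}: not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError(f"{path.name}: missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip "PE\0\0" and the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                            # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                          # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"{path.name}: unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, num_dirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False                              # header has no security entry at all
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return offset != 0 and size >= 8 and offset + size <= len(data)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def submit_for_signing(unsigned: Path, watch_dir: Path) -> Path:
    """Copy to a temporary name first, then rename, so the watcher only ever
    sees a complete file (assumed: the watcher ignores *.partial)."""
    watch_dir.mkdir(parents=True, exist_ok=True)
    tmp = watch_dir / (unsigned.name + ".partial")
    shutil.copyfile(unsigned, tmp)
    final = watch_dir / unsigned.name
    tmp.replace(final)
    return final


def wait_for_signed(dest_dir: Path, name: str, timeout: float = 120.0, poll: float = 0.5) -> Path:
    """Block until <name> exists in the destination folder with a non-zero size
    that is unchanged across two polls, i.e. the signer has finished writing."""
    target = dest_dir / name
    deadline = time.monotonic() + timeout
    last_size = -1
    while time.monotonic() < deadline:
        if target.exists():
            size = target.stat().st_size
            if size > 0 and size == last_size:
                return target
            last_size = size
        time.sleep(poll)
    raise TimeoutError(f"no signed {name} in {dest_dir} after {timeout}s")


def verify_signed_artifact(unsigned: Path, signed: Path) -> bool:
    """Reject a result that is byte-identical to the input or has no
    certificate table: both mean the signing step silently did nothing."""
    if sha256(unsigned) == sha256(signed):
        return False
    return authenticode_blob_present(signed)


def build_stub_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image with no sections, for offline testing only."""
    image = bytearray(0x40)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                      # e_lfanew
    image += b"PE\0\0"
    image += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # COFF header, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    image += opt
    if signed:
        cert = b"\x30\x82" + b"PLACEHOLDER-PKCS7-SIGNED-DATA"        # constructed, not a real signature
        blob = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert  # WIN_CERTIFICATE header
        sec = 0x40 + 4 + 20 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, sec, len(image), len(blob))  # point the security entry at the blob
        image += blob
    return bytes(image)


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())
    build_out = root / "build" / "myapp.exe"
    build_out.parent.mkdir()
    build_out.write_bytes(build_stub_pe(signed=False))
    submitted = submit_for_signing(build_out, root / "unsigned")
    # A real run relies on the signer to move the result into signed/; simulate that here.
    (root / "signed").mkdir()
    (root / "signed" / submitted.name).write_bytes(build_stub_pe(signed=True))
    signed_path = wait_for_signed(root / "signed", submitted.name, timeout=5)
    print("signed artifact OK:", verify_signed_artifact(build_out, signed_path))
```

The same `verify_signed_artifact` gate applies to Option 1: run it on the binary downloaded back from the API before the deployment step, so a misconfigured token or an expired PIN fails the pipeline instead of shipping an unsigned build.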
Option 3: Cloudflare Tunnel
For cloud CI (GitHub Actions) that can't reach your local server: enable Cloudflare Tunnel in OneSigner. Your server gets a public URL — no ports to open, no VPN.
Solving the Session Problem
USB tokens need a Windows desktop session. OneSigner solves this with:
- UserSessionSigner — spawns signing in user session from service
- Auto-Logon — always-on desktop session
- PIN pre-config — stored encrypted, no dialog
Performance: 12 Files in 5.7 Seconds
Tested with 12 PDFs signed in parallel: 5.7 seconds total, 476 ms average per file. The token performs its operations sequentially (~4.3 s each), but the API accepts the uploads concurrently.
3-Year Cost Comparison (100 signs/day)
| Solution | Year 1 | Year 2 | Year 3 | Total |
|---|---|---|---|---|
| SSL.com eSigner | $18,490 | $18,490 | $18,490 | $55,470 |
| DigiCert KeyLocker | $859 | $859 | $859 | $2,577 |
| OneSigner + Token | $179 | $0 | $0 | $179 |
