A Digital-First Financial Services Firm
A digital-first financial services firm with 8 million mobile banking users integrated QCecuring Code Signing into its CI/CD pipeline, achieving 100% signed mobile releases with HSM-backed keys, reducing release cycle time by 65%, and establishing a complete audit trail for regulatory compliance.
Code Signing Challenges in a High-Velocity Mobile Banking Pipeline
Unsigned and inconsistently signed mobile banking releases
The firm released mobile banking updates for iOS and Android on a bi-weekly sprint cycle, with hotfixes deployed as needed between releases. Code signing was performed manually by two senior engineers who had access to the signing keys stored on a shared USB token. When both engineers were unavailable — during holidays, travel, or overlapping PTO — releases were either delayed or, in three documented cases, pushed to internal QA environments unsigned. An internal audit found that 12% of builds in the staging environment over a 6-month period lacked valid signatures, creating a gap in the firm's software supply chain integrity.
Manual signing bottleneck slowing release velocity
The manual code signing process added an average of 4 hours to each release cycle. The signing engineers had to pull the build artifacts from the CI/CD pipeline, connect the USB token, sign each artifact (iOS IPA, Android APK/AAB, and associated libraries), verify the signatures, and upload the signed artifacts back to the pipeline. This manual step was the single largest bottleneck in the release process, and the firm's product team was pushing for weekly releases to match competitor feature velocity. The engineering leadership estimated that the manual signing process consumed approximately 16 hours per month of senior engineer time.
Audit trail gaps for regulatory compliance
Financial regulators required the firm to demonstrate a complete chain of custody for all software deployed to customer-facing systems, including evidence of who signed what, when, with which key, and under what authorization. The manual signing process produced no automated audit trail — signing events were tracked in a spreadsheet maintained by the signing engineers. During a regulatory examination, the firm could not produce signing records for 8 releases over the prior 12 months, resulting in a finding that required remediation within 90 days.
Automated Code Signing with QCecuring
CI/CD-integrated code signing with policy enforcement
QCecuring Code Signing was integrated directly into the firm's Jenkins and GitHub Actions CI/CD pipelines as an automated signing step. Every build artifact — iOS IPA, Android APK/AAB, server-side JARs, and associated libraries — was signed automatically as part of the build process. Policy enforcement ensured that no artifact could progress to the staging or production environment without a valid signature. The signing step added less than 90 seconds to the build pipeline, replacing the 4-hour manual process entirely.
HSM-backed signing keys with role-based access controls
Signing keys were migrated from the shared USB token to a FIPS 140-2 Level 3 certified HSM managed through QCecuring's key management interface. Role-based access controls replaced the two-person key holder model — the CI/CD service account was authorized for automated signing operations, while key generation, rotation, and revocation required approval from the security team. Key usage was logged with tamper-evident audit records, and keys were rotated on a quarterly schedule without disrupting the signing pipeline.
Complete audit trail and compliance reporting
QCecuring generated a tamper-evident audit log for every signing operation — recording the artifact hash, signing key identifier, timestamp, pipeline run ID, requesting service account, and approval chain. The platform produced compliance reports mapping signing events to specific releases, providing the chain-of-custody evidence regulators required. Reports were exportable in formats compatible with the firm's GRC platform, enabling automated compliance monitoring and regulatory examination preparation.
Measurable Impact on Release Velocity and Compliance
100% signed releases
After integrating QCecuring Code Signing into the CI/CD pipeline, every mobile banking release — including hotfixes and emergency patches — was signed automatically with HSM-backed keys. The 12% unsigned build rate in staging was eliminated entirely, and policy enforcement prevented any unsigned artifact from reaching production.
65% faster release cycles
Automated code signing reduced the signing step from 4 hours of manual effort to under 90 seconds of automated processing. This removed the primary bottleneck in the release pipeline, enabling the firm to move from bi-weekly to weekly releases and reducing the overall release cycle time by 65%. Senior engineer time previously spent on manual signing — approximately 16 hours per month — was redirected to feature development.
100% audit trail coverage
QCecuring's tamper-evident audit logs provided a complete chain of custody for every signed artifact, closing the regulatory finding within 60 days — 30 days ahead of the remediation deadline. The firm's compliance team now generates regulatory examination evidence on demand, replacing the manual spreadsheet tracking that had produced gaps in 8 releases.
Code signing was our release pipeline's weakest link — manual, dependent on two people, and invisible to our compliance team. QCecuring turned it into an automated, auditable step that runs in seconds. We went from bi-weekly releases with signing delays to weekly releases with zero unsigned builds. Our regulators got the audit trail they needed, and our engineers got their time back.
Frequently Asked Questions
How does QCecuring Code Signing integrate with CI/CD pipelines?
QCecuring provides native plugins for Jenkins, GitHub Actions, GitLab CI, and Azure DevOps, as well as a CLI tool and REST API for custom integrations. The signing step is added as a pipeline stage that receives build artifacts, signs them using HSM-backed keys, and returns signed artifacts to the pipeline. Configuration is managed through policy files stored alongside the pipeline definition, enabling signing policies to be version-controlled with the application code.
What happens if the signing service is unavailable during a build?
QCecuring's signing infrastructure is deployed in a high-availability configuration with automatic failover. If the primary signing endpoint is unavailable, the pipeline automatically routes to the secondary endpoint. In the unlikely event of a complete service interruption, the pipeline is configured to fail the build rather than produce unsigned artifacts — ensuring that no unsigned code reaches staging or production environments.
How are signing keys protected and rotated?
Signing keys are stored in FIPS 140-2 Level 3 certified HSMs and never leave the HSM boundary — signing operations are performed within the HSM. Key rotation is automated on a configurable schedule (quarterly in this deployment) and is transparent to the CI/CD pipeline. The old key remains valid for signature verification while the new key is used for all new signing operations, ensuring continuity during the rotation period.
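The behaviour described in the pipeline section above (a signing stage that writes one audit record per operation and a policy gate that refuses unsigned artifacts) and in the last two answers (fail the build when the signer is unreachable; keep a rotated key valid for verification until it is revoked) can be modelled in a few dozen lines. The following is an added illustration, not QCecuring's code, plugin or API. Assumptions: an in-process key store with HMAC-SHA256 stands in for the HSM's asymmetric signing so the example runs on the Python standard library alone; the key ids, pipeline run ids and artifact bytes are constructed; the audit log is hash-chained as one way of making it tamper-evident.

```python
import hashlib
import hmac
import json
import os
import time


class SignerUnavailable(Exception):
    """Raised when the signing service cannot be reached; the build must fail."""


class HsmKeyStore:
    """Stand-in for the HSM (assumption): key material never leaves this object,
    callers only get sign/verify by key id. HMAC-SHA256 replaces the HSM's
    asymmetric signature so the example needs no third-party library."""

    def __init__(self):
        self._keys = {}        # key_id -> secret bytes, kept private
        self._active = None    # key used for new signatures
        self.available = True  # set False to simulate a signer outage

    def rotate(self, new_key_id):
        """Scheduled rotation: new active key; the old one stays for verification."""
        self._keys[new_key_id] = os.urandom(32)
        self._active = new_key_id
        return new_key_id

    def revoke(self, key_id):
        """Revocation removes the key, so its signatures stop verifying."""
        self._keys.pop(key_id, None)
        if self._active == key_id:
            self._active = None

    def sign(self, digest):
        if not self.available or self._active is None:
            raise SignerUnavailable("signing endpoint unreachable or no active key")
        mac = hmac.new(self._keys[self._active], digest, hashlib.sha256).hexdigest()
        return self._active, mac

    def verify(self, key_id, digest, signature):
        secret = self._keys.get(key_id)
        if secret is None:          # unknown or revoked key
            return False
        expected = hmac.new(secret, digest, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


class AuditLog:
    """Hash-chained signing records: each record commits to the previous one,
    so editing or deleting an entry breaks the chain."""

    def __init__(self):
        self.records = []

    def append(self, fields):
        prev = self.records[-1]["record_hash"] if self.records else "0" * 64
        body = dict(fields, prev_hash=prev)
        body["record_hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append(body)
        return body

    def verify_chain(self):
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body.get("prev_hash") != prev or digest != rec["record_hash"]:
                return False
            prev = rec["record_hash"]
        return True


def sign_artifact(store, log, artifact, run_id, service_account, approval):
    """Pipeline signing stage: hash the artifact, sign the digest inside the
    key store, record who signed what, when, with which key and approval."""
    digest = hashlib.sha256(artifact).digest()
    key_id, signature = store.sign(digest)  # raises SignerUnavailable on outage
    log.append({
        "artifact_hash": digest.hex(),
        "signing_key_id": key_id,
        "timestamp": time.time(),
        "pipeline_run_id": run_id,
        "service_account": service_account,
        "approval_chain": approval,
    })
    return {"key_id": key_id, "artifact_hash": digest.hex(), "signature": signature}


def run_build(store, log, artifact, run_id, service_account="ci-signer",
              approval="policy:mobile-release"):
    """Fail closed: a signer outage yields a failed build, never an unsigned artifact."""
    try:
        bundle = sign_artifact(store, log, artifact, run_id, service_account, approval)
        return {"status": "signed", "bundle": bundle}
    except SignerUnavailable as exc:
        return {"status": "failed", "reason": str(exc), "bundle": None}


def promotion_gate(store, artifact, bundle):
    """Policy check before staging/production: reject unsigned artifacts,
    bytes that no longer match the signed digest, and revoked signing keys."""
    if bundle is None:
        return False
    digest = hashlib.sha256(artifact).digest()
    if digest.hex() != bundle["artifact_hash"]:
        return False
    return store.verify(bundle["key_id"], digest, bundle["signature"])
```

The point of the gate is that promotion depends on a fresh verification against the key store, not on a flag set by the build: an artifact modified after signing, an artifact that skipped the signing stage, or one signed by a key that has since been revoked all stop at the same check.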