CybersecurityConnected & Cyber-Physical Devices Software Lifecycle

Code Signing

Cryptographic signing of executable software and firmware so that only authentic, unmodified code from a trusted publisher will run.

Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed June 20, 2026

Definition

Code signing is the practice of digitally signing executable files, firmware images, software packages, and OTA updates with a private key whose corresponding public key (in a certificate from a trusted certificate authority) is embedded in or trusted by the device. At install or boot, the device verifies the signature; if it doesn't validate against an expected publisher and the artifact hasn't been modified, the code is rejected. Code signing is the foundational control behind secure boot, OTA update verification, and anti-tampering on connected medical devices.

What the regulation says

FDA's 2023 Cybersecurity in Medical Devices guidance lists 'Authenticity and Integrity of Updates' as a core security capability. IEC 81001-5-1 §5.7.2 and §9.6 expect signed updates and secure key management. AAMI SW96 requires code signing for distributed software components.

What this means in practice

FDA premarket cybersecurity submissions are expected to describe how the device verifies the authenticity and integrity of firmware and software updates. Code signing, paired with a hardware root of trust to protect verification keys, is the standard answer. Key management is where most code-signing programs fail: signing keys stored in source control, in unprotected CI build agents, or shared across product lines have caused some of the most severe medical device cybersecurity advisories.

Common pitfalls

•Storing signing keys in CI/CD environment variables or unencrypted on build servers, keys belong in an HSM or hardware-backed key store.
•Using the same signing key across product lines and over many years, key rotation and per-product or per-release keys limit blast radius.
•Verifying signatures only at install time, not at boot, pair code signing with secure boot to defend against post-install tampering.

Primary references

3 sources

Link health: 2 verified 1 bot-blocked· last checked 2026-06-20

FDA·1NIST·1MDCG·1

Inline markers like [1] jump to the matching reference above.

On this term

Category: Cybersecurity
Sources: 3
Updated: 6/20/2026

Compare with another term

Learn in 60 seconds

Cryptographic signing of executable software and firmware so that only authentic, unmodified code from a trusted publisher will run.

·FDA premarket cybersecurity submissions are expected to describe how the device verifies the authenticity and integrity of firmware and software updates.
·Code signing, paired with a hardware root of trust to protect verification keys, is the standard answer.
·At install or boot, the device verifies the signature; if it doesn't validate against an expected publisher and the artifact hasn't been modified, the code is rejected.

Remember this

Watch out: Storing signing keys in CI/CD environment variables or unencrypted on build servers, keys belong in an HSM or hardware-backed key store.

Related terms

You may also need

Auto-suggested from Cybersecurity and shared keywords.

All Cybersecurity terms

From the Blue Goat network

Related resources and services on this topic.