Code Signing certificate for Google Cloud KMS
Sign EXE, DLL, Java artifacts and PowerShell directly from Google Cloud KMS. No USB token needed. Jsign connects to your Cloud KMS key and performs the signing. Your private key is stored on a FIPS 140-2 Level 3 HSM and never leaves Google's infrastructure.
GCP KMS costs approximately €2.50/month (one HSM key + signing operations). That is dramatically cheaper than CA-hosted cloud signing services like DigiCert KeyLocker (~€300/year + signing limits on top of the certificate).
What is Google Cloud KMS Code Signing?
Google Cloud Key Management Service is Google's cloud-based key management service. With the HSM protection level, keys are stored on FIPS 140-2 Level 3 certified HSM hardware. The private key is generated inside the HSM and never leaves it. All signing operations happen on the HSM itself.
Jsign is the primary signing tool for GCP KMS. It is open source, Java-based and cross-platform. Jsign connects to GCP KMS via service account authentication and performs Authenticode and JAR signing with the cloud-hosted key.
Since June 2023, all Code Signing certificates (OV and EV) require HSM-backed key storage. GCP KMS meets this requirement. Software-only .pfx files are no longer permitted by any Certificate Authority.
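A pre-flight check for the properties described above, as an added example that is not FairSSL's or Jsign's own code: it inspects a Cloud KMS key version description for the HSM protection level, an enabled asymmetric signing key and non-imported key material, then derives the `--keystore` and `--alias` values Jsign's GOOGLECLOUD store type takes. The sample JSON is constructed, all project and key names are placeholders, and the function names are hypothetical.

```python
import json
import re

# Constructed sample shaped like `gcloud kms keys versions describe --format=json`
# output; project, key ring and key names are placeholders.
SAMPLE_VERSIONS = json.loads("""[
  {"name": "projects/example-project/locations/europe-west1/keyRings/codesign/cryptoKeys/release/cryptoKeyVersions/1",
   "state": "ENABLED", "protectionLevel": "HSM",
   "algorithm": "RSA_SIGN_PKCS1_4096_SHA256"},
  {"name": "projects/example-project/locations/europe-west1/keyRings/codesign/cryptoKeys/legacy/cryptoKeyVersions/3",
   "state": "ENABLED", "protectionLevel": "SOFTWARE",
   "algorithm": "RSA_SIGN_PKCS1_4096_SHA256",
   "importJob": "projects/example-project/locations/europe-west1/keyRings/codesign/importJobs/migrate"}
]""")

NAME_RE = re.compile(
    r"^(projects/[^/]+/locations/[^/]+/keyRings/[^/]+)"
    r"/cryptoKeys/([^/]+)/cryptoKeyVersions/(\d+)$")


def check_signing_key(version):
    """Return a list of findings; an empty list means the key version passes."""
    findings = []
    if not NAME_RE.match(version.get("name", "")):
        findings.append("name is not a full cryptoKeyVersions resource path")
    if version.get("protectionLevel") != "HSM":
        findings.append("protectionLevel is %s, not HSM" % version.get("protectionLevel"))
    if version.get("state") != "ENABLED":
        findings.append("state is %s, not ENABLED" % version.get("state"))
    if not version.get("algorithm", "").startswith(("RSA_SIGN_", "EC_SIGN_")):
        findings.append("algorithm %s is not an asymmetric signing algorithm" % version.get("algorithm"))
    if "importJob" in version:
        findings.append("key material was imported, not generated inside the HSM")
    return findings


def jsign_args(version):
    """Build Jsign's GOOGLECLOUD --keystore/--alias values for a vetted key."""
    findings = check_signing_key(version)
    if findings:
        raise ValueError("; ".join(findings))
    keyring, key, number = NAME_RE.match(version["name"]).groups()
    return ["--storetype", "GOOGLECLOUD", "--keystore", keyring,
            "--alias", "%s/cryptoKeyVersions/%s" % (key, number)]


if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        print(v["name"].split("/cryptoKeys/")[1], check_signing_key(v) or "OK")
```

A real Jsign invocation additionally needs `--storepass` (a Google Cloud access token), `--certfile` (the certificate chain issued by the CA) and the file to sign.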
OV vs EV Code Signing with Google Cloud KMS
| | OV Code Signing | EV Code Signing |
|---|---|---|
| Validation | Organisation | Extended (stricter) |
| SmartScreen reputation | Builds over time with downloads | Starts with higher reputation |
| Kernel-mode driver signing | No | Yes (required by Microsoft) |
| Key storage | GCP KMS HSM | GCP KMS HSM |
| Issuance time | 1–3 business days | 1–5 business days |
| Maximum validity | 459 days | 459 days |
Google Cloud KMS vs Azure Key Vault
Both services meet the HSM requirement for code signing. The choice depends on your cloud platform and signing workflow.
Google Cloud KMS
- ✓ ~€2.50/month
- ✓ FIPS 140-2 Level 3 HSM
- ✓ Signing via Jsign (cross-platform)
- ✓ Google Cloud SDK authentication
- ✓ Ideal for GCP-native teams
Azure Key Vault
- ✓ ~$5/month
- ✓ FIPS 140-2 Level 3 HSM
- ✓ Signing via AzureSignTool or Jsign
- ✓ Azure AD/RBAC authentication
- ✓ Ideal for Azure-native teams and Windows-heavy workflows
Compatible Certificate Authorities
Only DigiCert and GlobalSign support GCP KMS key attestation. Sectigo/Comodo certificates are not compatible with Google Cloud KMS.
FairSSL sells both DigiCert and GlobalSign Code Signing certificates and provides installation guides for both CAs with Google Cloud KMS. We recommend the CA that best fits your requirements and budget.
Signing tools
Jsign is the recommended signing tool for Google Cloud KMS. It supports GCP KMS natively and works on Windows, macOS and Linux. Jsign handles Authenticode signing (.exe, .dll, .msi) and JAR signing.
signtool.exe does not work with GCP KMS directly, as there is no CNG provider for Google Cloud. Use Jsign instead.
Complete setup guide for Google Cloud KMS Code Signing
Step-by-step guide with GCP CLI commands, service account setup and CI/CD examples.
Read the setup guide →
Code Signing certificates for Google Cloud KMS
OV Code Signing
DigiCert CodeSign OV
DigiCert OV Code Signing. Works with Google Cloud KMS.
GlobalSign CodeSign
GlobalSign OV Code Signing. Works with Google Cloud KMS.
EV Code Signing