Production Signing Fortanix Confidential Computing Manager Application Enclaves


This article will describe how to use the "enclaveos-signer" application for production signing Fortanix Confidential Computing Manager (CCM) converted containers.


enclaveos-signer is an independent utility to sign Fortanix CCM converted containers with your Intel enclave production signing key. Please follow code-signing guidelines/rituals from your organization while using this tool.


  1. Request a production enclave signing key from Intel to sign production enclaves. Follow the instructions in the URL below to submit a request to Intel.
  2. Also, you would have to assign ISVSVN and ISVPRODID parameters for your application. The Intel SGX documentation below provides more information on these fields.


The application requires a python3 environment (3.6 or older) on your system. You should install pip3 package manager.

sudo apt-get -y install python3-pip

 Install the dependencies for enclaveos-signer.

pip3 install -r requirements.txt

Production Signing Workflow

enclaveos-signer works with Fortanix CCM converted container images. You can use the tool to sign a converted container by providing the input container image and enclave signing keys to the command line. Please use the tool to help you get started with the flow.

chmod +x enclaveos-signer
./enclaveos-signer -h

The application can be signed with debug keys for running in SGX debug mode. The URL below has more details from Intel on debugging and production enclaves:

During the signing process, we generate an Enclave Signature of the application. Enclave Signature generation is described in the Intel SGX documentation here:

Production enclaves require valid Intel enclave signing keys enforced by CPU and IAS remote attestation. Please use debug enclaves if you need to just test the enclave-signer flow with your converted applications.

Here is a brief description of enclave-signer input parameter :

  • The Enclave Author’s Public Key - This can be the production or debug key used for enclave signatures.
  • The Security Version Number of the Enclave (ISVSVN) – The enclave author assigns a Security Version Number (SVN) to each version of an enclave.
  • The Product ID of the Enclave (ISVPRODID) - The enclave author also assigns a Product ID to each enclave.

Sample Signing Request for Debug Enclaves

To generate a debug signing key (RSA private key size 3072-bit):

openssl genrsa -3 -out private_rsa_key.pem 3072
./enclaveos-signer --container <registery>/converter-app-sgx-output <registery>/app-sgx-production --isvsvn <version num> --isvprodid <produt id> -key <path to signing key>

Sample Signing Request for Production Enclaves

./enclaveos-signer --container <registery>/converter-app-sgx-output <registery>/app-sgx-production --isvsvn <version num> --isvprodid <produt id> --production -key <path to signing key>


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful