Code Signing

Trusted binaries. Silent installs. No security warnings.

Windows EV Certificate, macOS Notarization, Azure Key Vault, HSM-Backed, Gatekeeper

Signed binaries: 3
Platforms: Windows + macOS
Certificate type: EV
Key storage: Azure HSM

All Breeze release binaries are code-signed so they install and run without security warnings — critical for an RMM agent that needs elevated privileges and silent deployment.

Why It Matters for RMM

Unsigned binaries trigger SmartScreen blocks on Windows and Gatekeeper quarantine on macOS. For an agent that runs as a system service and supports MDM deployment, those warnings are not just friction — they break automated rollouts. Code signing removes that barrier across every deployment path your team uses.

Windows EV Certificate via Azure Key Vault

Windows binaries are signed using an Extended Validation certificate stored in Azure Key Vault. The private key never leaves the HSM — signing happens through the Azure Code Signing service using a service principal, meeting CA/Browser Forum requirements for EV certificates. Each artifact — the agent executable, the MSI installer, the viewer, and the Helper — is signed individually before upload.

macOS Notarization and Stapling

macOS binaries are signed with an Apple Developer ID Application certificate and submitted to Apple’s notarization service before release. Once notarization completes, the ticket is stapled to the package so Gatekeeper can verify authenticity offline — no internet connection required at install time. Universal binaries covering both Apple Silicon and Intel are notarized in a single submission.

Gatekeeper and SmartScreen Pass

Administrators can verify signatures before deployment using standard platform tools. On Windows, Get-AuthenticodeSignature confirms valid status and the correct publisher. On macOS, spctl --assess returns “accepted, source=Notarized Developer ID.” These checks integrate into MDM workflows and internal security baselines.
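
A pre-deployment gate for the macOS check described above, as an added example that is not Breeze's own tooling: it parses the `spctl --assess -vv` output, requires the notarized source, and pins the signer's Team ID. The Team ID `ABCDE12345`, the vendor name and the sample outputs are constructed placeholders, and the `install` assessment type assumes a .pkg artifact.

```bash
#!/usr/bin/env bash
# Added example: gate a macOS artifact on Gatekeeper's assessment before rollout.
# ABCDE12345 is a placeholder Team ID; use your vendor's real one.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-ABCDE12345}"

# Constructed sample outputs of `spctl --assess -vv` (not captured from Breeze).
SAMPLE_OK='/tmp/agent.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Example Vendor (ABCDE12345)'
SAMPLE_NOT_NOTARIZED='/tmp/agent.pkg: accepted
source=Developer ID
origin=Developer ID Installer: Example Vendor (ABCDE12345)'
SAMPLE_REJECTED='/tmp/agent.pkg: rejected
source=no usable signature'

# check_assessment <spctl output> <team id>
# Succeeds only when the verdict is "accepted", the source is a notarized
# Developer ID, and the origin line ends with the expected Team ID.
check_assessment() {
  local out="$1" team="$2" verdict src origin
  verdict=$(printf '%s\n' "$out" | sed -n '1s/^.*: \([a-z]*\)$/\1/p')
  src=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
  origin=$(printf '%s\n' "$out" | sed -n 's/^origin=//p')
  [ "$verdict" = "accepted" ] || { echo "FAIL: verdict=${verdict:-none}"; return 1; }
  [ "$src" = "Notarized Developer ID" ] || { echo "FAIL: source=${src:-none}"; return 1; }
  case "$origin" in
    *"($team)") echo "OK: $origin" ;;
    *) echo "FAIL: unexpected origin: ${origin:-none}"; return 1 ;;
  esac
}

# gate_file <path> [install|execute]: runs the real tools, macOS only.
gate_file() {
  local path="$1" type="${2:-install}" out
  out=$(spctl --assess --type "$type" -vv "$path" 2>&1) || true
  check_assessment "$out" "$EXPECTED_TEAM_ID" || return 1
  # Offline installs depend on the stapled ticket, so check it as well.
  xcrun stapler validate "$path" >/dev/null 2>&1 || { echo "FAIL: no stapled ticket"; return 1; }
}

# Run the gate only when a path is given, e.g. ./gate.sh /tmp/agent.pkg install
if [ "$#" -gt 0 ]; then
  gate_file "$1" "${2:-install}" || exit 1
fi
```

Pinning the Team ID matters because "accepted" alone only says that some notarized Developer ID signed the file, not that the expected publisher did.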

Every Release, Every Binary

Code signing is not optional or release-specific — it is a mandatory step in the CI/CD release pipeline for every artifact, every release. The agent, viewer, and Helper are all signed before they reach the release page, so your endpoints only ever run verified Breeze binaries.

Capabilities

Windows EV Code Signing

Agent, viewer, and Helper binaries signed via Azure Code Signing with an HSM-backed EV certificate in Key Vault.

macOS Notarization Pipeline

Apple Developer ID signing followed by notarization via notarytool and offline stapling for Gatekeeper clearance.

Three Signed Artifacts

Agent, native viewer, and Helper tray app are all signed on both platforms in the CI/CD release workflow.

Silent Installation Support

Code signing enables unattended MSI deployment, Group Policy distribution, and MDM rollout without user override prompts.