Signed at build. Bound to the artifact.

OBIS provides a CLI and REST API for firmware signing and SBOM binding. The signed firmware and its bound SBOM enter the Product Workspace and are ready for factory provisioning or secure OTA.

Signing at CI/CD with keys in HSM

OBIS provides a CLI and REST API. At the end of the CI/CD pipeline, after the build system produces its output, one call completes HSM signing and SBOM binding. The signed firmware and its bound SBOM enter the Product Workspace Asset Pool — split into a firmware-image branch for factory flashing and an OTA-package branch for field updates, signed and bound the same way.
The same workflow runs on a developer's machine for pre-release testing. Signature formats are compatible with the Secure Boot verification chains of major chipset families — the artifact that reaches the factory or OTA pipeline is ready to deploy without reformatting.
Build tools keep building. OBIS takes over at the last mile — signing and binding only, zero intrusion into what comes before.
Integrates with Jenkins, GitHub Actions, and GitLab CI.

Delegate the signing capability to partners. Keep the key.

The ODM scenario is higher-stakes. OEMs need ODM partners to sign firmware in their own CI/CD environments. OBIS delegates signing capability: the ODM receives a scoped, revocable authorization — not the key itself. Multiple parties produce the OEM's signature — without ever holding the key.

Bound at build. Not bolted on later.

OBIS integrates with Syft, cdxgen, and other mainstream SBOM generators. At build time, it captures the SBOM in CycloneDX or SPDX format and cryptographically binds it to the signed firmware.
This means firmware and SBOM travel as one unit through factory provisioning, OTA distribution, vulnerability monitoring, and compliance reporting. There is no scenario where the firmware is at one version and the SBOM is at another, or where an SBOM is missing entirely and must be reconstructed after the fact.
The SBOM is not a compliance document attached at the end. It is part of the build output, bound at creation, carried end-to-end.
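The binding described above can be illustrated with a small self-contained script. This is an added example, not OBIS code and not its CLI or REST API: it embeds the firmware's SHA-256 in a minimal CycloneDX document's metadata component, then signs one payload covering both the firmware digest and the canonicalized SBOM digest, so neither artifact can be swapped independently. The firmware bytes, SBOM content and key are constructed for the demo, and HMAC-SHA256 stands in for the HSM-held asymmetric signature a real pipeline would use.

```python
import hashlib
import hmac
import json

# Constructed stand-ins (not OBIS data): a tiny "firmware image" and a minimal CycloneDX document.
FIRMWARE_V1 = b"\x7fELF" + b"firmware build 1.0.0 " * 8
SBOM_V1 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "firmware", "name": "demo-fw", "version": "1.0.0"}},
    "components": [{"type": "library", "name": "mbedtls", "version": "3.5.0"}],
}
# Stand-in for the HSM-held signing key: HMAC-SHA256 with a constructed secret.
# A real deployment signs with an asymmetric key that never leaves the HSM.
HSM_KEY_STANDIN = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(doc) -> bytes:
    # Deterministic encoding so the SBOM digest does not depend on key order or whitespace.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def bind_sbom(sbom: dict, firmware: bytes) -> dict:
    # Record the firmware digest inside the SBOM's metadata component so the document
    # itself states which image it describes. Deep-copies so the caller's dict is untouched.
    bound = json.loads(json.dumps(sbom))
    component = bound.setdefault("metadata", {}).setdefault("component", {})
    component["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(firmware)}]
    return bound


def sign_bundle(firmware: bytes, bound_sbom: dict, key: bytes) -> dict:
    # One signature covers both digests, so firmware and SBOM can only be replaced together.
    payload = {
        "firmware_sha256": sha256_hex(firmware),
        "sbom_sha256": sha256_hex(canonical_json(bound_sbom)),
    }
    signature = hmac.new(key, canonical_json(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_bundle(firmware: bytes, sbom: dict, bundle: dict, key: bytes) -> bool:
    payload = bundle["payload"]
    expected = hmac.new(key, canonical_json(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["signature"]):
        return False
    if payload["firmware_sha256"] != sha256_hex(firmware):
        return False
    if payload["sbom_sha256"] != sha256_hex(canonical_json(sbom)):
        return False
    # Cross-check: the SBOM's own embedded hash must also name this image.
    hashes = sbom.get("metadata", {}).get("component", {}).get("hashes", [])
    return any(h.get("alg") == "SHA-256" and h.get("content") == sha256_hex(firmware) for h in hashes)


def demo():
    bound = bind_sbom(SBOM_V1, FIRMWARE_V1)
    bundle = sign_bundle(FIRMWARE_V1, bound, HSM_KEY_STANDIN)
    ok = verify_bundle(FIRMWARE_V1, bound, bundle, HSM_KEY_STANDIN)
    # Drift cases the page describes: an SBOM for a different version, and a modified image.
    stale_sbom = json.loads(json.dumps(bound))
    stale_sbom["metadata"]["component"]["version"] = "1.0.1"
    sbom_drift = verify_bundle(FIRMWARE_V1, stale_sbom, bundle, HSM_KEY_STANDIN)
    fw_drift = verify_bundle(FIRMWARE_V1 + b"\x00", bound, bundle, HSM_KEY_STANDIN)
    return ok, sbom_drift, fw_drift


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The verifier rejects the bundle as soon as either digest in the signed payload stops matching what was presented, which is the property that rules out the "firmware at one version, SBOM at another" case: a consumer downstream never has to trust that the two files were kept in step by process alone.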

See the signing step. One CLI call, one governed build.

A 30-minute demo walks through your build pipeline and shows how OBIS signing integrates without changing your tool chain.