With a Touch, Yubico, Docker Revolutionize Code Signing

Jerrod Chong

Jerrod Chong

2 minute read

Today we released the YubiKey 4. Our next generation product that includes a new function called touch-to-sign, a unique and simple method for code signing that we have brought to life together with Docker, an open platform for distributed applications.

At DockerCon Europe 2015 in Barcelona, Docker and Yubico together unveiled the world’s first touch-to-sign code signing system using the new YubiKey 4. A developer only needs to touch his YubiKey for user presence verification and to digitally sign code, using a private root key stored on the device. This capability is the first hardware signing key to provide content integrity for containers that are part of Docker Content Trust, and it enables secure software lifecycle development for Docker developers, sysadmins, and third-party ISVs. We think it’s slick, and cool, and the future of hardware-backed keys.

As part of YubiKey 4, we also released a new PKCS#11 module that our customers and partners can use with their cryptographic projects. The open standard protocol, PKCS#11, lets applications speak to cryptographic smart card devices, such as the YubiKey 4, and perform cryptographic functions. Docker has integrated the PKCS#11 module into its platform to support touch-to-sign, and we hope this inspires others to develop other cutting-edge security solutions.

This is an important milestone for Yubico and our customers as we complement authentication with another category where the YubiKey excels, strong security with ease-of-use for code signing. Having the root keys stored in the secure element of the YubiKey means attackers cannot duplicate the root key to forge sign operations. Insecure storage of keys, for example in software modules, is often the cause of many of the vulnerabilities found in software packages.

We salute Docker for taking this first major step to help developers secure the creation and on-going maintenance of their code. With Yubikey 4 and touch-to-sign, we hope all Docker users take advantage of this fantastic opportunity to secure their code!

Read Docker’s blog on touch-to-sign.

, ,
Talk to our teamTalk to our team

Share this article:
  • Goodbye master passwords: Dashlane and Yubico enhance credential vault encryption and login with YubiKeysAt Authenticate 2025 this week, the world’s leading experts on modern authentication and securing digital identities gathered, to discuss the future of secure authentication and achieving usable security across the account lifecycle. The message was clear: the future of phishing-resistant authentication is using passkeys for encryption, and the gold standard is device-bound passkeys – YubiKeys. […]Read morecredential vault encryptioncredential vault loginDashlanepartnerpasskey encryptionPRF
  • Piloting Europe’s future ID: Passkeys securing digital walletsOver the last several years, passkeys have become ubiquitous. They are available on every mobile platform, in every leading browser, as part of all major enterprise IAM solutions, and in most major cloud services. Until wwWallet came along, the only place where passkeys hadn’t yet made an impact is in the rapidly developing world of […]Read moredigital identity walletspasskeysSIROSwwWallet
  • We’re excited for what’s to come – meet us in-person to find out whyIt’s been a busy year for our team, filled with exciting company and product updates aimed at better serving our customers and helping them achieve cyber resilience as AI-driven phishing threats continue evolving globally. Between industry award recognitions and key new executive leadership hires to lead Yubico to its next stage of growth and a […]Read more
  • FIPS certified vs. FIPS compliant: What’s the real difference?“Is your MFA solution FIPS compliant, or is it certified?”  This is a question we hear a lot, and for good reason. In industries where security and compliance are critical (especially in government contracts), understanding the difference between FIPS certified and FIPS compliant isn’t just semantics – it can mean the difference between meeting requirements […]Read moreFIPSNIST