Signet
What it is
Signet is the internal tool that produces and verifies formal 21 CFR Part 11 electronic signatures on TRACE ALM artefacts that need them — primarily release approvals and formal verification records.
Where the auto-stamp Action records content-level approval (per-PR REVIEWED_HASH + REVIEWED_BY), Signet records release-level signatures: a designated signer attests, with the legal weight of a Part 11 e-signature, that a specific release / verification record is approved.
Why it’s separate from the auto-stamp App
The auto-stamp App and Signet do different jobs at different layers:
- Auto-stamp records every regulated content approval as it happens. Triggered automatically by PR merges, frequent (one per regulated PR), single-content fingerprint per record.
- Signet signs aggregated release / verification records. Triggered manually by a designated signer at release time, infrequent (one per release / verification event), produces a Part 11–conformant signature manifest.
A Part 11 signature has specific legal characteristics — it requires deliberate user action, captures the signer’s intent, binds to specific record content, and produces a signature manifest that survives independent of the underlying tool. Auto-stamp’s commit-back model doesn’t satisfy those Part 11 properties; Signet does.
Both layers are required: auto-stamp gives FDA the chain of content approvals during development; Signet gives FDA the formal release-level signatures on verification records and release approvals.
Where it lives
- Source repo: Signet has its own repository (URL in the reference index)
- Output directory in this repo: signatures/ — Signet writes signature manifests here, alongside the artefacts they sign
- Skill-file integration: the strictdoc-requirements skill defers all Part 11 signing concerns to Signet — see the skill’s introduction for the explicit boundary
How to operate it
The bulk of Signet’s documentation — installation, signer enrollment, the signing UI, signature-manifest format, verification, key management — lives on the Signet documentation site at <SIGNET_DOCS_URL>.
For TRACE ALM, the integration points are:
- Release approvals — signed at release time using Signet’s release-record workflow, against the release evidence bundle assembled by the post-processor
- Formal verification records — signed when a verification campaign closes (e.g. the IT/ST evidence bundle for a release candidate), per the “How a release is verified and signed” workflow
- Manifest storage — signed manifests are committed under signatures/ with the same CODEOWNERS protection as regulatory-docs/, and any change to a signed manifest creates a drift signal in the post-processor
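The drift signal in the last item can be illustrated with a digest comparison over signatures/. This is an added example, not the post-processor's or Signet's code; the baseline mapping (relative path to SHA-256 digest), the function names and the sample manifest file names are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def manifest_drift(sig_dir: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare manifests under sig_dir with digests recorded at signing time.

    baseline maps a path relative to sig_dir to its SHA-256 hex digest
    (assumed record format, not Signet's or the post-processor's).
    """
    current = {
        p.relative_to(sig_dir).as_posix(): sha256_file(p)
        for p in sig_dir.rglob("*") if p.is_file()
    }
    return {
        # Content changed after the digest was recorded.
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        # A recorded manifest was deleted or renamed; this is drift too.
        "missing": sorted(k for k in baseline if k not in current),
        # A file appeared in signatures/ that was never recorded.
        "unrecorded": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: three recorded manifests, then one edit, one delete, one add."""
    with tempfile.TemporaryDirectory() as tmp:
        sig_dir = Path(tmp) / "signatures"
        sig_dir.mkdir()
        for name in ("release-a.manifest", "release-b.manifest", "verification-a.manifest"):
            (sig_dir / name).write_text(f"constructed manifest for {name}\n")
        baseline = {p.name: sha256_file(p) for p in sig_dir.iterdir()}

        (sig_dir / "release-a.manifest").write_text("edited after signing\n")
        (sig_dir / "release-b.manifest").unlink()
        (sig_dir / "extra.manifest").write_text("never recorded\n")
        return manifest_drift(sig_dir, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A digest comparison only shows that bytes changed; whether a manifest's signature is still valid is a question for Signet's own verification.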
For the actual signing UX, key generation, signer enrollment, and the technical details of the signature manifest format, read the Signet documentation site: <SIGNET_DOCS_URL>.
Versioning / update policy
- Signet is regulated software — its own SOUP register entry, its own CSA package
- Version pinned per release; bumping Signet between releases requires the standard SOUP review
- Signature manifests produced by an older Signet version remain verifiable indefinitely (forward compatibility is a Signet design constraint — see the Signet docs)
External documentation
The canonical Signet documentation lives at <SIGNET_DOCS_URL>. This page covers only how Signet plugs into TRACE ALM. Do not look here for Signet’s own usage, configuration, or signature-format details — go to the Signet site.