Developer Guide

  • 10/27/2020
  • Public Content

Preparing and Submitting Your Project for Signing

In order to ensure the integrity of trusted applications, and that they do not contain malicious or harmful code as well as mismatches between implemented features in a trusted application and support for those features on the loading platforms, trusted applications need to be signed by Intel before they can be installed or run on Intel® DAL production platforms.  It is impossible to load and execute an unsigned trusted application in a production environment.  
The process of validating the code and its interoperability with its environment is the certification process.  A successful certification process culminates in the signing of a trusted application.  A trusted application will be signed only after it is certified.  
Sign Once:
  Beginning with Intel® Management Engine (Intel® ME) 11.0, the trusted application signing key is decoupled from the platform signing key.  Therefore, a trusted application signed for Intel ME 11.0 Release X will no longer require resigning for Intel ME Release 11.0 and above.
When do you need to go through the certification and signing process?
  • A new trusted application.
  • New versions of existing trusted applications
  • Existing trusted application on next generation hardware (No longer needed from Intel ME 11.0 and above.)
At no stage in the signing process is the source code visible to Intel.
Validation Guidelines
for details on how to prepare for the certification process.
: During a signing flow, using a tool such as ProGuard* for code size optimization is enforced for big Trusted Applications. 

Product and Performance Information


Performance varies by use, configuration and other factors. Learn more at