Inferensys

Glossary

MRSIGNER

A cryptographic hash of the public key used to sign an enclave's authorizing certificate, allowing attestation verifiers to establish trust based on the software vendor's identity rather than a specific code version.
Operations team reviewing AI vendor onboarding platform on laptop, forms and contracts visible, casual office workspace.
Enclave Signer Identity

What is MRSIGNER?

MRSIGNER is a cryptographic hash of the public key used to sign an enclave's authorizing certificate, enabling attestation verifiers to establish trust based on the software vendor's identity rather than a specific code version.

MRSIGNER is a cryptographic measurement that identifies the signing authority—typically the software vendor or development team—responsible for an enclave's authorizing certificate. Unlike MRENCLAVE, which changes with every code modification, MRSIGNER remains constant across all enclaves signed by the same private key, enabling verifiers to establish trust based on the software vendor's identity rather than a specific binary hash.

During remote attestation, a relying party evaluates MRSIGNER to determine whether the enclave was produced by a trusted source. This allows for version-flexible trust policies: an organization can whitelist all enclaves signed by an approved vendor without updating attestation policies for each software update, simplifying confidential computing deployment management while maintaining cryptographic assurance of provenance.

IDENTITY-BASED ATTESTATION

Key Characteristics of MRSIGNER

MRSIGNER shifts the trust model from verifying a specific code version to verifying the software vendor's identity. This cryptographic primitive enables seamless updates without re-attestation.

01

Vendor Identity, Not Code Identity

Unlike MRENCLAVE, which binds trust to an exact binary hash, MRSIGNER binds trust to the public key of the software vendor. This allows verifiers to trust any enclave signed by a specific authority, decoupling security policy from specific build artifacts.

02

Seamless Software Updates

Because MRSIGNER does not change when code is patched (as long as the signing key remains the same), organizations can deploy security patches and version updates without updating their attestation policies. This is critical for maintaining operational agility in production environments.

03

The Signing Enclave Hierarchy

MRSIGNER is derived from the hash of the public key that signs the Enclave Authoring Certificate. This creates a chain of trust: the hardware root verifies the provisioning key, which certifies the signing key, which authorizes the enclave developer.

04

Attestation Policy Flexibility

Verifiers can implement allowlisting by MRSIGNER values to permit any enclave from a trusted Independent Software Vendor (ISV). This enables a single policy rule—'trust all binaries from Vendor X'—rather than managing a whitelist of hundreds of individual MRENCLAVE hashes.

05

Intel SGX DCAP Integration

In the Intel Data Center Attestation Primitives (DCAP) framework, MRSIGNER is a primary claim in the attestation quote. Verifiers use the MRSIGNER value to query the Provisioning Certification Service and validate the signing certificate chain before trusting the enclave.

06

Multi-Vendor Trust Models

Complex confidential applications often combine enclaves from multiple vendors. MRSIGNER allows a verifier to establish a composite trust policy, trusting a database engine from one MRSIGNER and a machine learning runtime from another, all within a single attestation decision.

ATTESTATION IDENTITY COMPARISON

MRSIGNER vs. MRENCLAVE

A comparison of the two primary measurement values used in Intel SGX remote attestation to establish enclave identity and trust.

FeatureMRSIGNERMRENCLAVE

What it measures

Hash of the enclave author's public key

Hash of the enclave's code and initial data

Identity granularity

Software vendor or signing authority

Exact binary version of the enclave

Update tolerance

Trust model

Trust in the vendor's signing key

Trust in a specific, immutable code build

Policy flexibility

Allows any enclave signed by the same key

Locks policy to a single, precise measurement

Typical use case

Production deployments requiring seamless updates

High-security environments requiring strict immutability

Revocation mechanism

Key revocation by the vendor

Requires policy update for each new build

Collision resistance

Dependent on the signing key's security

Dependent on the enclave's content uniqueness

MRSIGNER ATTESTATION

Frequently Asked Questions

Common questions about the MRSIGNER identity, its role in enclave attestation, and how it differs from MRENCLAVE for establishing trust in confidential computing environments.

MRSIGNER is a cryptographic hash of the public key used to sign an enclave's authorizing certificate, serving as a hardware-enforced identifier of the software vendor or signing authority. Unlike MRENCLAVE, which identifies a specific binary build, MRSIGNER allows attestation verifiers to establish trust based on who signed the enclave rather than the exact code version. During Intel SGX attestation, the CPU generates a signed report containing both the MRSIGNER and MRENCLAVE values, enabling a relying party to verify that the enclave was produced by a trusted vendor—such as a specific ISV or cloud provider—without needing to whitelist every individual build hash. This abstraction is critical for Confidential Computing deployments where software updates occur frequently, as it decouples identity from the precise code measurement.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.