Embodiments are directed to the providing a cloud keying and signing service and to securing software package distribution on the cloud. In an embodiment, a computer system instantiates a signing service configured to sign software packages. The computer system receives a signing request from a computer user requesting that a selected software package be signed. The signing request includes a computed hash of the selected software package. The computer system generates a private and public key pair on behalf of the computer user and stores the private key of the generated key pair in a secure data store.