I've heard that companies store their private keys offline "in a safe that will never be opened" and stuff like that (the context for this is a console developer like Microsoft keeping the Xbox private keys offline in a safe).
How would they still sign code with their private keys if they're fully locked away? Does someone go and physically get the keys to sign the code? Is this a figure of speech that I don't understand?
By having a chain of trust:
Validation of the code on an end user's device is then a matter of asking "has this code been correctly signed with a key which itself was signed by the master key?" The advantage of all this is that if an intermediate key is compromised, it can easily be revoked and a new one generated without needing to change the end user devices - all they care about is the root of trust, the master key.
(Small disclaimer: I don't actually know how big software houses do this, but this is how the SSL CAs work, and they're effectively solving the same problem).
The "safe that will never be opened" is probably a figure of speech.
On the other hand, such private keys are of very great (economic) value to a company like Microsoft, so they will be protected very carefully. I can fully imagine that those keys are really stored in a safe that is only accessible to less than a handful of people who are trusted enough to sign the released code.
