In his excellent technical explainer about the Iphone decryption order, the Electronic Frontier Foundation's Joseph Bonneau discusses the actual process of cryptographically signing a new release of a major piece of Internet infrastructure like IOS.

Bonneau writes, "While we don't know what internal security measures Apple takes with its signing key, we should hope they are very strict. Apple would not want to store it on Internet-connected computers, nor allow a small group of employees to abscond with it or to secretly use the key on their own. It is most likely stored in a secure hardware module in a physical vault (or possibly split across several vaults) and requires several high-level Apple personnel to unlock the key and sign a new code release."

He goes on to compare the process with the DNSSEC Root KSK signing ceremony process, "a complicated procedure involving dozens of people," and mentioned that there was video online. There is! I watched it! You should too! It's pretty rad, solemn, techie, and interesting.