SignPath for DevOps

Code Signing in the pipeline

With SignPath, code signing can be integrated into your existing continous deployment pipeline with just a few steps. You don't need to worry about connecting USB tokens to build servers, handling passwords prompts or securing your private keys. Signing just becomes one more step in your process, even for nested artifacts.

Thanks to a clear separation of concerns, DevOps engineers can focus on the build and deployment process and leave the security concerns to their InfoSec colleagues.

Start free trial

Build process integration

SignPath is built with DevOps in mind. To add code signing, just use the SignPath extension for your CI/CD system. When using Pipeline Integrity, this integration verifies the build's origin and the artifact's integrity. Optionally, security parameters of source code and build pipeline can be analyzed and constrained by policies.

View CI/CD connector documentation

Other CI/CD systems, such as Travis, CircleCI, or Bamboo, can be integrated via the command line (PowerShell cmdlet) or a REST call.

View general integration documentation

SignPath processes entire releases. All artifacts are analyzed, compared to artifact configurations, and then signed. Nested components, such as installers and packages, can be processed in place.

View artifact configuration documentation

SignPath can be integrated synchronously or asynchronously, providing flexibility for different use cases:

Synchronous integration: the build job waits for the signed artifacts and continues with the following steps right away.
Asynchronous integration: the build job can terminate or pause after submitting the signing request (depending on CI/CD system). This allows for large signing requests (without blocking CI/CD agents) and manual approval. The signed artifact can then be picked up directly from SignPath or processed by a new or resumed CI job.


          submitSigningRequest( 
            organizationId: "${params.SIGNPATH_ORGANIZATION_ID}", 
            ciUserTokenCredentialId: "${params.SIGNPATH_CI_USER_CREDENTIAL_ID}", 
            projectSlug: "my_software", 
            signingPolicySlug: "release-signing", 
            inputArtifactPath: "build/my-release.msi", 
            outputArtifactPath: "build-signed/my-release.msi", 
            waitForCompletion: true 
          )


          - uses: signpath/github-action-submit-signing-request@v0.4 
            with:
              api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
              organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
              project-slug: 'my_software'
              signing-policy-slug: 'release-signing'
              github-artifact-id: '${{ steps.upload-unsigned-artifact.outputs.artifact-id }}'
              output-artifact-directory: './build-signed'
              wait-for-completion: 'true'


          - task: SubmitSigningRequest@1 
            inputs:
              serviceConnectionName: 'my-signpath-service-connection'
              projectSlug: 'my_software'
              signingPolicySlug: 'release-signing'
              azureDevOpsArtifactName: 'my-artifact'
              outputArtifactDirectory: './build-signed'
              waitForCompletion: true


          signPathSubmitSigningRequest {
            connectorUrl = "https://tc-connector.localdomain.com"
            organizationId = "%SignPath.OrganizationId%"
            apiToken = "credentialsJSON:a03ec855-c92c-4f33-8877-b8ab1726afd4"
            projectSlug = "my_software"
            signingPolicySlug = "release-signing"
            inputArtifactPath = "./build/my-release.msi => my_release"
            outputArtifactPath = "./build-signed/my-release.msi"
            waitForCompletion = true
          }


          deploy:
            - provider: Webhook
            url: https://app.signpath.io/API/v1/$(SIGNPATH_ORGANIZATION_ID)/Integrations/AppVeyor?ProjectSlug=my_software&SigningPolicySlug=release-signing
            authorization:
              secure: VGhpcyBpcyBub3QgdGhlIHNlY3JldCB0b2tlbiB5b3UgYXJlIGxvb2tpbmcgZm9yLi4uIC0gU2lnblBhdGguaW8=


          Submit-SigningRequest `
              -OrganizationId $SIGNPATH_ORGANIZATION_ID `
              -ApiToken $SIGNPATH_API_TOKEN `
              -ProjectSlug my_software `
              -SigningPolicySlug release-signing `
              -InputArtifactPath build/my-release.msi `
              -OutputArtifactPath build-signed/my-release.msi `
              -WaitForCompletion


          result=$(curl "https://app.signpath.io/api/v1/${SIGNPATH_ORGANIZATION_ID}/SigningRequests" \
            -H "Authorization: Bearer ${SIGNPATH_API_TOKEN}" \
            -F "ProjectSlug=my_software" \
            -F "SigningPolicySlug=release-signing" \
            -F "Artifact=@./build/my-release.msi" \
            --retry 20 --retry-delay 30 --silent --verbose)
          url=$( echo "$result" | grep -i '^< Location: ' | grep -io 'https://.*' | tr -d '\r' )
          curl "$url/SignedArtifact" --output "build-signed/my-release.msi" --silent  \
            -H "Authorization: Bearer ${SIGNPATH_API_TOKEN}"

Origin verification for enhanced security

For selected CI systems, SignPath can provide even more transparency by verifying that each signed artifact stems from a specific code repository, branch and source code commit. By integrating the origin information in the signature, each signed artifact can be traced back to the source code that it was build from.

Manual approval steps

Security critical tasks such as code signing often include manual approval steps in order to increase the security and avoid malicious code to be deployed into a production system. SignPath allows you to configure multiple security restrictions, including manual approvals. All details necessary to validate the artifact, such as its origin, SHA256 hash and contents are readily available in the web application.

SignPath for DevOps

Code Signing in the pipeline

Build process integration

Origin verification for enhanced security

Manual approval steps

Sign up for news and special offers

Cookie settings