SignPath for DevOps
Code Signing in the pipeline
With SignPath, code signing can be integrated into your existing continuous deployment pipeline in just a few steps. You don't need to worry about connecting USB tokens to build servers, handling password prompts, or securing your private keys. Signing just becomes one more step in your process, even for nested artifacts.
Thanks to a clear separation of concerns, DevOps engineers can focus on the build and deployment process and leave the security concerns to their InfoSec colleagues.
Build process integration
SignPath is built with DevOps in mind. To add code signing, just use the SignPath extension for your CI/CD system. When using Pipeline Integrity, this integration verifies the build's origin and the artifact's integrity. Optionally, security parameters of source code and build pipeline can be analyzed and constrained by policies.
View CI/CD connector documentation
Other CI/CD systems, such as Travis, CircleCI, or Bamboo, can be integrated via the command line (PowerShell cmdlet) or a REST call.
View general integration documentation
SignPath processes entire releases. All artifacts are analyzed, compared to artifact configurations, and then signed. Nested components, such as installers and packages, can be processed in place.
View artifact configuration documentation
SignPath can be integrated synchronously or asynchronously, providing flexibility for different use cases:
- Synchronous integration: the build job waits for the signed artifacts and continues with the following steps right away.
- Asynchronous integration: the build job can terminate or pause after submitting the signing request (depending on the CI/CD system). This allows for large signing requests (without blocking CI/CD agents) and for manual approval. The signed artifact can then be picked up directly from SignPath or processed by a new or resumed CI job.
Jenkins (pipeline step):

submitSigningRequest(
  organizationId: "${params.SIGNPATH_ORGANIZATION_ID}",
  ciUserTokenCredentialId: "${params.SIGNPATH_CI_USER_CREDENTIAL_ID}",
  projectSlug: "my_software",
  signingPolicySlug: "release-signing",
  inputArtifactPath: "build/my-release.msi",
  outputArtifactPath: "build-signed/my-release.msi",
  waitForCompletion: true   // synchronous: the job blocks until the signed file is back
)

GitHub Actions (workflow step):

- uses: signpath/github-action-submit-signing-request@v0.4
  with:
    api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
    organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
    project-slug: 'my_software'
    signing-policy-slug: 'release-signing'
    # the unsigned build output is handed over as an uploaded GitHub artifact, not as a path
    github-artifact-id: '${{ steps.upload-unsigned-artifact.outputs.artifact-id }}'
    output-artifact-directory: './build-signed'
    wait-for-completion: 'true'

Azure DevOps (pipeline task):

- task: SubmitSigningRequest@1
  inputs:
    serviceConnectionName: 'my-signpath-service-connection'   # the service connection holds the API token
    projectSlug: 'my_software'
    signingPolicySlug: 'release-signing'
    azureDevOpsArtifactName: 'my-artifact'
    outputArtifactDirectory: './build-signed'
    waitForCompletion: true

TeamCity (Kotlin DSL):

signPathSubmitSigningRequest {
    connectorUrl = "https://tc-connector.localdomain.com"
    organizationId = "%SignPath.OrganizationId%"
    apiToken = "credentialsJSON:a03ec855-c92c-4f33-8877-b8ab1726afd4"   // TeamCity secure-value reference, not the token itself
    projectSlug = "my_software"
    signingPolicySlug = "release-signing"
    inputArtifactPath = "./build/my-release.msi => my_release"
    outputArtifactPath = "./build-signed/my-release.msi"
    waitForCompletion = true
}

AppVeyor (appveyor.yml):

deploy:
  - provider: Webhook
    url: https://app.signpath.io/API/v1/$(SIGNPATH_ORGANIZATION_ID)/Integrations/AppVeyor?ProjectSlug=my_software&SigningPolicySlug=release-signing
    authorization:
      secure: VGhpcyBpcyBub3QgdGhlIHNlY3JldCB0b2tlbiB5b3UgYXJlIGxvb2tpbmcgZm9yLi4uIC0gU2lnblBhdGguaW8=   # AppVeyor-encrypted value

PowerShell (SignPath cmdlet):

Submit-SigningRequest `
    -OrganizationId $SIGNPATH_ORGANIZATION_ID `
    -ApiToken $SIGNPATH_API_TOKEN `
    -ProjectSlug my_software `
    -SigningPolicySlug release-signing `
    -InputArtifactPath build/my-release.msi `
    -OutputArtifactPath build-signed/my-release.msi `
    -WaitForCompletion

REST API (cURL):

# Submit the artifact. The signing request URL comes back in the Location header, which
# curl prints on stderr under --verbose, so stderr is merged into the captured output.
result=$(curl "https://app.signpath.io/api/v1/${SIGNPATH_ORGANIZATION_ID}/SigningRequests" \
    -H "Authorization: Bearer ${SIGNPATH_API_TOKEN}" \
    -F "ProjectSlug=my_software" \
    -F "SigningPolicySlug=release-signing" \
    -F "Artifact=@./build/my-release.msi" \
    --retry 20 --retry-delay 30 --silent --verbose 2>&1)
url=$( echo "$result" | grep -i '^< Location: ' | grep -io 'https://.*' | tr -d '\r' )
# Download the signed artifact from the signing request.
curl "$url/SignedArtifact" --output "build-signed/my-release.msi" --silent \
    -H "Authorization: Bearer ${SIGNPATH_API_TOKEN}"
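The asynchronous flow described above, put into a small client as an added example (this is not SignPath's own client code). It performs the same calls as the cURL snippet: submit the artifact and read the signing request URL from the Location header, then poll the request until it reaches a final state and download the signed file, refusing to proceed if the request was denied or failed. Polling as a GET on the request URL, the JSON fields "status" and "isFinalStatus", and the status names "Completed" and "Denied" are assumptions about the API and should be checked against the SignPath API documentation; the HTTP transport is injectable so the flow can be exercised offline against a fake server.

```python
"""Asynchronous signing flow against the SignPath REST API: submit, poll, download.

Added example for this page, not SignPath's own client. Endpoints follow the cURL
snippet above (POST .../SigningRequests, Location header, GET .../SignedArtifact).
ASSUMPTION: GET on the request URL returns JSON with "status" and "isFinalStatus",
and "Completed"/"Denied" are assumed status names; check the SignPath API docs.
"""
import hashlib
import json
import os
import sys
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]  # (HTTP status, lower-cased headers, body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]

API_BASE = "https://app.signpath.io/api/v1"
BOUNDARY = "----signpath-example-boundary-7d3a"  # fixed multipart boundary (example only)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Response:
    """Real transport: one HTTP round trip via the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()


def multipart_body(fields: Dict[str, str], file_field: str, filename: str, content: bytes) -> bytes:
    """Build the multipart/form-data body that curl's -F options would produce."""
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'.encode()
             for n, v in fields.items()]
    parts.append(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{file_field}"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
                 + content + b"\r\n")
    parts.append(f"--{BOUNDARY}--\r\n".encode())
    return b"".join(parts)


class SignPathClient:
    def __init__(self, organization_id: str, api_token: str,
                 transport: Transport = urllib_transport, sleep=time.sleep):
        self.base = f"{API_BASE}/{organization_id}"
        self.token = api_token
        self.transport = transport
        self.sleep = sleep

    def _headers(self, extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token}", **(extra or {})}

    def submit(self, project_slug: str, policy_slug: str, filename: str, artifact: bytes) -> Tuple[str, str]:
        """POST the unsigned artifact. Returns (signing request URL, SHA-256 of the input);
        log the hash so an approver can compare it with the value shown in the web app."""
        body = multipart_body({"ProjectSlug": project_slug, "SigningPolicySlug": policy_slug},
                              "Artifact", filename, artifact)
        ctype = {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
        code, headers, _ = self.transport("POST", f"{self.base}/SigningRequests", self._headers(ctype), body)
        if code != 201 or "location" not in headers:
            raise RuntimeError(f"submit failed: HTTP {code}")
        return headers["location"].strip(), sha256_hex(artifact)

    def poll(self, request_url: str) -> dict:
        code, _, body = self.transport("GET", request_url, self._headers(), None)
        if code != 200:
            raise RuntimeError(f"status query failed: HTTP {code}")
        return json.loads(body)

    def wait(self, request_url: str, timeout_s: float = 3600, interval_s: float = 30) -> dict:
        """Poll until the request reaches a final state; a manual approval may take a while."""
        deadline = time.monotonic() + timeout_s
        while True:
            state = self.poll(request_url)
            if state.get("isFinalStatus"):
                return state
            if time.monotonic() >= deadline:
                raise TimeoutError(f"request still {state.get('status')} after {timeout_s}s")
            self.sleep(interval_s)

    def download(self, request_url: str, state: dict) -> bytes:
        """Fetch the signed artifact; refuse anything that is not a completed request."""
        if state.get("status") != "Completed":
            raise RuntimeError(f"signing request ended as {state.get('status')}; nothing to deploy")
        code, _, body = self.transport("GET", f"{request_url}/SignedArtifact", self._headers(), None)
        if code != 200:
            raise RuntimeError(f"download failed: HTTP {code}")
        return body


if __name__ == "__main__":
    # python signpath_async.py build/my-release.msi build-signed/my-release.msi
    client = SignPathClient(os.environ["SIGNPATH_ORGANIZATION_ID"], os.environ["SIGNPATH_API_TOKEN"])
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        url, digest = client.submit("my_software", "release-signing", os.path.basename(src), f.read())
    print(f"submitted {url}; unsigned input SHA-256 {digest}")
    with open(dst, "wb") as f:
        f.write(client.download(url, client.wait(url)))
```

Split across two CI jobs, the first job ends after submit() and records the request URL and input hash; a later job (or a webhook-triggered one) calls wait() and download(). The hash returned by submit() is the hash of the unsigned input, which is what an approver compares against in the web application before approving, so it belongs in the build log.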
Origin verification for enhanced security
For selected CI systems, SignPath provides even more transparency by verifying that each signed artifact stems from a specific code repository, branch and source code commit. By embedding this origin information in the signature, each signed artifact can be traced back to the source code that it was built from.
Manual approval steps
Security-critical tasks such as code signing often include manual approval steps to increase security and prevent malicious code from being deployed to a production system. SignPath allows you to configure multiple security restrictions, including manual approvals. All details necessary to validate the artifact, such as its origin, SHA-256 hash and contents, are readily available in the web application.