SignPath for DevOps
Code Signing in the pipeline
With SignPath.io, code signing can be integrated into your existing continous deployment pipeline with just a few steps. You don't need to worry about connecting usb tokens to build servers, handling passwords prompts or securing your private keys. Signing just becomes one more step in your process, even for nested artifacts. Thanks to a clear separation of concerns, DevOps engineers can focus on the build and deployment process and leave the security concerns to their InfoSec colleagues.
Build process integration
SignPath.io is built with DevOps in mind. Adding a code signing step to your build process requires just a few lines of code by including our PowerShell script, calling the API directly or using one of our build system integrations. The artifact is then extracted, and all specified files are signed recursively. SignPath can be integrated in a synchronous and an asynchronous call, providing flexibility for different use cases. In the synchronous case, the build job waits for the uploaded artifact to be signed and continues with the following steps right away. In the asynchronous case, the signing request has to be approved and a second pipeline is then started for e.g. deploying the signed artifact. Deeper integration including origin verification is supported with AppVeyor, all other CI systems such as Jenkins, Travis, TeamCity or CircleCI can be integrated by using a generic REST call via PowerShell or cURL.
Submit-SigningRequest `
-OrganizationId $SIGNPATH_ORGANIZATION_ID `
-ApiToken $SIGNPATH_API_TOKEN `
-ProjectSlug my_software `
-SigningPolicySlug release-signing `
-InputArtifactPath my-release.msi `
-OutputArtifactPath my-release-signed.msi `
-WaitForCompletion
result=$(curl "https://app.signpath.io/api/v1/${SIGNPATH_ORGANIZATION_ID}/SigningRequests" \
-H "Authorization: Bearer ${SIGNPATH_API_TOKEN}" \
-F "ProjectSlug=my_software" \
-F "SigningPolicySlug=release-signing" \
-F "Artifact=@./my-release.msi" \
--retry 20 --retry-delay 30 --silent --verbose)
url=$( echo "$result" | grep -i '^< Location: ' | grep -io 'https://.*' | tr -d '\r' )
curl "$url/SignedArtifact" --output "my-release-signed.msi" --silent \
-H "Authorization: Bearer ${SIGNPATH_API_TOKEN}"
submitSigningRequest(
organizationId: "${params.SIGNPATH_ORGANIZATION_ID}",
ciUserTokenCredentialId: "${params.SIGNPATH_CI_USER_CREDENTIAL_ID}",
projectSlug: "my_software",
signingPolicySlug: "release-signing",
inputArtifactPath: "build-output/my-release.msi",
outputArtifactPath: "build-output/my-release-signed.msi",
waitForCompletion: true
)
deploy:
- provider: Webhook
url: https://app.signpath.io/API/v1/$(SIGNPATH_ORGANIZATION_ID)/Integrations/AppVeyor?ProjectSlug=my_software&SigningPolicySlug=release-siging
authorization:
secure: VGhpcyBpcyBub3QgdGhlIHNlY3JldCB0b2tlbiB5b3UgYXJlIGxvb2tpbmcgZm9yLi4uIC0gU2lnblBhdGguaW8=
- task: SignPathSubmitSigningRequest@2
inputs:
organizationId: '$(SIGNPATH_ORGANIZATION_ID)'
ciUserToken: '$(SIGNPATH_API_TOKEN)'
projectSlug: 'my_software'
signingPolicySlug: 'release-siging'
inputArtifactPath: 'my-release.msi'
outputArtifactPath: '$(Build.ArtifactStagingDirectory)/my-release-signed.msi'
waitForCompletion: 'sync'
Origin verification for enhanced security
For selected CI systems, SignPath can provide even more transparency by verifying that each signed artifact stems from a specific code repository, branch and source code commit. By integrating the origin information in the signature, each signed artifact can be traced back to the source code that it was build from.
Manual approval steps
Security critical tasks such as code signing often include manual approval steps in order to increase the security and avoid malicious code to be deployed into a production system. SignPath.io allows you to configure multiple security restrictions, including manual approvals. All details necessary to validate the artifact, such as its origin, SHA256 hash and contents are readily available in the web application.