Integrating Code Signing in GitHub Actions Pipeline

Github Actions Pipeline

GitHub Actions is a continuous integration and continuous development (CI/CD) platform that allows users to automate their build, test, and deployment pipeline. Users may design workflows that build and test every pull and push request to their repository or deploy merged pull requests to production. GitHub Actions is a powerful tool that allows developers to automate workflows within their GitHub repositories. Each workflow is made up of one or more jobs, which are made up of one or more steps. Each step is a set of commands that are executed on a runner, which is a virtual machine that runs the required workflows.

GitHub Actions Configuration File

To get started with GitHub Actions, a GitHub account and a repository is required. Once creating the repository, create a new workflow by adding a YAML file to the .github/workflows directory in the created repository. Some of the terms used in the YAML file defining workflow are as follows:

name: name of the workflow.
on: specifies when the workflow should be triggered. For example, the workflow can run when a pull request is opened on a branch.
jobs: a list of jobs that will be executed as part of the workflow.
run-on: specifies the operating system and environment for the job.
steps: specifies a list of steps that will be executed as part of the job.
uses: a shortcut for using an existing action from the GitHub Marketplace.
name: specifies the name of the step.
run: This is a shell command that will be executed as part of the step.

Code Signing Integration with Native Tools using AppViewX SIGN+ in Github Actions Pipeline:

Prerequisites

A GitHub repository with GitHub Actions pipeline setup in the runner.
Download the SIGN+_Package.zip for the required OS and install in the required build server/runner and ensure connectivity from the build server/runner to the SIGN+ API Connector URL.

Sample Github Actions Configuration file with AppViewX SIGN+ CSP and Microsoft Signtool

name: Code Signing using AppViewX SIGN+

on:
  push:
    branches: <[ Branch Name ]>

jobs:
  build:
    runs-on: <Runner name>
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Build code
        uses: msbuild <build parameters>

      - name: Sign code using AppViewX CSP
        run: |
         signtool.exe sign /f Codesign.cer  /fd sha256  /csp "AppViewX Enhanced Cryptographic Service Provider" /k "FF6CAB70-49EF-4A04-9ED6-967135E937E4" /tr "http://timestamp.digicert.com" /td sha265 <Path of Input Artifact>

Note: The above script is an example showcasing the signing of an artifact generated post the build process using Microsoft Signtool and AppViewX CSP. The same can be extended to include the signing of other artifacts generated post build with tools like Nuget, Jarsigner, JSign etc.. using the commands generated in the README after executing the SIGN+ Installer executable in the GitHub Actions workflow or any CI/CD Server.

Code Signing Integration with AppViewX CSP/PKCS#11:

Using Signtool with AppViewX CSP

Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
Copy the signtool command generated in the README File and update the Github Actions Configuration File with the appropriate script.
```
- name: Sign using Signtool and AppViewX CSP
- script: signtool.exe sign /f <path to certificate>  /fd <digest algorithm>  /csp <csp_name> /k <key_alias_name> /tr <timestamp_url> /td <timestamp digest algorithm>  <input_file_path>
```
- /f <path to certificate>: Path to your code-signing certificate.
- /fd <digest algorithm>: Specifies the hashing algorithm.
- /csp <csp_name>: Name of Cryptographic Service Provider (CSP).
- /k <key_alias_name>: Key Container Name.
- /tr <timestamp_url>: Provides a timestamp from a trusted timestamping authority.
- /tr <timestamp_digest>: Specifies the timestamping Digest algorithm.
- <input_file_path>: Path to the file to be signed.
The <path to certificate>, <digest algorithm>, <csp_name>, <key_alias_name>, <timestamp_url>, <timestamp_digest> parameters are auto generated based on the signing policy configurations in the README after running the SIGN+ Installer.

Using JarSigner with AppViewX CSP

Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.

Copy the Jarsigner command generated in the README File and update the Github Actions Configuration File with the appropriate script.

- name: Sign using Jarsigner and AppViewX CSP
- script: jarsigner.exe -verbose -storetype "Windows-My" -keyStore NONE -tsa <time_stamp_url> <input_file_path> -signedjar <output_file_path> -sigalg <signature algorithm> <keypair alias>

The <time_stamp_url>, <signature algorithm> and <keypair alias> parameters are auto generated in the README after running the SIGN+ Installer.

Using Nuget with AppViewX CSP

Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.

Copy the nuget command generated in the README File and update the Github Actions Configuration File with the appropriate script.

- name: Sign using Nuget and AppViewX CSP
- script: nuget.exe sign <input_file_path> -Timestamper <timestamp_url> -CertificateFingerprint <certificate_fingerprint> -HashAlgorithm <hashing_algorithm> -Verbosity detailed -Overwrite

The <time_stamp_url>, <certificate_fingerprint> and <hashing_algorithm> parameters are auto generated in the README after running the SIGN+ Installer.

Using JarSigner with AppViewX PKCS#11 Provider

Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.

Copy the Jarsigner command generated in the README File and update the Github Actions Configuration File with the appropriate script.

- name: Sign using Jarsigner and AppViewX PKCS#11 Provider
- script: jarsigner.exe -verbose -keystore NONE -storetype PKCS11 -certs -providerclass sun.security.pkcs11.SunPKCS11 -providerArg <path to AVXPKCS11V1.cfg> <input_file_path> -signedjar <output_file_path> -tsa <time_stamp_url> -sigalg <signature algorithm> <keypairalias>

The <path to AVXPKCS11V1.cfg>, <time_stamp_url>, <signature algorithm> and <keypair alias> parameters are auto generated in the README after running the SIGN+ Installer.

Using JSign with AppViewX PKCS#11 Provider

Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.

Copy the JSign command generated in the README File and update the Github Actions Configuration File with the script.

- name: Sign using JSign and AppViewX PKCS#11 Provider
- script: java -jar <path_to_jsign_jar> --keystore <path to AVXPKCS11V1.cfg> --storetype PKCS11 --storepass 12345678 --alias <keypair alias>  --alg <digest algorithm> --tsaurl <timestamp url> <input_file_path>

The <path to AVXPKCS11V1.cfg>, <keypair alias>, <digest algorithm>, <timestamp url> parameters are auto generated based on the signing policy configurations in the README after running the SIGN+ Installer.

Using APKSigner with AppViewX PKCS#11 Provider

Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.

Copy the APKSigner command generated in the README File and update the Github Actions Configuration File with the appropriate script.

- name: Sign using APKSigner and AppViewX PKCS#11 Provider
- script: java -jar <path_to_apk_signer_jar> sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <path to AVXPKCS11V1.cfg> --ks NONE --ks-type PKCS11 --ks-pass pass:12345678 --ks-key-alias <keypair alias> --in "<input_file_path>" --out "<output_file_path>" --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false

The <path to AVXPKCS11V1.cfg>, <keypair alias> parameters are auto generated based on the signing policy configurations in the README after running the SIGN+ Installer.