Integrating Code Signing in AWS DevOps

AWS CodePipeline

AWS CodePipeline is a continuous delivery service that enables you to model, visualize, and automate the steps required to release your software. With AWS CodePipeline, you model the full release process for building your code, deploying to pre-production environments, testing your application and releasing it to production. AWS CodePipeline then builds, tests, and deploys your application according to the defined workflow every time there is a code change. You can integrate partner tools and your own custom tools into any stage of the release process to form an end-to-end continuous delivery solution.
Some of the key components and concepts associated with AWS CodePipeline are:
  1. Pipeline: A pipeline is a workflow construct that describes how software changes go through a release process. Each pipeline is made up of a series of stages.
  2. Stages: A stage is a logical unit you can use to isolate an environment and to limit the number of concurrent changes in that environment. Each stage contains actions that are performed on the application artifacts. Your source code is an example of an artifact. A stage might be a build stage, where the source code is built and tests are run. It can also be a deployment stage, where code is deployed to runtime environments. Each stage is made up of a series of serial or parallel actions.
  3. Transitions: A transition is the point where a pipeline execution moves to the next stage in the pipeline. You can disable a stage's inbound transition to prevent executions from entering that stage, and then you can enable the transition to allow executions to continue. When more than one execution arrives at a disabled transition, only the latest execution continues to the next stage when the transition is enabled. This means that newer executions continue to supersede waiting executions while the transition is disabled, and then after the transition is enabled, the execution that continues is the superseding execution.
  4. Actions: An action is a set of operations performed on application code and configured so that the actions run in the pipeline at a specified point. This can include things like a source action from a code change, an action for deploying the application to instances, and so on. For example, a deployment stage might contain a deployment action that deploys code to a compute service like Amazon EC2 or AWS Lambda. Valid CodePipeline action types are source, build, test, deploy, approval, and invoke.
For more information on the concepts of AWS CodePipeline, refer to CodePipeline concepts.

CodePipeline Configuration File

Sample AWS CodeBuild buildspec (buildspec.yml) signing with Jarsigner and the AppViewX SIGN+ PKCS#11 provider
version: 0.2

phases:
  install:
    runtime-versions:
      java: openjdk17
      maven: 3.8

  pre_build:
    commands:
      # AWS CodeBuild clones the CodeCommit repository before this phase runs
      - echo "Pre-build phase started"
      - echo "Source code checkout completed"
      - echo "running as $(whoami)"

  build:
    commands:
      # Maven build; the single quotes keep YAML from reading ': ' as a mapping
      - 'echo "Working directory: $(pwd)"'
      - echo "Build phase started"
      - mvn clean install

  post_build:
    commands:
      - echo "Post-build phase started"
      - 'echo "Working directory: $(pwd)"'
      - echo "signing artifacts"
      # Sign the built jar through the AppViewX PKCS#11 provider and timestamp it
      - jarsigner.exe -verbose -keystore NONE -storetype PKCS11 -certs -providerclass sun.security.pkcs11.SunPKCS11 -providerArg "C:\Windows\system32\config\systemprofile\AppData\Roaming\AppViewX Sign+\AVXPKCS11V1.cfg" -storepass NONE target/simple-poc-1.0.0.jar -signedjar target/simple-poc-1.0.0_signed.jar -tsa "http://timestamp.digicert.com" -sigalg "SHA256withRSA" "AppViewX Inc Test's AppViewX Intermediate CA"
      - echo "Build completed successfully"

artifacts:
  files:
    - target/**/*
  discard-paths: no

For more information on declaring the pipeline configuration, refer to Pipeline declaration - AWS CodePipeline.

Note: The above script is an example showing how an artifact generated after the build process is signed using Jarsigner and the AppViewX PKCS11 provider. The same approach can be extended to sign other post-build artifacts with tools like Nuget, Jarsigner, JSign etc., using the commands generated in the README after executing the SIGN+ Installer executable on the runner machine or CI/CD server.

Code Signing Integration with Native Tools using AppViewX SIGN+ in AWS CodePipeline:

Prerequisites

  1. The pipeline should be configured with the required Build stages and the required artifacts should be ready for signing.
  2. Copy the downloaded SIGN+_Package to the configured runner machine or agent and install the package.
  3. Ensure the connectivity from the runner machine to the SIGN+ API Connector URL Node (Compute Cluster, Cloud Connector, LoadBalancer or OnPrem Worker Node).

Using Signtool with AppViewX CSP

  1. Run the AppViewX SIGN+ Installer executable in the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
  2. Copy the signtool command generated in the README File after installation and update the Script Section with the generated command:
    signtool.exe sign /f <path to certificate> /fd <digest algorithm> /csp <csp_name> /k <key_alias_name> /tr <timestamp_url> /td <timestamp_digest> <input_file_path>
    • /f <path to certificate>: Path to your code-signing certificate.
    • /fd <digest algorithm>: Specifies the hashing algorithm.
    • /csp <csp_name>: Name of the Cryptographic Service Provider (CSP).
    • /k <key_alias_name>: Key container name.
    • /tr <timestamp_url>: Obtains a timestamp from a trusted timestamping authority.
    • /td <timestamp_digest>: Specifies the timestamp digest algorithm.
    • <input_file_path>: Path to the file to be signed.
    The <path to certificate>, <digest algorithm>, <csp_name>, <key_alias_name>, <timestamp_url> and <timestamp_digest> parameters are auto-generated based on the signing policy configurations in the README after running the SIGN+ Installer.

Using JarSigner with AppViewX CSP

  1. Run the AppViewX SIGN+ Installer executable in the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
  2. Copy the Jarsigner command generated in the README File and update the Script Section with the generated command:
    jarsigner.exe -verbose -storetype "Windows-My" -keystore NONE -tsa <time_stamp_url> <input_file_path> -signedjar <output_file_path> -sigalg <signature algorithm> <keypair alias>
    The <time_stamp_url>, <signature algorithm> and <keypair alias> parameters are auto-generated in the README after running the SIGN+ Installer.

Using Nuget with AppViewX CSP

  1. Run the AppViewX SIGN+ Installer executable in the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
  2. Copy the nuget command generated in the README File and update the Script Section with the generated command:
    nuget.exe sign <input_file_path> -Timestamper <timestamp_url> -CertificateFingerprint <certificate_fingerprint> -HashAlgorithm <hashing_algorithm> -Verbosity detailed -Overwrite
    The <timestamp_url>, <certificate_fingerprint> and <hashing_algorithm> parameters are auto-generated in the README after running the SIGN+ Installer.

Using JarSigner with AppViewX PKCS#11 Provider

  1. Run the AppViewX SIGN+ Installer executable in the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
  2. Copy the Jarsigner command generated in the README File and update the Script Section with the generated command:
    jarsigner -verbose -keystore NONE -storetype PKCS11 -certs -providerclass sun.security.pkcs11.SunPKCS11 -providerArg <path to AVXPKCS11V1.cfg> <input_file_path> -signedjar <output_file_path> -tsa <time_stamp_url> -sigalg <signature algorithm> <keypair alias>
    The <path to AVXPKCS11V1.cfg>, <time_stamp_url>, <signature algorithm> and <keypair alias> parameters are auto-generated in the README after running the SIGN+ Installer.

Using JSign with AppViewX PKCS#11 Provider

  1. Run the AppViewX SIGN+ Installer executable in the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
  2. Copy the JSign command generated in the README File and update the Script Section with the generated command:
    java -jar <path_to_jsign_jar> --keystore <path to AVXPKCS11V1.cfg> --storetype PKCS11 --storepass 12345678 --alias <keypair alias> --alg <digest algorithm> --tsaurl <timestamp url> <input_file_path>
    The <path to AVXPKCS11V1.cfg>, <keypair alias>, <digest algorithm> and <timestamp url> parameters are auto-generated based on the signing policy configurations in the README after running the SIGN+ Installer.

Using APKSigner with AppViewX PKCS#11 Provider

  1. Run the AppViewX SIGN+ Installer executable in the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
  2. Copy the APKSigner command generated in the README File and update the Script Section with the generated command:
    java -jar <path_to_apk_signer_jar> sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <path to AVXPKCS11V1.cfg> --ks NONE --ks-type PKCS11 --ks-pass pass:12345678 --ks-key-alias <keypair alias> --in "<input_file_path>" --out "<output_file_path>" --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false
    The <path to AVXPKCS11V1.cfg> and <keypair alias> parameters are auto-generated based on the signing policy configurations in the README after running the SIGN+ Installer.
    Note: The script can be configured to sign with any tool using the commands generated in the README File, as required.
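As an added example that is not part of the AppViewX or AWS documentation, the following Python lint checks the post_build signing step of a buildspec like the sample above against the tool options listed in the sections on Signtool, JarSigner, Nuget and JSign: every signing command must carry its timestamp option, jarsigner must write to a separate -signedjar output, a store PIN must not sit in the buildspec, and an unquoted "colon-space" in a command must be flagged before YAML turns it into a mapping. It assumes the 2-space buildspec layout shown on this page; the constructed SAMPLE fragment and the minimal scanner that stands in for a YAML parser are mine.

```python
import re, shlex

# Timestamp option of each signing tool shown on this page (apksigner has none).
TSA_FLAG = {"jarsigner": "-tsa", "signtool": "/tr",
            "nuget": "-Timestamper", "jsign": "--tsaurl"}

def post_build_commands(buildspec: str) -> list:
    """Raw list items under post_build; comments and blank lines are skipped."""
    items, base = [], None
    for line in buildspec.splitlines():
        text, indent = line.strip(), len(line) - len(line.lstrip())
        if text == "post_build:":
            base = indent
        elif base is None or not text or text.startswith("#"):
            continue
        elif indent <= base:            # next phase or top-level section
            break
        elif text.startswith("- "):
            items.append(text[2:].strip())
    return items

def lint_command(raw: str) -> list:
    """Findings for one command; an empty list means nothing to report."""
    found = []
    if raw[:1] not in ("'", '"') and ": " in raw:
        found.append("unquoted ': ' makes YAML read the item as a mapping; quote the command")
    tool = next((t for t in TSA_FLAG if re.search(rf"\b{t}(\.exe)?\b", raw, re.I)), None)
    if tool is None:
        return found                    # not a signing command
    tokens = shlex.split(raw, posix=False)   # non-POSIX keeps Windows backslashes
    if TSA_FLAG[tool] not in tokens:
        found.append(f"{tool}: no {TSA_FLAG[tool]}; signature stops validating at cert expiry")
    if tool == "jarsigner" and "-signedjar" not in tokens:
        found.append("jarsigner: no -signedjar, the unsigned input jar is overwritten")
    if re.search(r"(?:storepass\s+|pass:)(?!NONE\b)\S+", raw):
        found.append("store PIN hard-coded in buildspec; inject it from a secret instead")
    return found

def lint_buildspec(buildspec: str) -> dict:
    return {c: f for c in post_build_commands(buildspec) if (f := lint_command(c))}

# Constructed fragment: the echo has an unquoted colon, the jarsigner call lacks -tsa and -signedjar.
SAMPLE = """\
  post_build:
    commands:
      - echo "Working directory: $(pwd)"
      - jarsigner.exe -verbose -keystore NONE -storetype PKCS11 -providerArg "C:\\cfg\\AVXPKCS11V1.cfg" -storepass NONE target/app.jar -sigalg SHA256withRSA "Signing Key"
artifacts:
  files: [target/**/*]
"""
```

Running lint_buildspec(SAMPLE) reports one finding for the echo line and two for the jarsigner line; a command that carries its timestamp option and an external PIN comes back with an empty list.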