Integrating Code Signing in GitLab Pipeline
GitLab
GitLab Pipeline
The pipeline is divided into various stages, and each stage consists of one or more jobs. Agents called GitLab Runners execute the jobs defined in the pipeline when they are triggered by various events such as code pushes, merge requests, etc.
GitLab Configuration File
A .gitlab-ci.yml file might contain:
stages:
  - build
  - test

build-code-job:
  stage: build
  script:
    - echo "Signing Command 1"

test-code-job1:
  stage: test
  script:
    - echo "Signing Command 2"
Code Signing Integration with Native Tools using AppViewX SIGN+ in GitLab Pipeline
- A Git repository with GitLab pipeline setup in the runner.
- Download the SIGN+_Package.zip for the required OS, install it on the required build server/runner, and ensure connectivity from the build server/runner to the SIGN+ API Connector URL.
Note: The SIGN+_Package should be installed under the same user as the one under which the pipeline job is triggered.
Sample GitLab Configuration file with AppViewX SIGN+ CSP and Microsoft Signtool
...
code_signing:
  script:
    - signtool.exe sign /f Codesign.cer /fd sha256 /csp "AppViewX Enhanced Cryptographic Service Provider" /k "FF6CAB70-49EF-4A04-9ED6-967135E937E4" /tr "http://timestamp.digicert.com" /td sha256 <Path of Input Artifact>
...
Note: The above script is an example showing how an artifact generated by the build process is signed using Microsoft Signtool and the AppViewX CSP. The same approach can be extended to sign other post-build artifacts with tools such as Nuget, Jarsigner and JSign, using the commands generated in the README after running the SIGN+ Installer executable on the GitLab Runner or any other CI/CD server.
Code Signing Integration with AppViewX CSP/PKCS#11
Using Signtool with AppViewX CSP
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the signtool command generated in the README file and update the GitLab Configuration File with the appropriate script.
Job: code_signing
Stage: Sign using Signtool and AppViewX CSP
Script:
  - signtool.exe sign /f <path to certificate> /fd <digest algorithm> /csp <csp_name> /k <key_alias_name> /tr <timestamp_url> /td <timestamp digest algorithm> <input_file_path>
- /f <path to certificate>: Path to your code-signing certificate.
- /fd <digest algorithm>: Specifies the file digest (hashing) algorithm.
- /csp <csp_name>: Name of the Cryptographic Service Provider (CSP).
- /k <key_alias_name>: Key container name.
- /tr <timestamp_url>: Obtains a timestamp from a trusted timestamping authority.
- /td <timestamp digest algorithm>: Specifies the timestamp digest algorithm.
- <input_file_path>: Path to the file to be signed.
Using JarSigner with AppViewX CSP
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the Jarsigner command generated in the README file and update the GitLab Configuration File with the appropriate script.
Job: code_signing
Stage: Sign using Jarsigner and AppViewX CSP
Script:
  - jarsigner.exe -verbose -storetype "Windows-My" -keyStore NONE -tsa <time_stamp_url> <input_file_path> -signedjar <output_file_path> -sigalg <signature algorithm> <keypair alias>
Using Nuget with AppViewX CSP
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the nuget command generated in the README file and update the GitLab Configuration File with the appropriate script.
Job: code_signing
Stage: Sign using Nuget and AppViewX CSP
Script:
  - nuget.exe sign <input_file_path> -Timestamper <timestamp_url> -CertificateFingerprint <certificate_fingerprint> -HashAlgorithm <hashing_algorithm> -Verbosity detailed -Overwrite
Using JarSigner with AppViewX PKCS#11 Provider
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the Jarsigner command generated in the README file and update the GitLab Configuration File with the appropriate script.
Job: code_signing
Stage: Sign using Jarsigner and AppViewX PKCS#11 Provider
Script:
  - jarsigner.exe -verbose -keystore NONE -storetype PKCS11 -certs -providerclass sun.security.pkcs11.SunPKCS11 -providerArg <path to AVXPKCS11V1.cfg> <input_file_path> -signedjar <output_file_path> -tsa <time_stamp_url> -sigalg <signature algorithm> <keypairalias>
Using JSign with AppViewX PKCS#11 Provider
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the JSign command generated in the README file and update the GitLab Configuration File with the appropriate script.
Job: code_signing
Stage: Sign using JSign and AppViewX PKCS#11 Provider
Script:
  - java -jar <path_to_jsign_jar> --keystore <path to AVXPKCS11V1.cfg> --storetype PKCS11 --storepass 12345678 --alias <keypair alias> --alg <digest algorithm> --tsaurl <timestamp url> <input_file_path>
Using APKSigner with AppViewX PKCS#11 Provider
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the APKSigner command generated in the README file and update the GitLab Configuration File with the appropriate script.
Job: code_signing
Stage: Sign using APKSigner and AppViewX PKCS#11 Provider
Script:
  - java -jar <path_to_apk_signer_jar> sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <path to AVXPKCS11V1.cfg> --ks NONE --ks-type PKCS11 --ks-pass pass:12345678 --ks-key-alias <keypair alias> --in "<input_file_path>" --out "<output_file_path>" --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false
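The following complete .gitlab-ci.yml is an added illustration, not a file from the AppViewX documentation or the SIGN+ package. It ties the pieces above together: a build job produces the artifact, a signing job runs the Signtool/AppViewX CSP command from this page and a JSign/PKCS#11 command, and a verify stage checks the resulting Authenticode signature before anything is published. The stage and job names, the 'windows' runner tag, the dist\app.exe and dist\app.jar paths, the CODESIGN_PIN variable name and the <key_alias_name>/<keypair alias> placeholders are assumptions; the signtool flags and CSP name are those given on the page, and the runner is assumed to use PowerShell (the default shell on Windows runners), which is why CI variables are read as $env:NAME.

```yaml
# Added example, not part of the AppViewX documentation. Assumed values:
# job/stage names, the 'windows' runner tag, the dist\ artifact paths,
# the CODESIGN_PIN masked variable and the <...> placeholders.
stages:
  - build
  - sign
  - verify

variables:
  TIMESTAMP_URL: "http://timestamp.digicert.com"

build-code-job:
  stage: build
  tags: [windows]
  script:
    - echo "stand-in for the real build that populates dist\ with app.exe and app.jar"
  artifacts:
    paths:
      - dist/

# Signtool + AppViewX CSP, the command shown on this page. The job only runs
# on protected refs (rules below), so an arbitrary feature branch cannot
# drive the signing key; the private key itself stays inside the CSP.
code_signing:
  stage: sign
  tags: [windows]
  needs: [build-code-job]
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
  script:
    - signtool.exe sign /f Codesign.cer /fd sha256 /csp "AppViewX Enhanced Cryptographic Service Provider" /k "<key_alias_name>" /tr $env:TIMESTAMP_URL /td sha256 dist\app.exe
  artifacts:
    paths:
      - dist/

# JSign + AppViewX PKCS#11 provider. The store password is taken from a
# masked, protected CI/CD variable (CODESIGN_PIN, assumed name) instead of a
# literal in the pipeline file, so it is neither committed nor echoed in logs.
jsign_signing:
  stage: sign
  tags: [windows]
  needs: [build-code-job]
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
  script:
    - java -jar jsign.jar --keystore AVXPKCS11V1.cfg --storetype PKCS11 --storepass "$env:CODESIGN_PIN" --alias "<keypair alias>" --alg SHA-256 --tsaurl "$env:TIMESTAMP_URL" dist\app.jar
  artifacts:
    paths:
      - dist/

# Fail the pipeline if the signature or its certificate chain does not
# validate under the default Authenticode policy (/pa); this is the same
# check Windows performs on the consumer's side, run before release.
verify_signature:
  stage: verify
  tags: [windows]
  needs: [code_signing]
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
  script:
    - signtool.exe verify /pa /v dist\app.exe
```

Two design points worth keeping when adapting this: the `rules` entries tie signing to `CI_COMMIT_REF_PROTECTED`, so the signing jobs cannot be invoked from unreviewed branches even though the SIGN+ package is installed on the runner, and the separate verify stage means a broken chain, a wrong digest algorithm or a missing timestamp is caught by the pipeline rather than by end users.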