Integrating Code Signing in Atlassian Bamboo Pipeline

Bamboo

Bamboo is a continuous integration and continuous deployment (CI/CD) server that is used to automate the build, test, and deployment processes of software applications. Bamboo is designed to streamline and automate the software development process, helping teams deliver software more efficiently and with fewer errors. Bamboo assists software development teams by providing:
  • Automated building and testing of software source-code status
  • Updates on successful and failed builds
  • Reporting tools for statistical analysis.

Bamboo Pipeline

The Bamboo pipeline refers to a sequence of automated steps and tasks that are defined to build, test, and deploy a software application as part of a continuous integration and continuous deployment (CI/CD) process.
Here are the key components and concepts associated with Bamboo pipelines:
  1. Stages: A pipeline is typically divided into stages, each representing a phase in the CI/CD process. Common stages include "Build," "Test," "Deploy to Staging," and "Deploy to Production." Stages are executed sequentially, and each stage may consist of one or more jobs.
  2. Jobs: Within each stage, you define one or more jobs. A job is a collection of tasks that need to be executed together. For example, a "Build" stage might have a single job that compiles source code, runs unit tests, and packages the application. Bamboo provides a wide range of built-in tasks and supports custom scripts and commands.
  3. Tasks: Tasks are individual steps within a job that perform specific actions, such as running a script, checking out code from a version control system, or publishing artifacts. Bamboo offers a variety of task types to accommodate different actions.
  4. Triggers: Pipelines can be triggered manually or automatically based on events. Automatic triggers can be set up to start a pipeline when code is pushed to a version control repository, ensuring that new changes are continuously integrated and tested.
  5. Branches: Bamboo pipelines can be configured to work with different branches of your version control repository. This allows you to have separate CI/CD pipelines for different development branches, such as feature branches or release branches.
  6. Artifacts: Bamboo allows you to manage and store build artifacts generated during the pipeline, making it easy to distribute them to different environments or store them for future reference.
  7. Notifications: Bamboo can send notifications and reports about pipeline results to team members via email, chat, or other communication channels.
  8. Parallel Execution: Bamboo supports parallel execution of tasks and jobs within a stage, enabling faster build and test times by taking advantage of available resources.
For more information on configuring the Bamboo CI Server, see Understanding the Bamboo CI Server.

Bamboo Configuration File

Bamboo's configuration is primarily managed through its web-based interface, and it doesn't typically rely on single configuration files. Bamboo relies on a distributed configuration model where various configuration settings are stored in different places and files, and many of these settings are managed through its web-based administration interface. The primary configuration files in Bamboo are associated with the Bamboo home directory (BAMBOO_HOME) and Bamboo agents.
Some of the key configuration files and directories in Bamboo are:
  1. Bamboo Home Directory (BAMBOO_HOME): This directory contains many of the configuration files and data for Bamboo. The specific location and structure may vary based on your installation. Important subdirectories and files include:
    • xml-data/: Contains various XML configuration files
    • lib/: May include libraries and JAR files for custom plugins and extensions
    • agent/: Configuration files and data specific to Bamboo agents.
  2. Bamboo Agent Configuration: Each Bamboo agent has its own configuration file named “bamboo-agent.cfg.xml”. This file contains agent-specific settings, including the Bamboo server connection details.
    Sample bamboo-agent.cfg.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <bamboo-agent>
        <!-- Bamboo server URL -->
        <serverUrl>http://bamboo-server:8085</serverUrl>
    
        <!-- Bamboo agent's unique identifier -->
        <agentUuid>YOUR_AGENT_UUID</agentUuid>
    
        <!-- Bamboo agent's display name -->
        <agentName>My Bamboo Agent</agentName>
    
        <!-- Bamboo agent's capabilities -->
        <capabilities>
            <!-- Example capability for Maven -->
            <capability name="system.builder.mvn3.Maven 3" value="/usr/local/apache-maven-3.8.1" />
            
            <!-- Example capability for Node.js -->
            <capability name="system.builder.node.Node.js" value="/usr/local/bin/node" />
        </capabilities>
    
        <!-- Bamboo agent's working directory -->
        <workingDir>/path/to/agent/work</workingDir>
    
        <!-- Bamboo agent's temp directory -->
        <tempDir>/path/to/agent/temp</tempDir>
    
        <!-- Bamboo agent's home directory -->
        <homeDir>/path/to/agent/home</homeDir>
    
        <!-- Bamboo agent's capabilities sharing method (usually "true" or "false") -->
        <sharingCapability>true</sharingCapability>
    
        <!-- Bamboo agent's environment variables -->
        <environmentVariables>
            <environmentVariable name="PATH" value="/usr/local/bin:/usr/bin:/bin" />
            <environmentVariable name="JAVA_HOME" value="/usr/local/jdk1.8.0_291" />
        </environmentVariables>
    
        <!-- Bamboo agent's security token (if required) -->
        <securityToken>YOUR_SECURITY_TOKEN</securityToken>
    </bamboo-agent>
    

Configuring the Bamboo Pipeline Environment

  1. Create or Open a Bamboo Plan:
    • Login to the Bamboo instance and create a new plan or open an existing one where the code signing has to be integrated.
  2. Add a Script Task:
    • Within the Bamboo plan, add a new Script task to one of the existing jobs or create a new job for this purpose. This task will run the signing command (for example, jarsigner or signtool).
    • Set the interpreter to "Windows PowerShell" if using a Windows agent, or to "Shell" if using a Linux agent.
  3. Configure the Script Task for Integration with AppViewX CSP/PKCS#11:
    In the Script Body section of the Script task configuration, add the required commands to sign the artifacts based on requirement.
  4. Save and Execute:
    • Save the Script task configuration.
    • Trigger a Bamboo build for the plan, or set up webhooks to trigger the task on code commits or other events, depending on your configuration.

Prerequisites

  1. The pipeline should be configured with the required Build stages and the required artifacts should be ready for signing.
  2. Copy the downloaded SIGN+_Package to the configured runner machine or agent and install the package.
  3. Ensure connectivity from the runner machine to the SIGN+ API Connector URL node (Compute Cluster, Cloud Connector, LoadBalancer or OnPrem Worker Node).

Sample Script Configuration using AppViewX CSP and Signtool in Bamboo Dashboard

Using Signtool with AppViewX CSP

  1. Execute the AppViewX SIGN+ Installer executable on the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 providers.
  2. Copy the signtool command generated in the README file after installation and update the Script section with the generated command.
    signtool.exe sign /f <path to certificate> /fd <digest algorithm> /csp <csp_name> /k <key_alias_name> /tr <timestamp_url> /td <timestamp digest algorithm> <input_file_path>
    • /f <path to certificate>: Path to your code-signing certificate.
    • /fd <digest algorithm>: Specifies the file digest (hashing) algorithm.
    • /csp <csp_name>: Name of the Cryptographic Service Provider (CSP).
    • /k <key_alias_name>: Key container name within the CSP.
    • /tr <timestamp_url>: Obtains a timestamp from a trusted RFC 3161 timestamping authority.
    • /td <timestamp digest algorithm>: Specifies the timestamp digest algorithm.
    • <input_file_path>: Path to the file to be signed.
    The <path to certificate>, <digest algorithm>, <csp_name>, <key_alias_name>, <timestamp_url> and <timestamp digest algorithm> parameters are auto-generated in the README, based on the signing policy configuration, after running the SIGN+ Installer.

Using JarSigner with AppViewX CSP

  1. Execute the AppViewX SIGN+ Installer executable on the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 providers.
  2. Copy the Jarsigner command generated in the README file and update the Script section with the generated command.
    jarsigner.exe -verbose -storetype "Windows-My" -keystore NONE -tsa <time_stamp_url> <input_file_path> -signedjar <output_file_path> -sigalg <signature algorithm> <keypair alias>
    The <time_stamp_url>, <signature algorithm> and <keypair alias> parameters are auto-generated in the README after running the SIGN+ Installer.

Using Nuget with AppViewX CSP

  1. Execute the AppViewX SIGN+ Installer executable on the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 providers.
  2. Copy the nuget command generated in the README file and update the Script section with the generated command.
    nuget.exe sign <input_file_path> -Timestamper <timestamp_url> -CertificateFingerprint <certificate_fingerprint> -HashAlgorithm <hashing_algorithm> -Verbosity detailed -Overwrite
    The <timestamp_url>, <certificate_fingerprint> and <hashing_algorithm> parameters are auto-generated in the README after running the SIGN+ Installer.

Using JarSigner with AppViewX PKCS#11 Provider

  1. Execute the AppViewX SIGN+ Installer executable on the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 providers.
  2. Copy the Jarsigner command generated in the README file and update the Script section with the generated command.
    jarsigner -verbose -keystore NONE -storetype PKCS11 -certs -providerclass sun.security.pkcs11.SunPKCS11 -providerArg <path to AVXPKCS11V1.cfg> <input_file_path> -signedjar <output_file_path> -tsa <time_stamp_url> -sigalg <signature algorithm> <keypair alias>
    The <path to AVXPKCS11V1.cfg>, <time_stamp_url>, <signature algorithm> and <keypair alias> parameters are auto-generated in the README after running the SIGN+ Installer.
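As an added example (not from the SIGN+ README or the Bamboo documentation), the script-task body below wires the jarsigner/PKCS#11 command above into the plan configured in "Configuring the Bamboo Pipeline Environment": it checks the inputs, signs, and then verifies with -strict so a failed or missing signature fails the Bamboo job instead of passing silently. Assumptions: a Linux agent with jarsigner and sha256sum on the PATH, the README-generated values supplied as plan variables named bamboo_avx_pkcs11_cfg, bamboo_tsa_url, bamboo_sig_alg and bamboo_key_alias (constructed names), and target/app.jar as the artifact to sign.

```shell
#!/bin/sh
# Bamboo "Shell" script-task body: sign a JAR through the AppViewX PKCS#11
# provider, then verify the result so a failed signature fails the build.
# Constructed example. The README-generated values arrive as Bamboo plan
# variables (Bamboo exports ${bamboo.x.y} as the environment variable bamboo_x_y);
# the variable names, the artifact path and the use of sha256sum are assumptions.
set -eu

# Refuse to run with missing inputs: a silent skip here would ship an unsigned JAR.
preflight() {            # preflight <pkcs11 cfg> <input jar> <output jar>
  [ -f "$1" ] || { echo "PKCS#11 config not found: $1" >&2; return 1; }
  [ -f "$2" ] || { echo "input artifact not found: $2" >&2; return 1; }
  [ "$2" != "$3" ] || { echo "refusing to overwrite the unsigned input" >&2; return 1; }
}

# Assemble the jarsigner command line from the README-generated parameters.
# One argument per line, so paths containing spaces survive re-splitting.
sign_args() {            # sign_args <cfg> <tsa url> <sigalg> <alias> <in> <out>
  printf '%s\n' -verbose -keystore NONE -storetype PKCS11 -certs \
    -providerclass sun.security.pkcs11.SunPKCS11 -providerArg "$1" \
    "$5" -signedjar "$6" -tsa "$2" -sigalg "$3" "$4"
}

# Sign, then verify with -strict: an untrusted chain, a bad digest or an
# unsigned output is then a non-zero exit (a failed Bamboo job), not a warning.
sign_and_verify() {      # sign_and_verify <cfg> <tsa url> <sigalg> <alias> <in> <out>
  preflight "$1" "$5" "$6"
  out=$6
  old_ifs=$IFS; IFS='
'
  set -f                 # no globbing while the argument list is re-split
  set -- $(sign_args "$@")
  set +f; IFS=$old_ifs
  jarsigner "$@"
  jarsigner -verify -strict -verbose:summary "$out"
  echo "signed artifact sha256: $(sha256sum "$out" | cut -d' ' -f1)"   # build-log evidence
}

# Only run when invoked by Bamboo; the functions above stay usable on their own.
if [ -n "${bamboo_build_working_directory:-}" ]; then
  sign_and_verify "$bamboo_avx_pkcs11_cfg" "$bamboo_tsa_url" "$bamboo_sig_alg" \
    "$bamboo_key_alias" "$bamboo_build_working_directory/target/app.jar" \
    "$bamboo_build_working_directory/target/app-signed.jar"
fi
```

The same structure applies to the other tools on this page: replace sign_args with the README-generated command and keep the verify step (signtool verify, nuget verify -Signatures, apksigner verify) so the job fails on an unverifiable artifact.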

Using JSign with AppViewX PKCS#11 Provider

  1. Execute the AppViewX SIGN+ Installer executable on the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 providers.
  2. Copy the JSign command generated in the README file and update the Script section with the generated command.
    java -jar <path_to_jsign_jar> --keystore <path to AVXPKCS11V1.cfg> --storetype PKCS11 --storepass 12345678 --alias <keypair alias> --alg <digest algorithm> --tsaurl <timestamp url> <input_file_path>
    The <path to AVXPKCS11V1.cfg>, <keypair alias>, <digest algorithm> and <timestamp url> parameters are auto-generated in the README, based on the signing policy configuration, after running the SIGN+ Installer.

Using APKSigner with AppViewX PKCS#11 Provider

  1. Execute the AppViewX SIGN+ Installer executable on the configured runner machine to install the prerequisites required to use the AppViewX CSP/PKCS11 providers.
  2. Copy the APKSigner command generated in the README file and update the Script section with the generated command.
    java -jar <path_to_apk_signer_jar> sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <path to AVXPKCS11V1.cfg> --ks NONE --ks-type PKCS11 --ks-pass pass:12345678 --ks-key-alias <keypair alias> --in "<input_file_path>" --out "<output_file_path>" --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false
    The <path to AVXPKCS11V1.cfg> and <keypair alias> parameters are auto-generated in the README, based on the signing policy configuration, after running the SIGN+ Installer.
    Note: The script can be configured to sign with any tool, using the commands generated in the README file, as required.