Integrating Code Signing in Jenkins Pipeline
Jenkins
Jenkins can be installed through native system packages, Docker, or even run standalone by any machine with a Java Runtime Environment (JRE) installed.
Jenkins Pipeline
Pipeline provides an extensible set of tools for modeling simple-to-complex delivery pipelines "as code" via the Pipeline domain-specific language (DSL) syntax.
Jenkinsfile
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                //
            }
        }
        stage('Test') {
            steps {
                //
            }
        }
        stage('Deploy') {
            steps {
                //
            }
        }
    }
}
Code Signing Integration with Native Tools using AppViewX SIGN+ in Jenkins Pipeline
Prerequisite: a repository with a Jenkins pipeline set up on the runner. Download the SIGN+_Package.zip for the required OS, install it on the build server/runner, and ensure connectivity from the build server/runner to the SIGN+ API Connector URL.
Note: The SIGN+_Package must be installed under the same user account that the pipeline job runs as.
Code Signing Integration with AppViewX CSP/PKCS#11
Using Signtool with AppViewX CSP
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the signtool command generated in the README file and update the Jenkins configuration file (Jenkinsfile) with the appropriate script.
stage('sign') {
    steps {
        bat 'signtool.exe sign /f <path to certificate> /fd <digest algorithm> /csp <csp_name> /k <key_alias_name> /tr <timestamp_url> /td <timestamp digest algorithm> <input_file_path>'
    }
}
- /f <path to certificate>: Path to your code-signing certificate.
- /fd <digest algorithm>: Specifies the file digest (hashing) algorithm.
- /csp <csp_name>: Name of the Cryptographic Service Provider (CSP).
- /k <key_alias_name>: Key container name.
- /tr <timestamp_url>: Obtains an RFC 3161 timestamp from a trusted timestamping authority.
- /td <timestamp digest algorithm>: Specifies the timestamp digest algorithm.
- <input_file_path>: Path to the file to be signed.
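The following Jenkinsfile is an added example, not code from the AppViewX README: it wires the signtool stage above into the skeleton pipeline from the top of the page and adds a verify stage so the build fails if the signature or timestamp does not validate. The agent label, the environment values and the artifact path are placeholders; replace them with the values generated in your README by the SIGN+ Installer.

```groovy
pipeline {
    // Assumed label of the runner where SIGN+_Package was installed under the job's user
    agent { label 'windows-signing' }
    environment {
        // Placeholder values; copy the real ones from the README generated by the SIGN+ Installer
        SIGN_CERT = 'C:\\signplus\\codesign.cer'
        SIGN_CSP  = 'AppViewX CSP'
        SIGN_KEY  = 'my-key-alias'
        SIGN_TSA  = 'http://timestamp.example.invalid'
        ARTIFACT  = 'build\\app.exe'
    }
    stages {
        stage('Build') {
            steps {
                bat 'msbuild app.sln /p:Configuration=Release'
            }
        }
        stage('Sign') {
            steps {
                // Same signtool invocation as above; the private key never leaves the CSP
                bat 'signtool.exe sign /f "%SIGN_CERT%" /fd sha256 /csp "%SIGN_CSP%" /k "%SIGN_KEY%" /tr %SIGN_TSA% /td sha256 "%ARTIFACT%"'
            }
        }
        stage('Verify') {
            steps {
                // /pa uses the default Authenticode policy; a non-zero exit fails the build
                bat 'signtool.exe verify /pa /v "%ARTIFACT%"'
            }
        }
    }
    post {
        success {
            // Fingerprinting lets Jenkins track which build produced the signed binary
            archiveArtifacts artifacts: 'build/app.exe', fingerprint: true
        }
    }
}
```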
Using JarSigner with AppViewX CSP
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the jarsigner command generated in the README file and update the Jenkins configuration file (Jenkinsfile) with the appropriate script.
The <time_stamp_url>, <signature algorithm> and <keypair alias> parameters are auto-generated in the README after running the SIGN+ Installer.
stage('sign') {
    steps {
        bat 'jarsigner.exe -verbose -storetype "Windows-My" -keystore NONE -tsa <time_stamp_url> <input_file_path> -signedjar <output_file_path> -sigalg <signature algorithm> <keypair alias>'
    }
}
Using NuGet with AppViewX CSP
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the nuget command generated in the README file and update the Jenkins configuration file (Jenkinsfile) with the appropriate script.
The <timestamp_url>, <certificate_fingerprint> and <hashing_algorithm> parameters are auto-generated in the README after running the SIGN+ Installer.
stage('sign') {
    steps {
        bat 'nuget.exe sign <input_file_path> -Timestamper <timestamp_url> -CertificateFingerprint <certificate_fingerprint> -HashAlgorithm <hashing_algorithm> -Verbosity detailed -Overwrite'
    }
}
Using JarSigner with AppViewX PKCS#11 Provider
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the jarsigner command generated in the README file and update the Jenkins configuration file (Jenkinsfile) with the appropriate script.
The <path to AVXPKCS11V1.cfg>, <time_stamp_url>, <signature algorithm> and <keypair alias> parameters are auto-generated in the README after running the SIGN+ Installer.
stage('sign') {
    steps {
        // Windows
        bat 'jarsigner.exe -verbose -keystore NONE -storetype PKCS11 -certs -providerclass sun.security.pkcs11.SunPKCS11 -providerArg <path to AVXPKCS11V1.cfg> <input_file_path> -signedjar <output_file_path> -tsa <time_stamp_url> -sigalg <signature algorithm> <keypair alias>'
        // Linux
        sh 'jarsigner -verbose -keystore NONE -storetype PKCS11 -certs -providerclass sun.security.pkcs11.SunPKCS11 -providerArg <path to AVXPKCS11V1.cfg> <input_file_path> -signedjar <output_file_path> -tsa <time_stamp_url> -sigalg <signature algorithm> <keypair alias>'
    }
}
Using JSign with AppViewX PKCS#11 Provider
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the JSign command generated in the README file and update the Jenkins configuration file (Jenkinsfile) with the appropriate script.
The <path to AVXPKCS11V1.cfg>, <keypair alias>, <digest algorithm> and <timestamp url> parameters are auto-generated from the signing policy configuration in the README after running the SIGN+ Installer.
stage('sign') {
    steps {
        // Windows
        bat 'java -jar <path_to_jsign_jar> --keystore <path to AVXPKCS11V1.cfg> --storetype PKCS11 --storepass 12345678 --alias <keypair alias> --alg <digest algorithm> --tsaurl <timestamp url> <input_file_path>'
        // Linux
        sh 'java -jar <path_to_jsign_jar> --keystore <path to AVXPKCS11V1.cfg> --storetype PKCS11 --storepass 12345678 --alias <keypair alias> --alg <digest algorithm> --tsaurl <timestamp url> <input_file_path>'
    }
}
Using APKSigner with AppViewX PKCS#11 Provider
- Run the AppViewX SIGN+ Installer executable to install the prerequisites required to use the AppViewX CSP/PKCS11 Providers.
- Copy the apksigner command generated in the README file and update the Jenkins configuration file (Jenkinsfile) with the appropriate script.
The <path to AVXPKCS11V1.cfg> and <keypair alias> parameters are auto-generated from the signing policy configuration in the README after running the SIGN+ Installer.
stage('sign') {
    steps {
        // Windows
        bat 'java -jar <path_to_apk_signer_jar> sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <path to AVXPKCS11V1.cfg> --ks NONE --ks-type PKCS11 --ks-pass pass:12345678 --ks-key-alias <keypair alias> --in "<input_file_path>" --out "<output_file_path>" --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false'
        // Linux
        sh 'java -jar <path_to_apk_signer_jar> sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <path to AVXPKCS11V1.cfg> --ks NONE --ks-type PKCS11 --ks-pass pass:12345678 --ks-key-alias <keypair alias> --in "<input_file_path>" --out "<output_file_path>" --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false'
    }
}