Code Signing Reading Time: 5 minutes

How to Integrate a Jenkins CI CD Pipeline with CodeSigning

Jenkins is an open-source automation tool that is widely used for continuous integration and continuous delivery (CI/CD) of software applications. Jenkins provides a web-based user interface that makes it easy to configure and manage jobs, which are automated tasks that can be scheduled to run at specific times or triggered by specific events. These jobs can be used to compile code, run tests, deploy applications, and perform many other tasks related to software development.

Some of the key features of Jenkins include:

  • Easy installation and setup

    Jenkins is easy to install and configure and can be set up on a wide range of operating systems and platforms.

  • Powerful job management

    Jenkins allows you to create and manage jobs, which are automated tasks that can be scheduled to run at specific times or triggered by specific events. Jobs can be used to compile code, run tests, deploy applications, and perform many other tasks related to software development.

  • Wide range of plugins and integrations

    Jenkins has a large number of plugins and integrations available, which allows it to work with many different tools and technologies. This makes it highly customizable and flexible.

  • Support for pipelines

    Jenkins provides strong support for pipelines, which are sets of stages that define a software development workflow. Pipelines can be defined using code, which makes them highly customizable and easy to version control.

  • Built-in testing support

    Jenkins provides built-in support for many different types of tests, including unit tests, integration tests, and functional tests. This makes it easy to run tests as part of a continuous integration workflow, ensuring that any code changes are thoroughly tested before being deployed to production.

  • Scalability

    Jenkins can be easily scaled to support large development teams and complex software development workflows.

  • Open-source

    Jenkins is open-source software, which means that it is free to use and can be customized to meet the specific needs of your development team.

Codesigning Using Jenkins

Code signing is a procedure that verifies the legitimacy of the author and the originality and authenticity of digital information, particularly software code. It also ensures that the information is not malicious code. Additionally, it guarantees that this information has not been altered, falsified, or canceled after being digitally signed.

To perform codesigning using Jenkins go through the steps below.

Prerequisites for performing this task includes:

  1. Jenkins Setup and Configured in your device
  2. Signtool installed and configured
  3. ECSigning KSP installed and configured.

To Setup and Configure Jenkins go through the link.

To Setup and Configure Signtool follow the steps below:

Signtool can be downloaded as part of the Windows SDK. Download Windows SDK: (developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/)

You can choose to install only the Windows SDK Signing Tools for Desktop Apps.

Open the winsdksetup.exe file. Remember the default path shown in the install path, as this will be helpful with running these commands from the command prompt.

windows sdk home

On the Windows Kits Privacy page, either option for allowing Microsoft to collect insights is okay. Click next.

windows sdk privacy

Accept the license agreement

windows sdk license agreeement

Deselect every feature except for Windows SDK Signing Tools for Desktop Apps, then select install.

windows sdk feature

When prompted if you want to allow this app to make changes, select yes.

wndows user account control
windows sdk final

Click on windows search bar on task bar and type “Edit the system environment variables” and select the control panel option of the same name.

edit system environment variable

Click environment variables.

environmental variables modal

Before editing the variable list, navigate to where the Windows SDK is installed to using file explorer, you must copy the path of the folder which contains the signtool application, the default path is C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64, refer to the below screenshot. Make sure to right click and copy the path as shown. You can also see the signtool application at the bottom of the file list, this is the command you will run.

signtool installation path

In the System Variables list, click new. Then type Path as the variable name, and copy and paste the aforementioned path. Then click OK on the environment variables window and system properties window.

add new system variable

To test the installation, open command prompt, and type signtool, and the output should be as shown below.

signtool command prompt

The default signtool installation location is, for example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64

To set up KSP follow the steps below:

Encryption Consulting provides you with this solution, CodeSignSecure. This solution can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

If you’re using our solution you can download the KSP using the steps below:

  • Sign in to Code Sign Secure.
  • Navigate to: Signing tools repository.

    codesign secure signing tools page
  • Download “Encryption Consulting CNG-SigningKSP”
  • Install the client tools using the .MSI installer. The .MSI installer automates much of the configuration. Navigate to where the downloaded file is saved and launch the installer.

    msi installer
  • Click next when the installation wizard appears.

    ec signing ksp setup home
  • Click next.

    ec signing ksp setup folder installation
  • In the Username field, type admin.
  • In the Code field, copy the code from the Postman API Repository. Click on the GetLoginToken api and copy the code from the Body.

    Download PostMan from this link. Once downloaded, click the skip button at the bottom of the window. Once on dashboard, add a new collection using the plus sign button next to collections.

    GetLoginToken API (http://codesignsecureapi.encryptionconsulting.com/api/auth/GetLoginToken): This is the most important API, as this gives you a Bearer Token to use with the rest of the APIs, What should be in the body is shown below. The code serves as a password in order to get a the Bearer Token, the user field is the username, and the identity type field specifices the user type. Click Send to generate an output which has the Bearer Token listed at the bottom. Copy this token for use.

    postman bearer token api
  • Change the Identity Type to 1.
  • Leave API BaseURL the same.
  • Click next.

    ec signing ksp setup user authentication info
  • Click next.

    ec signing ksp setup installation confirm
  • You will then be notified that this program will make changes to your pc, click yes.

    msi setup user account control
  • Installation is now complete.

    ec signing ksp setup installation complete

Once Jenkins is setup, we will require administrative privilege to run the command for signtool. To see we have set the administrative privilege for Jenkins, and if we haven’t, to set those

  • Go to services on your system (You can just search for it)
  • Scroll down to Jenkins. There in the “Log on As” column, you can see the user account set up for Jenkins. If it’s set to anything (Local Service/System, Network Service/System) other than “.\Administrator”, then we have to set it for Administrator.
  • Double Click on Jenkins or Right Click > Properties to open Properties. Go to Log On.

    Select “This Account”

    Set it as “.\Administrator”. Give a password, preferably administrator password. Click on Apply once done.

    jenkins properties

Once we have set this we’ll now head to Jenkins. Whichever URL/hostname you specified earlier while setting up, navigating to that from your browser will lead you to Jenkins. In my system I have set it up as http://localhost:8080/ (It is also default).

In your Dashboard follow the steps below:

  • From Dashboard click on New Item.

    jenkins dashboard
  • Enter any item name and click on pipeline and click ok.

    jenkins enter item name
  • In configuration page, under General put up a description as your wish.

    jenkins general configure
  • Scroll down to the bottom to find Pipeline.

    jenkins configure pipeline
  • Write the script in the script box and click on save. You’ll need to edit your environment variable as per your setup

    pipeline {
        agent any
        environment {
            SM_KEY_NAME='evcodesigning'
            SM_CLIENT_CERT_FILE='C:\\Users\\Administrator\\Desktop\\ForTesting\\evcodesigning.pem'
            SM_HASHING_ALGORITHM='SHA256'
            SM_TIME_STAMP_SERVER="http://timestamp.digicert.com"
            SM_FILEPATH="C:\\Users\\Administrator\\Desktop\\ForTesting\\AgentService.exe"
        }
        stages {
            stage('Code Signing') {
                steps {
                    dir('C:\\Users\\Administrator\\Desktop\\ForTesting'){
                    bat 'signtool sign /csp "Encryption Consulting Key Storage provider" 
    /kc %SM_KEY_NAME% /fd 
     %SM_HASHING_ALGORITHM% /f %SM_CLIENT_CERT_FILE% /tr %SM_TIME_STAMP_SERVER% /td SHA256 %SM_FILEPATH%'
                    }
                }
            }
        }
    }
    
  • Click on build now and you’ll see a build number running on the screen.

    jenkins build
  • If you click on the build number and go for console output you’ll see that your file has been signed.

    jenkins successfully signed file

Free Downloads

Datasheet of Code Signing Solution

Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code.

Download

About the Author

Surabhi Dahal's profile picture

Surabhi is consultant at Encryption consulting, working with Code Signing and development. She leverages her adept knowledge of HSMs and PKIs to implement robust security measures within software applications. Her understanding of cryptographic protocols and key management practices enables her to architect secure code signing solutions tailored to meet the requirements of enterprise environments. Her interests include exploring the realm of cybersecurity through the lens of digital forensics. She enjoys learning about threat intelligence, understanding how adversaries operate, and comprehend strategies to defend against potential attacks.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo